On 6/16/21 11:23 AM, Christian Boltz wrote:
Hello,
[I'm not subscribed to the libvirt list, please CC me in replies]
Am Mittwoch, 16. Juni 2021, 05:41:02 CEST schrieb Jim Fehlig:
diff --git a/src/security/apparmor/libvirt-qemu
b/src/security/apparmor/libvirt-qemu index 85c9e61d6c..990bb0b2ba
100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
[...]
You only need to add
+ ptrace (readby, tracedby) peer=virtqemud,
The following rule
+ ptrace (readby, tracedby) peer=/usr/sbin/virtqemud,
is superfluous and can be removed.
Technical background: the reason why there are rules for libvirtd and
/usr/sbin/libvirtd is backwards compability to the old
/usr/sbin/libvirtd {
profile before it became
profile libvirtd /usr/sbin/libvirtd {
You don't need that for a new profile that is
profile virtqumud /usr/sbin/virtquemud {
from the beginning.
Understood.
This also applies to your 2/3 and 3/3 patches.
Will fix in V2.
signal (receive) peer=libvirtd,
signal (receive) peer=/usr/sbin/libvirtd,
+ signal (receive) peer=virtqemud,
+ signal (receive) peer=/usr/sbin/virtqemud,
Same here - the rule with peer=/usr/sbin/virtquemud is superfluous.
[...]
+ unix (send, receive) type=stream addr=none peer=(label=virtqemud),
+ unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/
virtqemud),
And again ;-)
[...]
diff --git a/src/security/apparmor/usr.sbin.virtqemud.in
b/src/security/apparmor/usr.sbin.virtqemud.in new file mode 100644
index 0000000000..b986241c74
--- /dev/null
+++ b/src/security/apparmor/usr.sbin.virtqemud.in
@@ -0,0 +1,135 @@
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
+
+profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/dbus>
+
+ capability kill,
+ capability net_admin,
+ capability net_raw,
+ capability setgid,
+ capability sys_admin,
+ capability sys_module,
+ capability sys_ptrace,
+ capability sys_pacct,
+ capability sys_nice,
+ capability sys_chroot,
+ capability setuid,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability chown,
+ capability setpcap,
+ capability mknod,
+ capability fsetid,
+ capability audit_write,
+ capability ipc_lock,
+ capability sys_rawio,
+ capability bpf,
+ capability perfmon,
+
+ # Needed for vfio
+ capability sys_resource,
[...]
Just wondering - do the new profiles (in all 3 patches) reallly need
all the capabilities and the other broad rules?
I'll try to figure that out before posting V2
(See my 0/3 reply how to find out ;-)
... using your tips!
Regards,
Jim
