Re: [PATCH 1/3] Apparmor: Add profile for virtqemud


On 6/16/21 11:23 AM, Christian Boltz wrote:
Hello,

[I'm not subscribed to the libvirt list, please CC me in replies]

Am Mittwoch, 16. Juni 2021, 05:41:02 CEST schrieb Jim Fehlig:
diff --git a/src/security/apparmor/libvirt-qemu
b/src/security/apparmor/libvirt-qemu index 85c9e61d6c..990bb0b2ba
100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
[...]

You only need to add

+  ptrace (readby, tracedby) peer=virtqemud,

The following rule

+  ptrace (readby, tracedby) peer=/usr/sbin/virtqemud,

is superfluous and can be removed.

Technical background: the reason why there are rules for libvirtd and
/usr/sbin/libvirtd is backwards compatibility to the old
   /usr/sbin/libvirtd {
profile before it became
   profile libvirtd /usr/sbin/libvirtd {

You don't need that for a new profile that is
   profile virtqemud /usr/sbin/virtqemud {
from the beginning.

Understood.

This also applies to your 2/3 and 3/3 patches.

Will fix in V2.

    signal (receive) peer=libvirtd,
    signal (receive) peer=/usr/sbin/libvirtd,
+  signal (receive) peer=virtqemud,
+  signal (receive) peer=/usr/sbin/virtqemud,

Same here - the rule with peer=/usr/sbin/virtqemud is superfluous.

[...]
+  unix (send, receive) type=stream addr=none peer=(label=virtqemud),
+  unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/
virtqemud),

And again ;-)

[...]
diff --git a/src/security/apparmor/usr.sbin.virtqemud.in
b/src/security/apparmor/usr.sbin.virtqemud.in new file mode 100644
index 0000000000..b986241c74
--- /dev/null
+++ b/src/security/apparmor/usr.sbin.virtqemud.in
@@ -0,0 +1,135 @@
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
+
+profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
+  #include <abstractions/base>
+  #include <abstractions/dbus>
+
+  capability kill,
+  capability net_admin,
+  capability net_raw,
+  capability setgid,
+  capability sys_admin,
+  capability sys_module,
+  capability sys_ptrace,
+  capability sys_pacct,
+  capability sys_nice,
+  capability sys_chroot,
+  capability setuid,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability chown,
+  capability setpcap,
+  capability mknod,
+  capability fsetid,
+  capability audit_write,
+  capability ipc_lock,
+  capability sys_rawio,
+  capability bpf,
+  capability perfmon,
+
+  # Needed for vfio
+  capability sys_resource,
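Review bot: only `capability sys_resource,` in this hunk carries a comment saying why it is needed (`# Needed for vfio`); the other capabilities, including sys_admin, sys_module, sys_ptrace, sys_rawio, dac_override and setpcap, are granted without any justification, so a reader of the profile cannot tell which ones virtqemud actually exercises. Suggest a short comment per capability or per group, and dropping any that confinement testing (as asked about below) shows are never hit.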
[...]

Just wondering - do the new profiles (in all 3 patches) really need
all the capabilities and the other broad rules?

I'll try to figure that out before posting V2

(See my 0/3 reply for how to find out ;-)

... using your tips!

Regards,
Jim
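The naming point Christian makes above (a `peer=/usr/sbin/foo` rule is only needed next to `peer=foo` when `foo` was once a path-named profile) turned into a small lint, as an added example that is not part of this thread or of libvirt's own tooling. The profile text is a constructed fragment modelled on the rules quoted in the thread, and the function names and the capability-comment check are this example's own assumptions.

```python
import re

# Constructed sample modelled on the quoted rules; not the real file contents.
SAMPLE_PROFILE = """\
profile virtqemud /usr/sbin/virtqemud flags=(attach_disconnected) {
  capability sys_admin,
  capability sys_module,
  # Needed for vfio
  capability sys_resource,
  ptrace (readby, tracedby) peer=libvirtd,
  ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
  ptrace (readby, tracedby) peer=virtqemud,
  ptrace (readby, tracedby) peer=/usr/sbin/virtqemud,
  signal (receive) peer=virtqemud,
  unix (send, receive) type=stream addr=none peer=(label=virtqemud),
  unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/virtqemud),
}
"""

HEADER_RE = re.compile(r"^\s*profile\s+(\S+)\s+(\S+)\s*(?:flags=\S+)?\s*\{")
PEER_RE = re.compile(r"peer=\(?(?:label=)?([^,()\s]+)\)?")
CAP_RE = re.compile(r"^\s*capability\s+(\w+),")

def parse_profile_headers(text):
    """Map profile name -> attachment path for every 'profile NAME PATH {' line.
    Only profiles declared this way are known to have never been path-named."""
    return {m.group(1): m.group(2) for m in map(HEADER_RE.match, text.splitlines()) if m}

def find_redundant_peer_rules(text, named_profiles):
    """Rules using a path-form peer whose short-name twin already exists,
    for profiles that were named from the beginning (no compat needed)."""
    rules = [ln.strip() for ln in text.splitlines() if "peer=" in ln]
    redundant = []
    for rule in rules:
        m = PEER_RE.search(rule)
        if not m:
            continue
        for name, path in named_profiles.items():
            if m.group(1) == path and rule.replace(path, name) in rules:
                redundant.append(rule)
    return redundant

def uncommented_capabilities(text):
    """Capabilities with no explanatory comment on the line directly above."""
    prev, out = "", []
    for line in text.splitlines():
        m = CAP_RE.match(line)
        if m and not prev.lstrip().startswith("#"):
            out.append(m.group(1))
        if line.strip():
            prev = line
    return out
```

Run against the libvirt-qemu rules in the thread, the lint flags the `/usr/sbin/virtqemud` ptrace and unix rules but leaves the `/usr/sbin/libvirtd` ones alone, because libvirtd does not appear as a named profile in the scanned text.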



