Re: [PATCH V2 0/4] Apparmor: Add profiles for hypervisor daemons

Hello,

[I'm not subscribed to libvir-list - please CC me in replies]

Am Mittwoch, 23. Juni 2021, 01:27:43 CEST schrieb Jim Fehlig:
> and other improvements. V2 of
> https://listman.redhat.com/archives/libvir-list/2021-June/msg00456.htm
> 
> Changes since V1:
> Removed many unneeded capabilities. I used the 'audit' qualifier as
> suggested by cboltz to verify which capabilities were actually used.
> It's a difficult task though, as it is nearly impossible for one
> person to exercise a driver in all the ways thousands of users will
> push it :-). I was able to whittle the virtxend profile quite a bit
> since xen doesn't need a lot in the way of host capabilities.

Your updated patches look good :-)

There's one thing I missed in the first review, but that might be worth 
a separate patch instead of updating this patchset:

Starting with AppArmor 3.0 userspace, profiles should have an abi rule 
in their preamble (as the first line):

abi <abi/3.0>,

Without this abi rule, network, dbus and unix will not be enforced.
Note that even without the abi/3.0 rule, (open)SUSE kernels have supported 
and enforced network rules for years, and Ubuntu kernels support all rule 
types.

Older AppArmor versions will ignore the abi line.


Adding the abi rule might mean that you'll have to add some network, 
dbus or unix rules to the profiles, therefore please do some testing 
instead of blindly adding the abi rule ;-)


Regards,

Christian Boltz
-- 
The Consultant's Curse:
        When the customer has beaten upon you long enough, give him
        what he asks for, instead of what he needs.  This is very strong
        medicine, and is normally only required once.
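As an added illustration (not part of this message or of the libvirt patchset), a small Python check for the point raised above: it flags profile files that lack the `abi <abi/3.0>,` preamble, files where the abi rule is not the first line, and files whose network/unix/dbus rules would go unenforced without it. The sample profiles and the daemon name `example-hypervisord` are constructed for the demo.

```python
import re
# 'abi <abi/3.0>,' opts a profile into the AppArmor 3.0 policy ABI; without it the
# network/unix/dbus rule classes are not enforced (see the message above).
ABI_RE = re.compile(r'^abi\s+<abi/3\.0>\s*,\s*$')
GATED_RULES = ('network', 'unix', 'dbus')
# Qualifiers that may precede a rule keyword, e.g. 'audit network inet stream,'.
QUALIFIER_RE = re.compile(r'^(?:audit|deny|allow|owner)\s+')

def check_profile(text):
    """Report abi preamble status and the gated rule classes one profile file uses.
    Only the file itself is scanned; included abstractions are not followed."""
    lines = [s for s in (l.strip() for l in text.splitlines()) if s and not s.startswith('#')]
    has_abi = any(ABI_RE.match(l) for l in lines)
    abi_first = bool(lines) and ABI_RE.match(lines[0]) is not None
    gated = set()
    for l in lines:
        body = QUALIFIER_RE.sub('', l)          # drop 'audit', 'deny', ... prefixes
        keyword = body.split(None, 1)[0].rstrip(',') if body else ''
        if keyword in GATED_RULES:
            gated.add(keyword)
    findings = []
    if not has_abi:
        findings.append('missing "abi <abi/3.0>," preamble rule')
        if gated:
            findings.append(f'{"/".join(sorted(gated))} rules present but not enforced without the abi rule')
    elif not abi_first:
        findings.append('abi rule present but not the first line of the preamble')
    elif not gated:
        findings.append('abi rule mediates network/unix/dbus: confirm the daemon needs none')
    return {'has_abi': has_abi, 'abi_first': abi_first, 'gated_rules': gated, 'findings': findings}

# Constructed sample profiles for a hypothetical daemon (not libvirt's real profiles).
OLD_STYLE = """\
#include <tunables/global>
profile example-hypervisord /usr/sbin/example-hypervisord {
  capability net_admin,
  audit network inet stream,
  unix (send, receive) type=stream,
}
"""
NEW_STYLE = """\
abi <abi/3.0>,
include <tunables/global>
profile example-hypervisord /usr/sbin/example-hypervisord {
  capability net_admin,
  network inet stream,
  unix (send, receive) type=stream,
  dbus send bus=system,
}
"""
```

Run `check_profile()` over each file under /etc/apparmor.d to get the findings list per profile; an empty list means the preamble is in order.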
