On Wed, Jun 23, 2021 at 1:28 AM Jim Fehlig <jfehlig@xxxxxxxx> wrote:
>
> I noticed the following denial messages from apparmor in audit.log when
> starting confined VMs via the QEMU driver
>
> type=AVC msg=audit(1623864006.370:837): apparmor="DENIED" operation="open" \
> profile="virt-aa-helper" name="/etc/libnl/classid" pid=11265 \
> comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>
> type=AVC msg=audit(1623864006.582:849): apparmor="DENIED" operation="open" \
> profile="libvirt-0ca2720d-6cff-48bb-86c2-61ab9a79b6e9" \
> name="/etc/libnl/classid" pid=11270 comm="qemu-system-x86" \
> requested_mask="r" denied_mask="r" fsuid=107 ouid=0
>
> It is possible for site admins to assign names to classids in this file,
> which are then used by all libnl tools, possibly those used by libvirt.
> To be on the safe side, allow read access to the file in the virt-aa-helper
> profile and the libvirt-qemu abstraction.
>
> Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx>

While this particular rule would be covered in abstractions/nameservice,
that would allow much more. I agree: if we really only need libnl and
nothing else, then adapting/adding the existing rule should be better.

Reviewed-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>

> ---
> src/security/apparmor/libvirt-qemu | 2 ++
> src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 3 ++-
> 2 files changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> index 3e31ed4981..4156428163 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -37,6 +37,8 @@
> @{PROC}/sys/vm/overcommit_memory r,
> # detect hardware capabilities via qemu_getauxval
> owner @{PROC}/*/auxv r,
> + # allow reading libnl's classid file
> + /etc/libnl{,-3}/classid r,
>
> # For hostdev access. The actual devices will be added dynamically
> /sys/bus/usb/devices/ r,
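Review bot: the new rule hard-codes `/etc/libnl{,-3}/classid r,` while the virt-aa-helper hunk in the same patch writes the same path as `@sysconfdir@/libnl{,-3}/classid r,`; the two should use one form. The file belongs to libnl, so its location does not follow libvirt's sysconfdir, which argues for the literal `/etc` used here in both places (it is also the path in both logged denials). Plain `r` without `owner` is correct for this rule: the qemu denial shows fsuid=107 against ouid=0, so an `owner` rule in the style of the `owner @{PROC}/*/auxv r,` line above it would not match.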
> diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> index dd18c8ab89..8ebb47596a 100644
> --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> @@ -19,7 +19,8 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
> # Used when internally running another command (namely apparmor_parser)
> @{PROC}/@{pid}/fd/ r,
>
> - @sysconfdir@/libnl-3/classid r,
> + # allow reading libnl's classid file
> + @sysconfdir@/libnl{,-3}/classid r,
>
> # for gl enabled graphics
> /dev/dri/{,*} r,
> --
> 2.31.1
>

--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
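Review bot: the replaced rule `@sysconfdir@/libnl-3/classid r,` was already in the profile and the denial for `name="/etc/libnl/classid"` still fired, so the `-3` directory alone is not what this libnl reads; the comment should say which libnl layout each alternative in `{,-3}` serves, otherwise a later cleanup is likely to drop one as dead. The rule also only satisfies the logged denial when `@sysconfdir@` expands to `/etc`; libvirt's sysconfdir has no bearing on where libnl looks for its classid file, so the literal `/etc/libnl{,-3}/classid r,` form used in the libvirt-qemu hunk is the safer choice here as well.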
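To check a patch like this one without reloading profiles, it helps to replay the logged denials against the old and new rules. The following is an added example, not code from libvirt, AppArmor or this thread: it parses the two audit.log lines quoted above (reconstructed here with their backslash continuations joined), expands the `{,-3}` alternation, and reports which denials a given rule list leaves uncovered. It implements only the subset of AppArmor globbing the patch uses (`{a,b}`, `*`, `**`, `?`, the `owner` qualifier) and assumes `@{PROC}` expands to `/proc` and `@sysconfdir@` to `/etc`; both values are assumptions, and the `owner` check is a simplification of AppArmor's real semantics.

```python
"""Replay audit.log AVC denials against AppArmor path rules.

Added example for this thread; it is not libvirt's or AppArmor's code.  The
matcher supports only the globbing the patch uses: {a,b} alternation, '*',
'**', '?' and the 'owner' qualifier.  Character classes are not handled.
"""
import re

# Denial lines constructed from the two audit.log messages quoted in the
# thread (the backslash continuations joined into one line each).
DENIALS = [
    'type=AVC msg=audit(1623864006.370:837): apparmor="DENIED" operation="open" '
    'profile="virt-aa-helper" name="/etc/libnl/classid" pid=11265 '
    'comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=AVC msg=audit(1623864006.582:849): apparmor="DENIED" operation="open" '
    'profile="libvirt-0ca2720d-6cff-48bb-86c2-61ab9a79b6e9" '
    'name="/etc/libnl/classid" pid=11270 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r" fsuid=107 ouid=0',
]

# Assumed expansions: @{PROC} is the AppArmor tunable, @sysconfdir@ is the
# value libvirt's build substitutes into the .in profile (assumed /etc here).
VARIABLES = {"@{PROC}": "/proc", "@sysconfdir@": "/etc"}

_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_RULE = re.compile(r'^\s*(?:(owner)\s+)?(\S+)\s+([a-zA-Z]+)\s*,\s*$')


def parse_avc(line):
    """Split one audit line into its key=value fields (quoted or bare)."""
    fields = {}
    for m in _FIELD.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def expand_braces(pattern):
    """Expand {a,b,...} alternation; innermost group first, so nesting works."""
    m = re.search(r'\{([^{}]*)\}', pattern)
    if m is None:
        return [pattern]
    expanded = []
    for alt in m.group(1).split(","):
        expanded.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return expanded


def glob_to_regex(glob):
    """Brace-free AppArmor glob to regex: '*' stays inside one path component,
    '**' crosses '/', '?' is a single non-'/' character."""
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def parse_rule(rule):
    """Parse 'owner? <path> <perms>,' into (owner_only, expanded globs, perms)."""
    m = _RULE.match(rule)
    if m is None:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    path = m.group(2)
    for var, value in VARIABLES.items():
        path = path.replace(var, value)
    return m.group(1) is not None, expand_braces(path), set(m.group(3))


def rule_covers(rule, denial):
    """True if the rule grants every bit of the denied mask on the denied path.
    An 'owner' rule is taken to apply only when the process fsuid equals the
    file's ouid (simplified from AppArmor's real ownership test)."""
    owner_only, globs, perms = parse_rule(rule)
    if owner_only and denial.get("fsuid") != denial.get("ouid"):
        return False
    if not set(denial["denied_mask"]) <= perms:
        return False
    return any(glob_to_regex(g).match(denial["name"]) for g in globs)


def suggest_rule(denial):
    """Minimal literal rule that satisfies one denial; widening it (for
    example to {,-3}) is a reviewer decision, not something to automate."""
    return f'{denial["name"]} {denial["denied_mask"]},'


def uncovered(rules, lines):
    """Return (profile, suggested rule) for every DENIED line no rule covers."""
    result = []
    for line in lines:
        d = parse_avc(line)
        if d.get("apparmor") != "DENIED":
            continue
        if not any(rule_covers(r, d) for r in rules):
            result.append((d["profile"], suggest_rule(d)))
    return result


if __name__ == "__main__":
    before = ["@sysconfdir@/libnl-3/classid r,"]    # rule before the patch
    after = ["@sysconfdir@/libnl{,-3}/classid r,"]  # rule after the patch
    print("before:", uncovered(before, DENIALS))
    print("after: ", uncovered(after, DENIALS))
```

Running it with the pre-patch rule lists both denials as uncovered with the suggested `/etc/libnl/classid r,`; with the patched rule the list is empty. Swapping `@sysconfdir@` in VARIABLES for a non-/etc prefix makes the patched rule miss again, which is the point the review notes about hard-coding `/etc` raise.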