Re: [PATCH V2 0/4] Apparmor: Add profiles for hypervisor daemons

On 6/23/21 1:17 PM, Christian Boltz wrote:
> Hello,
>
> [I'm not subscribed to libvir-list - please CC me in replies]
>
> On Wednesday, 23 June 2021, 01:27:43 CEST, Jim Fehlig wrote:
>> and other improvements. V2 of
>> https://listman.redhat.com/archives/libvir-list/2021-June/msg00456.htm
>>
>> Changes since V1:
>> Removed many unneeded capabilities. I used the 'audit' qualifier as
>> suggested by cboltz to verify which capabilities were actually used.
>> It's a difficult task though, as it is nearly impossible for one
>> person to exercise a driver in all the ways thousands of users will
>> push it :-). I was able to whittle the virtxend profile quite a bit
>> since xen doesn't need a lot in the way of host capabilities.
>
> Your updated patches look good :-)

Thanks. The V3 I sent earlier contains a few more incremental improvements and can likely be merged IMO.

> There's one thing I missed in the first review, but that might be worth
> a separate patch instead of updating this patchset:
>
> Starting with AppArmor 3.0 userspace, profiles should have an abi rule
> in their preamble (as the first line):
>
> abi <abi/3.0>,

Definitely sounds like something for a separate patch.

> Without this abi rule, network, dbus and unix will not be enforced.
> Note that even without the abi/3.0 rule, (open)SUSE kernels have
> supported and enforced network rules for years, and Ubuntu kernels
> support all rule types.
>
> Older AppArmor versions will ignore the abi line.
>
> Adding the abi rule might mean that you'll have to add some network,
> dbus or unix rules to the profiles, therefore please do some testing
> instead of blindly adding the abi rule ;-)

My relationship with apparmor is complicated. Even the slightest changes call for a fair bit of testing :-).

Regards,
Jim
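
Christian's point about the abi rule is easy to check mechanically. The script below is an added example, not libvirt's or AppArmor's own tooling: it reports profiles whose first rule is not 'abi <abi/3.0>,' while they still carry network, dbus or unix rules, which AppArmor 3.0 userspace would then silently not enforce. The two profiles it scans are constructed samples, and the function names (first_rule, check_profile, make_samples) are my own.

```shell
# Added example, not libvirt's code: flag AppArmor profiles that lack the
# 'abi <abi/3.0>,' preamble rule yet carry network, dbus or unix rules, which
# AppArmor 3.0 userspace will not enforce without it. Only the '<abi/3.0>'
# spelling is recognised; the sample profiles below are constructed.

# Print a profile's first real rule: blanks and comments are skipped, but
# '#include' lines count, since the abi rule should precede them.
first_rule() {
    awk '/^[ \t]*$/ { next }
         /^[ \t]*#/ && !/^[ \t]*#include/ { next }
         { print; exit }' "$1"
}
# 0 = abi rule present, 1 = missing with affected rules, 2 = missing, none affected
check_profile() {
    if first_rule "$1" | grep -q '^[[:space:]]*abi[[:space:]]*<abi/3\.0>,'; then
        echo "$1: ok (abi rule is the first rule)"
        return 0
    fi
    # Plain rules and ones with audit/deny/allow qualifiers, e.g. 'audit network inet,'
    if grep -Eq '^[[:space:]]*((audit|deny|allow)[[:space:]]+)*(network|dbus|unix)([[:space:]]|,)' "$1"; then
        echo "$1: NO abi rule; its network/dbus/unix rules are not enforced on AppArmor 3.0" >&2
        return 1
    fi
    echo "$1: no abi rule (nothing affected yet; add 'abi <abi/3.0>,' and test)" >&2
    return 2
}
# Write two constructed sample profiles to a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/usr.sbin.exampled" <<'EOF'
# constructed sample: abi rule missing, network rule present
#include <tunables/global>
profile exampled /usr/sbin/exampled {
  #include <abstractions/base>
  network inet stream,
}
EOF
    cat > "$dir/usr.sbin.fixed" <<'EOF'
abi <abi/3.0>,
#include <tunables/global>
profile fixed /usr/sbin/fixed {
  #include <abstractions/base>
  audit network inet stream,
}
EOF
    echo "$dir"
}
# Driver: in practice point this at /etc/apparmor.d/libvirt/* instead.
samples=$(make_samples)
for p in "$samples"/*; do check_profile "$p" || :; done
```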
