Re: [PATCH v3 3/4] apparmor: fix UUID specification

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 1/7/25 08:23, Georgia Garcia wrote:

There is a common misconception when writing AppArmor policy that
[0-9]* applies * to the [0-9] class, but that's not the case. For this
example, [0-9]* matches a single digit followed by any number of
characters except for /

Create a UUID variable that uses the following format 8-4-4-4-12.

Signed-off-by: Georgia Garcia <georgia.garcia@xxxxxxxxxxxxx>
---
  src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 5 ++++-
  src/security/apparmor/usr.sbin.libvirtd.in              | 7 +++++--
  src/security/apparmor/usr.sbin.virtqemud.in             | 6 ++++--
  3 files changed, 13 insertions(+), 5 deletions(-)
This patch seems fine to me. Did you notice the issue by code inspection, or does it fix an observed error? If the latter, we should mention it in the commit message. 

Reviewed-by: Jim Fehlig <jfehlig@xxxxxxxx>

Regards,
Jim



diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index 44645c6989..90a8b7072c 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -1,5 +1,8 @@
  #include <tunables/global>
+@{hextet}=[0-9a-f][0-9a-f][0-9a-f][0-9a-f] 
+@{UUID}=@{hextet}@{hextet}-@{hextet}-@{hextet}-@{hextet}-@{hextet}@{hextet}@{hextet}
+
  profile virt-aa-helper @libexecdir@/virt-aa-helper {
    #include <abstractions/base>
    #include <abstractions/openssl>
@@ -44,7 +47,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
    /{usr/,}{s,}bin/apparmor_parser Ux,
@sysconfdir@/apparmor.d/libvirt/* r, 
-  @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+  @sysconfdir@/apparmor.d/libvirt/libvirt-@{UUID}* rw,
# for backingstore -- allow access to non-hidden files in @{HOME} as well 
    # as storage pools
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index 70e586895f..3659ddc219 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -1,4 +1,7 @@
  #include <tunables/global>
+
+@{hextet}=[0-9a-f][0-9a-f][0-9a-f][0-9a-f]
+@{UUID}=@{hextet}@{hextet}-@{hextet}-@{hextet}-@{hextet}-@{hextet}@{hextet}@{hextet}
  @{LIBVIRT}="libvirt"
profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { 
@@ -72,7 +75,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
    signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,
# allow connect with openGraphicsFD, direction reversed in newer versions 
-  unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
+  unix (send, receive) type=stream addr=none peer=(label=libvirt-@{UUID}),
    # unconfined also required if guests run without security module
    unix (send, receive) type=stream addr=none peer=(label=unconfined),
@@ -115,7 +118,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { 
    /etc/xen/scripts/** rmix,
# allow changing to our UUID-based named profiles 
-  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+  change_profile -> @{LIBVIRT}-@{UUID},
/usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper Cx -> qemu_bridge_helper, 
    # child profile for bridge helper process
diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/apparmor/usr.sbin.virtqemud.in
index 42fa4813da..86b23465b6 100644
--- a/src/security/apparmor/usr.sbin.virtqemud.in
+++ b/src/security/apparmor/usr.sbin.virtqemud.in
@@ -1,5 +1,7 @@
  #include <tunables/global>
  @{LIBVIRT}="libvirt"
+@{hextet}=[0-9a-f][0-9a-f][0-9a-f][0-9a-f]
+@{UUID}=@{hextet}@{hextet}-@{hextet}-@{hextet}-@{hextet}-@{hextet}@{hextet}@{hextet}
profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) { 
    #include <abstractions/base>
@@ -71,7 +73,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
    signal (send) set=(term) peer=libvirtd//qemu_bridge_helper,
# allow connect with openGraphicsFD, direction reversed in newer versions 
-  unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
+  unix (send, receive) type=stream addr=none peer=(label=libvirt-@{UUID}),
    # unconfined also required if guests run without security module
    unix (send, receive) type=stream addr=none peer=(label=unconfined),
@@ -109,7 +111,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) { 
    /etc/libvirt/hooks/** rmix,
# allow changing to our UUID-based named profiles 
-  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+  change_profile -> @{LIBVIRT}-@{UUID},
/usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper Cx -> qemu_bridge_helper, 
    # child profile for bridge helper process
[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux