On Fri, Aug 13, 2010 at 05:00:06PM -0500, Jamie Strandboge wrote:
> Attached is 0003-apparmor-examples.patch

Can you include full commit messages with each patch, since it makes
it easier to review & understand, and will be needed when the patches
are applied to GIT.

> diff -Naurp libvirt.orig/examples/apparmor/libvirt-qemu libvirt/examples/apparmor/libvirt-qemu
> --- libvirt.orig/examples/apparmor/libvirt-qemu 2010-04-06 16:14:52.000000000 -0500
> +++ libvirt/examples/apparmor/libvirt-qemu 2010-08-13 16:46:34.000000000 -0500
> @@ -1,4 +1,4 @@
> -# Last Modified: Mon Apr 5 15:11:27 2010
> +# Last Modified: Fri Aug 13 16:38:32 2010
>  
>    #include <abstractions/base>
>    #include <abstractions/consoles>
> @@ -9,6 +9,10 @@
>    capability dac_read_search,
>    capability chown,
>  
> +  # needed to drop privileges
> +  capability setgid,
> +  capability setuid,
> +
>    network inet stream,
>    network inet6 stream,
>  
> diff -Naurp libvirt.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper libvirt/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> --- libvirt.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper 2010-04-06 16:14:52.000000000 -0500
> +++ libvirt/examples/apparmor/usr.lib.libvirt.virt-aa-helper 2010-08-13 16:44:01.000000000 -0500
> @@ -1,8 +1,9 @@
> -# Last Modified: Mon Apr 5 15:10:27 2010
> +# Last Modified: Fri Aug 13 16:38:32 2010
>  #include <tunables/global>
>  
>  /usr/lib/libvirt/virt-aa-helper {
>    #include <abstractions/base>
> +  #include <abstractions/user-tmp>
>  
>    # needed for searching directories
>    capability dac_override,
> @@ -12,11 +13,16 @@
>    network inet,
>  
>    deny @{PROC}/[0-9]*/mounts r,
> +  @{PROC}/[0-9]*/net/psched r,
>    @{PROC}/filesystems r,
>  
>    # for hostdev
>    /sys/devices/ r,
>    /sys/devices/** r,
> +  /sys/bus/usb/devices/ r,
> +  deny /dev/sd* r,
> +  deny /dev/mapper/ r,
> +  deny /dev/mapper/* r,
>  
>    /usr/lib/libvirt/virt-aa-helper mr,
>    /sbin/apparmor_parser Ux,
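Review bot: the first libvirt-qemu hunk (`@@ -1,4 +1,4 @@`) changes nothing but the `# Last Modified:` timestamp header; that header churns on every edit and carries no review value, so consider leaving the timestamp lines out of the patch (or dropping them from the example profiles) so future diffs show only rule changes.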
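Review bot: in the second libvirt-qemu hunk (`@@ -9,6 +9,10 @@`), `capability setgid,` and `capability setuid,` are added to the guest profile with only the comment `# needed to drop privileges`; since these two capabilities are exactly what let a confined process change its own credentials, the commit message should say which code path in the confined QEMU process needs them and that they are required only for the one-time drop after start-up, so that a later reader can judge whether the grant is still needed.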
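Review bot: in the first virt-aa-helper hunk (`@@ -1,8 +1,9 @@`), `#include <abstractions/user-tmp>` widens the helper's access to per-user and shared temporary directories, but neither the hunk nor the commit carries a reason; add a one-line comment beside the include in the style of the existing `# needed for searching directories` comment, or explain it in the commit message, so it is clear what the helper writes under tmp and whether a narrower rule would do. The `# Last Modified:` change in the same hunk is timestamp churn, as in the libvirt-qemu file.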
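Review bot: in the second virt-aa-helper hunk (`@@ -12,11 +13,16 @@`), the new `@{PROC}/[0-9]*/net/psched r,` line has no comment saying why the helper reads scheduler info, and `deny /dev/sd* r,`, `deny /dev/mapper/ r,` and `deny /dev/mapper/* r,` are placed under the `# for hostdev` comment although they concern block devices rather than sysfs; a short comment stating the intent of the denies (for example, whether they exist to silence expected denials rather than to block a real access path) would make the hunk reviewable. Note also that, unlike the `audit deny @{HOME}/.*` rules later in the profile, these denies are not audited, so any hit on them will not show up in the log.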
> @@ -24,8 +30,11 @@
>    /etc/apparmor.d/libvirt/* r,
>    /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
>  
> -  # for backingstore -- allow access to non-hidden files in @{HOME} as well
> -  # as storage pools
> +  # For backingstore, virt-aa-helper may need to peek inside the disk image, so
> +  # allow access to non-hidden files in @{HOME} as well as storage pools, and
> +  # removable media and filesystems, and certain file extentions. A
> +  # virt-aa-helper failure when checking a disk for backinsgstore is non-fatal
> +  # (but obviously the backingstore won't be added).
>    audit deny @{HOME}/.* mrwkl,
>    audit deny @{HOME}/.*/ rw,
>    audit deny @{HOME}/.*/** mrwkl,

ACK

Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
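Review bot: the new comment block in the last virt-aa-helper hunk (`@@ -24,8 +30,11 @@`) has two typos, "extentions" for "extensions" and "backinsgstore" for "backingstore". The comment also says access is allowed to removable media, filesystems and certain file extensions, but the hunk itself shows only the `audit deny @{HOME}/.*` rules; if the corresponding allow rules live elsewhere in the profile, the commit message should point at them so the comment can be checked against the rules it describes.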