On Mon, 2010-08-16 at 17:15 +0100, Daniel P. Berrange wrote:
> On Fri, Aug 13, 2010 at 05:00:06PM -0500, Jamie Strandboge wrote:
> > Attached is 0003-apparmor-examples.patch
>
> Can you include full commit messages with each patch,
> since it makes it easier to review & understand, and
> will be needed when the patches are applied to GIT.

Certainly, and I apologize. Attached is an updated patch with messages.

--
Jamie Strandboge | http://www.canonical.com

Author: Jamie Strandboge <jamie@xxxxxxxxxxxxx> Description: AppArmor example profile adjustments: - libvirt-qemu: allow guests setgid and setuid so qemu can drop privileges - virt-aa-helper: + allow access to @{PROC}/[0-9]*/net/psched + allow searching /sys/bus/usb/devices/ + deny access to /dev to suppress confusing, non-fatal profile denials + allow access to user-tmp abstraction Bug-Ubuntu: LP: #579584, LP: #565691 diff -Naurp libvirt.orig/examples/apparmor/libvirt-qemu libvirt/examples/apparmor/libvirt-qemu --- libvirt.orig/examples/apparmor/libvirt-qemu 2010-04-06 16:14:52.000000000 -0500 +++ libvirt/examples/apparmor/libvirt-qemu 2010-08-13 16:46:34.000000000 -0500 @@ -1,4 +1,4 @@ -# Last Modified: Mon Apr 5 15:11:27 2010 +# Last Modified: Fri Aug 13 16:38:32 2010 #include <abstractions/base> #include <abstractions/consoles> @@ -9,6 +9,10 @@ capability dac_read_search, capability chown, + # needed to drop privileges + capability setgid, + capability setuid, + network inet stream, network inet6 stream, diff -Naurp libvirt.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper libvirt/examples/apparmor/usr.lib.libvirt.virt-aa-helper --- libvirt.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper 2010-04-06 16:14:52.000000000 -0500 +++ libvirt/examples/apparmor/usr.lib.libvirt.virt-aa-helper 2010-08-13 16:44:01.000000000 -0500 @@ -1,8 +1,9 @@ -# Last Modified: Mon Apr 5 15:10:27 2010 +# Last Modified: Fri Aug 13 16:38:32 2010 #include <tunables/global> /usr/lib/libvirt/virt-aa-helper { #include <abstractions/base> + #include <abstractions/user-tmp> # needed for searching directories capability dac_override, @@ -12,11 +13,16 @@ network inet, deny @{PROC}/[0-9]*/mounts r, + @{PROC}/[0-9]*/net/psched r, @{PROC}/filesystems r, # for hostdev /sys/devices/ r, /sys/devices/** r, + /sys/bus/usb/devices/ r, + deny /dev/sd* r, + deny /dev/mapper/ r, + deny /dev/mapper/* r, /usr/lib/libvirt/virt-aa-helper mr, /sbin/apparmor_parser Ux, 
@@ -24,8 +30,11 @@ /etc/apparmor.d/libvirt/* r, /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, - # for backingstore -- allow access to non-hidden files in @{HOME} as well - # as storage pools + # For backingstore, virt-aa-helper may need to peek inside the disk image, so + # allow access to non-hidden files in @{HOME} as well as storage pools, and + # removable media and filesystems, and certain file extentions. A + # virt-aa-helper failure when checking a disk for backinsgstore is non-fatal + # (but obviously the backingstore won't be added). audit deny @{HOME}/.* mrwkl, audit deny @{HOME}/.*/ rw, audit deny @{HOME}/.*/** mrwkl,
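
Review bot: In the libvirt-qemu hunk at @@ -9,6 +9,10 @@, the comment "# needed to drop privileges" does not say when the capabilities are exercised, yet "capability setgid," and "capability setuid," go into the example profile that the commit message says applies to guests. Suggest expanding the comment to state that they are only needed when qemu starts privileged and then drops to an unprivileged user, so that anyone adapting the example for a setup where qemu never runs privileged knows these two lines are candidates for removal.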
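
Review bot: In the virt-aa-helper hunk at @@ -1,8 +1,9 @@, "#include <abstractions/user-tmp>" is added with no comment, while the neighbouring "capability dac_override," carries one ("# needed for searching directories"), and the commit message gives no reason either. The helper holds dac_override and can run /sbin/apparmor_parser with Ux, so widening its file access deserves a stated justification: please add a comment saying what the helper needs in the temporary directories.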
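
Review bot: In the virt-aa-helper hunk at @@ -12,11 +13,16 @@, the new "deny /dev/sd* r,", "deny /dev/mapper/ r," and "deny /dev/mapper/* r," rules sit under the existing "# for hostdev" comment with nothing in the profile explaining them; the reason (suppressing confusing, non-fatal denials) appears only in the commit message. Add a comment above them saying so, and reconcile the wording: the commit message says "deny access to /dev" while the rules cover only sd* and mapper nodes. "@{PROC}/[0-9]*/net/psched r," would also benefit from a short comment naming what reads it.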
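
Review bot: In the hunk at @@ -24,8 +30,11 @@, the rewritten comment has two typos: "extentions" should be "extensions" and "backinsgstore" should be "backingstore". The hunk changes only the comment, so please also confirm that the profile already carries rules for the "removable media and filesystems" and file extensions the comment now describes; if those rules arrive in a different patch, the comment text belongs with them.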
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list