On 01/26/2014 03:47 PM, Felix Geyer wrote:
> Tested on Debian unstable.
> The profile updates are partly taken from the Ubuntu trusty libvirt package.
Thanks for these updates! :) Comments inline.
> ---
> examples/apparmor/libvirt-qemu | 21 +++++++++++++++++----
> examples/apparmor/usr.lib.libvirt.virt-aa-helper | 10 ++++++++++
> examples/apparmor/usr.sbin.libvirtd | 16 ++++++++++++----
> 3 files changed, 39 insertions(+), 8 deletions(-)
>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index 766a334..e1980b7 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -9,6 +9,10 @@
> capability dac_read_search,
> capability chown,
>
> + # needed to drop privileges
> + capability setgid,
> + capability setuid,
> +
> network inet stream,
> network inet6 stream,
>
> @@ -20,7 +24,7 @@
>
> # For hostdev access. The actual devices will be added dynamically
> /sys/bus/usb/devices/ r,
> - /sys/devices/*/*/usb[0-9]*/** r,
> + /sys/devices/**/usb[0-9]*/** r,
>
> # WARNING: this gives the guest direct access to host hardware and specific
> # portions of shared memory. This is required for sound using ALSA with kvm,
> @@ -32,6 +36,8 @@
> /{dev,run}/shmpulse-shm* rwk,
> /dev/snd/* rw,
> capability ipc_lock,
> + # spice
> + owner /{dev,run}/shm/spice.* rw,
> # 'kill' is not required for sound and is a security risk. Do not enable
> # unless you absolutely need it.
> deny capability kill,
> @@ -58,6 +64,7 @@
> /usr/share/proll/** r,
> /usr/share/vgabios/** r,
> /usr/share/seabios/** r,
> + /usr/share/ovmf/** r,
>
> # access PKI infrastructure
> /etc/pki/libvirt-vnc/** r,
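Review bot: The comment `# needed to drop privileges` above the new `capability setgid,` and `capability setuid,` lines in the first libvirt-qemu hunk understates what is granted: an AppArmor capability rule is all-or-nothing, so these allow the confined qemu process to switch to any uid/gid, and the "drop" direction is enforced by qemu's own code rather than by this profile. I would extend the comment to `# needed to drop privileges; AppArmor cannot restrict the target uid/gid, qemu's own logic does`, so the next reader does not take the profile as the thing that prevents re-escalation. In the second hunk, `/sys/devices/**/usb[0-9]*/** r,` now matches usb nodes at any depth under /sys/devices rather than exactly two levels down; a short comment on why the old two-level glob was insufficient (presumably device paths sitting under additional bus levels, which I cannot confirm from the hunk) would let a reviewer judge whether read access is wider than the hostdev case needs.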
> @@ -109,9 +116,15 @@
> /bin/dd rmix,
> /bin/cat rmix,
>
> - /usr/libexec/qemu-bridge-helper Cx,
> + # for usb access
> + /dev/bus/usb/ r,
> + /etc/udev/udev.conf r,
> + /sys/bus/ r,
> + /sys/class/ r,
> +
> + /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
> # child profile for bridge helper process
> - profile /usr/libexec/qemu-bridge-helper {
> + profile qemu_bridge_helper {
> #include <abstractions/base>
>
> capability setuid,
> @@ -125,5 +138,5 @@
> /etc/qemu/** r,
> owner @{PROC}/*/status r,
>
> - /usr/libexec/qemu-bridge-helper rmix,
> + /usr/{lib,libexec}/qemu-bridge-helper rmix,
> }
I think you could actually deny the access to /etc/udev/udev.conf, but the access is harmless.
Acked-By: Jamie Strandboge <jamie@xxxxxxxxxxxxx>
> diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> index 94bf359..bceaaff 100644
> --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> +++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> @@ -12,6 +12,8 @@
> network inet,
>
> deny @{PROC}/[0-9]*/mounts r,
> + @{PROC}/[0-9]*/net/psched r,
> + owner @{PROC}/[0-9]*/status r,
> @{PROC}/filesystems r,
>
> # for hostdev
> @@ -35,4 +37,12 @@
> @{HOME}/** r,
> /var/lib/libvirt/images/ r,
> /var/lib/libvirt/images/** r,
> + /{media,mnt,opt,srv}/** r,
> +
> + /**.img r,
> + /**.qcow{,2} r,
> + /**.qed r,
> + /**.vmdk r,
> + /**.[iI][sS][oO] r,
> + /**/disk{,.*} r,
> }
Acked-By: Jamie Strandboge <jamie@xxxxxxxxxxxxx>
> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> index 1b24835..fd6def1 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -4,6 +4,7 @@
>
> /usr/sbin/libvirtd {
> #include <abstractions/base>
> + #include <abstractions/dbus>
>
> capability kill,
> capability net_admin,
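Review bot: The new `/**.img r,`, `/**.qcow{,2} r,`, `/**.qed r,`, `/**.vmdk r,`, `/**.[iI][sS][oO] r,` and `/**/disk{,.*} r,` rules in the second virt-aa-helper hunk give the helper read access to matching names anywhere on the filesystem, including under /etc, /root and home directories, and the match is by name only, so any file that happens to carry one of these suffixes becomes readable regardless of whether it is a disk image. The `/**/disk{,.*}` form is wider still, since `disk.*` is not tied to an image suffix at all and matches any last path component beginning with `disk.`. Presumably this is so virt-aa-helper can probe image files outside the `@{HOME}/**` and `/var/lib/libvirt/images/**` rules already above it, but the hunk does not say so. A comment above the block such as `# probe disk images anywhere on the host; matched by name only, so broader than the images dir` would record the intent and let the next reader judge whether the disk{,.*} rule can be narrowed.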
> @@ -22,20 +23,25 @@
> capability setpcap,
> capability mknod,
> capability fsetid,
> + capability audit_write,
>
> network inet stream,
> network inet dgram,
> network inet6 stream,
> network inet6 dgram,
> + network packet dgram,
>
> # Very lenient profile for libvirtd since we want to first focus on confining
> # the guests. Guests will have a very restricted profile.
> + / r,
> /** rwmkl,
>
> - /bin/* Ux,
> - /sbin/* Ux,
> - /usr/bin/* Ux,
> - /usr/sbin/* Ux,
> + /bin/* PUx,
> + /sbin/* PUx,
> + /usr/bin/* PUx,
> + /usr/sbin/* PUx,
> + /lib/udev/scsi_id PUx,
> + /usr/lib/xen-common/bin/xen-toolstack PUx,
>
> # force the use of virt-aa-helper
> audit deny /sbin/apparmor_parser rwxl,
> @@ -45,6 +51,8 @@
> audit deny /sys/kernel/security/apparmor/.* rwxl,
> /sys/kernel/security/apparmor/profiles r,
> /usr/lib/libvirt/* PUxr,
> + /etc/libvirt/hooks/** rmix,
> + /etc/xen/scripts/** rmix,
>
> # allow changing to our UUID-based named profiles
> change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
>
Acked-By: Jamie Strandboge <jamie@xxxxxxxxxxxxx>
--
Jamie Strandboge http://www.ubuntu.com/
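Review bot: The new `capability audit_write,` and `network packet dgram,` lines in the first libvirtd hunk are the only additions in this series without a why-comment, unlike `# needed to drop privileges` in libvirt-qemu, and both widen the daemon's reach in ways a reader will want justified: audit_write lets libvirtd write records to the kernel audit log, and `network packet dgram` permits AF_PACKET datagram sockets on the host. A one-line comment above each naming the consumer, in the form `# needed for <consumer>`, would keep the profile reviewable as it loosens; I cannot tell from the hunk which libvirt feature drives either grant. In the second hunk, `/etc/libvirt/hooks/** rmix,` and `/etc/xen/scripts/** rmix,` run those scripts under this same lenient profile (ix) rather than the PUx used for the binaries just above, which is the safer choice here, and a comment saying the scripts deliberately inherit libvirtd's confinement would make that intent explicit so a later edit does not "harmonise" them to PUx.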