Hello, [I'm not subscribed to the libvirt list, please CC me in replies]
Am Mittwoch, 16. Juni 2021, 05:41:02 CEST schrieb Jim Fehlig:
> diff --git a/src/security/apparmor/libvirt-qemu
> b/src/security/apparmor/libvirt-qemu index 85c9e61d6c..990bb0b2ba
> 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
[...]
You only need to add
> + ptrace (readby, tracedby) peer=virtqemud,
The following rule
> + ptrace (readby, tracedby) peer=/usr/sbin/virtqemud,
is superfluous and can be removed.
Technical background: the reason why there are rules for libvirtd and
/usr/sbin/libvirtd is backwards compability to the old
/usr/sbin/libvirtd {
profile before it became
profile libvirtd /usr/sbin/libvirtd {
You don't need that for a new profile that is
profile virtqumud /usr/sbin/virtquemud {
from the beginning.
This also applies to your 2/3 and 3/3 patches.
> signal (receive) peer=libvirtd,
> signal (receive) peer=/usr/sbin/libvirtd,
> + signal (receive) peer=virtqemud,
> + signal (receive) peer=/usr/sbin/virtqemud,
Same here - the rule with peer=/usr/sbin/virtquemud is superfluous.
[...]
> + unix (send, receive) type=stream addr=none peer=(label=virtqemud),
> + unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/
virtqemud),
And again ;-)
[...]
> diff --git a/src/security/apparmor/usr.sbin.virtqemud.in
> b/src/security/apparmor/usr.sbin.virtqemud.in new file mode 100644
> index 0000000000..b986241c74
> --- /dev/null
> +++ b/src/security/apparmor/usr.sbin.virtqemud.in
> @@ -0,0 +1,135 @@
> +#include <tunables/global>
> +@{LIBVIRT}="libvirt"
> +
> +profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
> + #include <abstractions/base>
> + #include <abstractions/dbus>
> +
> + capability kill,
> + capability net_admin,
> + capability net_raw,
> + capability setgid,
> + capability sys_admin,
> + capability sys_module,
> + capability sys_ptrace,
> + capability sys_pacct,
> + capability sys_nice,
> + capability sys_chroot,
> + capability setuid,
> + capability dac_override,
> + capability dac_read_search,
> + capability fowner,
> + capability chown,
> + capability setpcap,
> + capability mknod,
> + capability fsetid,
> + capability audit_write,
> + capability ipc_lock,
> + capability sys_rawio,
> + capability bpf,
> + capability perfmon,
> +
> + # Needed for vfio
> + capability sys_resource,
[...]
Just wondering - do the new profiles (in all 3 patches) reallly need
all the capabilities and the other broad rules?
(See my 0/3 reply how to find out ;-)
Regards,
Christian Boltz
--
Let's hope the best and praise the Gecko!
[Hans-Peter Jansen in opensuse-factory]
signature.asc
Description: This is a digitally signed message part.
