On Mon, Aug 16, 2010 at 02:45:02PM -0500, Jamie Strandboge wrote:
> On Mon, 2010-08-16 at 17:15 +0100, Daniel P. Berrange wrote:
> > On Fri, Aug 13, 2010 at 05:00:06PM -0500, Jamie Strandboge wrote:
> > > Attached is 0003-apparmor-examples.patch
> >
> > Can you include full commit messages with each patch,
> > since it makes it easier to review & understand, and
> > will be needed when the patches are applied to GIT.
>
> Certainly, and I apologize. Attached is an updated patch with messages.
>
> --
> Jamie Strandboge | http://www.canonical.com
> Author: Jamie Strandboge <ja...@canonical.com>
> Description: AppArmor example profile adjustments:
> - libvirt-qemu: allow guests setgid and setuid so qemu can drop privileges
> - virt-aa-helper:
>   + allow access to @{PROC}/[0-9]*/net/psched
>   + allow searching /sys/bus/usb/devices/
>   + deny access to /dev to suppress confusing, non-fatal profile denials
>   + allow access to user-tmp abstraction
> Bug-Ubuntu: LP: #579584, LP: #565691
>
> diff -Naurp libvirt.orig/examples/apparmor/libvirt-qemu libvirt/examples/apparmor/libvirt-qemu
> --- libvirt.orig/examples/apparmor/libvirt-qemu 2010-04-06 16:14:52.000000000 -0500
> +++ libvirt/examples/apparmor/libvirt-qemu 2010-08-13 16:46:34.000000000 -0500
> @@ -1,4 +1,4 @@
> -# Last Modified: Mon Apr 5 15:11:27 2010
> +# Last Modified: Fri Aug 13 16:38:32 2010
>
> #include <abstractions/base>
> #include <abstractions/consoles>
> @@ -9,6 +9,10 @@
> capability dac_read_search,
> capability chown,
>
> + # needed to drop privileges
> + capability setgid,
> + capability setuid,
> +
> network inet stream,
> network inet6 stream,

Does QEMU really need this? The libvirt QEMU driver will drop privileges
from root:root to qemu:qemu after forking, but before the /usr/bin/qemu
binary is actually exec'd.

Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
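Review bot: the first hunk (`-# Last Modified: Mon Apr 5 15:11:27 2010` / `+# Last Modified: Fri Aug 13 16:38:32 2010`) only rewrites the timestamp comment at the top of examples/apparmor/libvirt-qemu and carries nothing the commit message does not; that line will be touched by every unrelated edit to the profile and is better left out of the patch unless the project deliberately keeps that header current.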
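Review bot: the second hunk grants `capability setgid,` and `capability setuid,` to the confined guest with only the comment `# needed to drop privileges` as justification, and neither the comment nor the commit message says which qemu code path issues setuid()/setgid() or which of LP: #579584 / LP: #565691 showed the denial. If the process enters the profile already running as an unprivileged user, these two rules widen the profile without ever being exercised; please cite the observed denial (or the qemu option that triggers the uid switch) in the comment, or drop the rules. Separately, the description lists virt-aa-helper changes, but only examples/apparmor/libvirt-qemu appears in the quoted diff, so the virt-aa-helper part cannot be reviewed from this excerpt.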
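One way to settle "does QEMU really need this?" empirically on a running guest is to compare the `capability` rules in the profile against the effective capability mask (CapEff) of the qemu process in /proc/<pid>/status: a capability that is not in CapEff cannot be used by that process, so granting it in the profile is dead weight. The script below is an added example, not libvirt or AppArmor project code. The profile snippet mirrors the hunk quoted above; the three /proc status excerpts, their uid values and pids are constructed samples.

```python
"""Compare AppArmor `capability` grants in a libvirt-qemu profile against the
effective capability set (CapEff) of the running qemu process.

Added example, not libvirt or AppArmor code.  Profile text and /proc status
text below are constructed samples."""
import re

# Linux capability bit numbers (include/uapi/linux/capability.h); the
# CapEff/CapPrm/CapBnd fields in /proc/<pid>/status are hex masks over these.
CAP_BITS = {
    "chown": 0, "dac_override": 1, "dac_read_search": 2, "fowner": 3,
    "fsetid": 4, "kill": 5, "setgid": 6, "setuid": 7, "setpcap": 8,
    "linux_immutable": 9, "net_bind_service": 10, "net_broadcast": 11,
    "net_admin": 12, "net_raw": 13, "ipc_lock": 14, "ipc_owner": 15,
    "sys_module": 16, "sys_rawio": 17, "sys_chroot": 18, "sys_ptrace": 19,
    "sys_pacct": 20, "sys_admin": 21, "sys_boot": 22, "sys_nice": 23,
    "sys_resource": 24, "sys_time": 25, "sys_tty_config": 26, "mknod": 27,
    "lease": 28, "audit_write": 29, "audit_control": 30, "setfcap": 31,
    "mac_override": 32, "mac_admin": 33, "syslog": 34, "wake_alarm": 35,
    "block_suspend": 36, "audit_read": 37,
}

# Matches AppArmor rules of the form "  capability setuid,"
CAP_RULE = re.compile(r"^\s*capability\s+([a-z_]+)\s*,")


def profile_capabilities(profile_text):
    """Set of capability names granted by `capability X,` rules in a profile."""
    return {m.group(1) for m in map(CAP_RULE.match, profile_text.splitlines()) if m}


def decode_cap_mask(mask_hex):
    """Translate a CapEff-style hex mask into the set of capability names it holds."""
    mask = int(mask_hex, 16)
    return {name for name, bit in CAP_BITS.items() if mask & (1 << bit)}


def proc_status_field(status_text, field):
    """Value of one `Field:\\tvalue` line from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            return line.split(":", 1)[1].strip()
    raise KeyError(field)


def unused_grants(profile_text, status_text):
    """Capabilities the profile grants but the process can never exercise,
    because they are absent from its effective set (CapEff)."""
    granted = profile_capabilities(profile_text)
    effective = decode_cap_mask(proc_status_field(status_text, "CapEff"))
    return sorted(granted - effective)


def check_live(pid, profile_path):
    """Same check against a real pid and profile file (needs read access)."""
    with open(profile_path) as f, open("/proc/%d/status" % pid) as s:
        return unused_grants(f.read(), s.read())


# Constructed sample: the capability rules from the hunk under review.
PROFILE_SNIPPET = """\
#include <abstractions/base>
#include <abstractions/consoles>

  capability dac_read_search,
  capability chown,

  # needed to drop privileges
  capability setgid,
  capability setuid,

  network inet stream,
  network inet6 stream,
"""

# Constructed /proc/<pid>/status excerpts (uids and pids are made up).
STATUS_STILL_ROOT = "Name:\tqemu\nPid:\t4242\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
STATUS_DROPPED = "Name:\tqemu\nPid:\t4243\nUid:\t107\t107\t107\t107\nCapEff:\t0000000000000000\n"
STATUS_KEPT_SETID = "Name:\tqemu\nPid:\t4244\nUid:\t0\t0\t0\t0\nCapEff:\t00000000000000c0\n"

if __name__ == "__main__":
    for label, status in (("still root", STATUS_STILL_ROOT),
                          ("dropped to qemu:qemu", STATUS_DROPPED),
                          ("root, only setgid/setuid kept", STATUS_KEPT_SETID)):
        print("%-32s unused grants: %s" % (label, unused_grants(PROFILE_SNIPPET, status)))
```

Run it against a real guest with `check_live(pid, "/etc/apparmor.d/libvirt/libvirt-<uuid>")` (or the example profile path) while the guest is up. If the qemu process already runs as qemu:qemu with an empty CapEff, the setgid/setuid rules (and, for that matter, chown and dac_read_search) are never exercised by that process and the profile can be tightened; if CapEff still contains them, the grant is doing real work and the comment should say which code path needs it.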