Re: [libvirt] [PATCH] AppArmor: add rules needed with additional mediation features brought by Linux 4.14.
Hi,

thanks Jamie for this review. All your suggestions make sense to me,
I'll implement + test them and will re-submit as v3.

Cheers,
-- 
intrigeri

-- 
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] AppArmor: add rules needed with additional mediation features brought by Linux 4.14.
On Thu, 2017-10-26 at 08:39 -0500, Jamie Strandboge wrote:
> On Thu, 2017-10-26 at 10:22 +, intrigeri+libv...@boum.org wrote:
> > diff --git a/examples/apparmor/usr.sbin.libvirtd > > b/examples/apparmor/usr.sbin.libvirtd > > index 819068ffc3..eb24726e08 100644 > > --- a/examples/apparmor/usr.sbin.libvirtd > > +++ b/examples/apparmor/usr.sbin.libvirtd > > @@ -30,10 +30,13 @@ > ># Needed for vfio > >capability sys_resource, > > > > + mount, > > + > >
> This is interesting since the Ubuntu profile is missing mount rules.
> What specific denials/libvirt actions prompted this rule?
>

Responding to myself now that I read the SUSE bug. I actually suggest
using the fine-grained rules in the SUSE patch because it is much easier
to add more rules for more access than to take them away. These rules
are in the 'examples' directory so I think it is expected that a
distribution may need to tailor them from time to time (hopefully
upstreaming their changes! :).

-- 
Jamie Strandboge | http://www.canonical.com
Re: [libvirt] [PATCH] AppArmor: add rules needed with additional mediation features brought by Linux 4.14.
On Thu, 2017-10-26 at 10:22 +, intrigeri+libv...@boum.org wrote:
> From: intrigeri > > --- > examples/apparmor/libvirt-qemu | 2 ++ > examples/apparmor/usr.sbin.libvirtd | 6 ++ > 2 files changed, 8 insertions(+) > > diff --git a/examples/apparmor/libvirt-qemu > b/examples/apparmor/libvirt-qemu > index b341e31f42..5994a35042 100644 > --- a/examples/apparmor/libvirt-qemu > +++ b/examples/apparmor/libvirt-qemu > @@ -16,6 +16,8 @@ >network inet stream, >network inet6 stream, > > + signal (receive) set=("term") peer=/usr/sbin/libvirtd,

I suggest this rule instead:

signal (receive) peer=/usr/sbin/libvirtd,

ie, let libvirtd send any signals it wants to its VMs.

>/dev/net/tun rw, >/dev/kvm rw, >/dev/ptmx rw, > diff --git a/examples/apparmor/usr.sbin.libvirtd > b/examples/apparmor/usr.sbin.libvirtd > index 819068ffc3..eb24726e08 100644 > --- a/examples/apparmor/usr.sbin.libvirtd > +++ b/examples/apparmor/usr.sbin.libvirtd > @@ -30,10 +30,13 @@ ># Needed for vfio >capability sys_resource, > > + mount, > +

This is interesting since the Ubuntu profile is missing mount rules.
What specific denials/libvirt actions prompted this rule?

>network inet stream, >network inet dgram, >network inet6 stream, >network inet6 dgram, > + network netlink raw,

This is fine.

>network packet dgram, >network packet raw,
> > @@ -42,6 +45,9 @@ >ptrace (trace) peer=/usr/sbin/dnsmasq, >ptrace (trace) peer=libvirt-*, > > + signal (send) set=("hup") peer=/usr/sbin/dnsmasq,

I suspect you are missing 'term' to support net-destroy. I suggest this
instead:

signal (send) peer=/usr/sbin/dnsmasq,

Ie, let libvirtd send any signals to fully manage its dnsmasq.

> + signal (send) set=("term") peer=libvirt-*,

I suggest this instead:

signal (send) peer=libvirt-*,

Ie, let libvirtd send any signals to its VMs.

I think you are missing this in libvirt-qemu:

ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,

and this in usr.sbin.libvirtd:

ptrace (read, trace) peer=libvirt-*,

-- 
Jamie Strandboge | http://www.canonical.com
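The review above works from observed denials back to rules: which signal set, which ptrace direction, which socket family, and whether mount really has to be unrestricted. As an added example that is not part of this thread or of libvirt, the following Python script turns AppArmor audit records for those four operation types into candidate profile rules, folding per-guest profile names (libvirt-<uuid>) into the libvirt-* glob the patch uses and emitting a qualified mount rule instead of a bare `mount,`. The audit lines are constructed, and the field names (operation, requested_mask, signal, peer, family, sock_type, fstype, srcname, flags, name) are assumed from the kernel's apparmor="DENIED" format.

```python
"""Turn AppArmor audit records for the mediation classes discussed in this
thread (signal, ptrace, socket creation, mount) into candidate profile rules.

Added example, not libvirt or AppArmor project code.  The audit lines below
are constructed; the field names are assumed from the kernel's audit format.
"""
import re
from collections import OrderedDict

# key=value pairs, value either double-quoted or a bare token
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# libvirt names guest profiles libvirt-<domain uuid>; fold them into the
# libvirt-* glob that the patch uses so one rule covers every guest
_GUEST = re.compile(r'^libvirt-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$')


def parse_audit_line(line):
    """Split one audit record into a dict of its key=value fields."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def _peer(name):
    return 'libvirt-*' if _GUEST.match(name) else name


def rule_for(fields):
    """Map one DENIED (or complain-mode ALLOWED) record to a rule, else None."""
    if fields.get('apparmor') not in ('DENIED', 'ALLOWED'):
        return None
    op = fields.get('operation')
    mask = fields.get('denied_mask') or fields.get('requested_mask', '')
    if op == 'signal':
        # keep the signal set narrow; widen it deliberately, as the review discusses
        return 'signal (%s) set=(%s) peer=%s,' % (mask, fields['signal'], _peer(fields['peer']))
    if op == 'ptrace':
        return 'ptrace (%s) peer=%s,' % (mask, _peer(fields['peer']))
    if op == 'create' and 'family' in fields:
        return 'network %s %s,' % (fields['family'], fields['sock_type'])
    if op == 'mount':
        # qualified form instead of a bare "mount," which allows every mount
        opts = ','.join(f.strip() for f in fields.get('flags', '').split(',') if f.strip())
        return 'mount fstype=%s options=(%s) %s -> %s,' % (
            fields['fstype'], opts, fields['srcname'], fields['name'])
    return None


def rules_by_profile(log_text):
    """Return {profile: [unique rules in first-seen order]} for a log excerpt."""
    out = OrderedDict()
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        rule = rule_for(fields)
        if rule is not None:
            out.setdefault(fields['profile'], OrderedDict())[rule] = None
    return {profile: list(rules) for profile, rules in out.items()}


# Constructed sample: one libvirtd managing a guest and a dnsmasq instance.
GUEST = 'libvirt-2d7c1a3e-0f4b-4b9e-9b1c-5a6f7e8d9c0b'
OTHER_GUEST = 'libvirt-7b4e9d10-3c2a-4f55-8e61-0a1b2c3d4e5f'
SAMPLE_LOG = '\n'.join([
    'type=AVC msg=audit(1509036000.101:301): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=2211 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="%s"' % GUEST,
    'type=AVC msg=audit(1509036000.102:302): apparmor="DENIED" operation="signal" profile="%s" pid=2290 comm="qemu-system-x86" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"' % GUEST,
    'type=AVC msg=audit(1509036000.103:303): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=2211 comm="libvirtd" requested_mask="send" denied_mask="send" signal=hup peer="/usr/sbin/dnsmasq"',
    'type=AVC msg=audit(1509036000.104:304): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=2211 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="%s"' % GUEST,
    'type=AVC msg=audit(1509036000.105:305): apparmor="DENIED" operation="ptrace" profile="%s" pid=2290 comm="qemu-system-x86" requested_mask="readby" denied_mask="readby" peer="/usr/sbin/libvirtd"' % GUEST,
    'type=AVC msg=audit(1509036000.106:306): apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=2211 comm="libvirtd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"',
    'type=AVC msg=audit(1509036000.107:307): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/sbin/libvirtd" name="/run/libvirt/qemu/" pid=2211 comm="libvirtd" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid"',
    'type=AVC msg=audit(1509036000.108:308): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/libvirtd" pid=2300 comm="apparmor_parser"',
    'type=AVC msg=audit(1509036000.109:309): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=2211 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="%s"' % OTHER_GUEST,
])

if __name__ == '__main__':
    for profile, rules in rules_by_profile(SAMPLE_LOG).items():
        print(profile)
        for rule in rules:
            print('  ' + rule)
```

The generated rules are deliberately as narrow as the denial that produced them (a single signal in set=(), a single ptrace direction); whether to widen them, as the review argues for libvirtd managing its own guests and dnsmasq, is a decision to record in the profile comment, not something the log can make for you. For real profiles, aa-logprof does this job against the live audit log; the value of the standalone version is seeing exactly which record maps to which rule.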
[libvirt] [PATCH] AppArmor: add rules needed with additional mediation features brought by Linux 4.14.
From: intrigeri --- examples/apparmor/libvirt-qemu | 2 ++ examples/apparmor/usr.sbin.libvirtd | 6 ++ 2 files changed, 8 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index b341e31f42..5994a35042 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -16,6 +16,8 @@ network inet stream, network inet6 stream, + signal (receive) set=("term") peer=/usr/sbin/libvirtd, + /dev/net/tun rw, /dev/kvm rw, /dev/ptmx rw, diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 819068ffc3..eb24726e08 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -30,10 +30,13 @@ # Needed for vfio capability sys_resource, + mount, + network inet stream, network inet dgram, network inet6 stream, network inet6 dgram, + network netlink raw, network packet dgram, network packet raw, @@ -42,6 +45,9 @@ ptrace (trace) peer=/usr/sbin/dnsmasq, ptrace (trace) peer=libvirt-*, + signal (send) set=("hup") peer=/usr/sbin/dnsmasq, + signal (send) set=("term") peer=libvirt-*, + # Very lenient profile for libvirtd since we want to first focus on confining # the guests. Guests will have a very restricted profile. / r, -- 2.15.0.rc2
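Review bot: `set=("term")` in the libvirt-qemu hunk lets a guest accept only SIGTERM from libvirtd, and the hunk adds no ptrace rule on the guest side even though usr.sbin.libvirtd already carries `ptrace (trace) peer=libvirt-*,`; the review in this thread suggests `signal (receive) peer=/usr/sbin/libvirtd,` together with `ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,`. The commit message is also empty ("From: intrigeri ---"): it should state which denials under 4.14's signal, ptrace, socket and mount mediation each rule answers, the way the profile's own "# Needed for vfio" comment does for capability sys_resource.

Review bot: the bare `mount,` in the @@ -30,10 hunk grants unrestricted mount (any source, fstype, options and destination) and nothing in the hunk says which libvirt operation needs it; the review asks exactly that question and points to the fine-grained mount rules in the SUSE patch. Qualify it (fstype=, options=, a destination) and add a comment in the style of the neighbouring "# Needed for vfio"; `network netlink raw,` in the same hunk deserves a comment for the same reason.

Review bot: `signal (send) set=("hup") peer=/usr/sbin/dnsmasq,` in the @@ -42,6 hunk covers reloading dnsmasq but not stopping it; the review notes that net-destroy needs 'term' and suggests `signal (send) peer=/usr/sbin/dnsmasq,`. The same review suggests `signal (send) peer=libvirt-*,` in place of the 'term'-only rule and adding `ptrace (read, trace) peer=libvirt-*,`, since the existing `ptrace (trace) peer=libvirt-*,` two lines above this hunk's additions only covers trace.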
Re: [libvirt] [PATCH] AppArmor: add rules needed with additional mediation features brought by Linux 4.14.
intrigeri:
> + network unix dgram, > + network unix stream,

Hold on, these two rules are probably not needed (chances are that they
were needed due to a bug in the AppArmor parser, that got fixed in
2.11.1). I'll double-check tomorrow. Sorry for the noise!
[libvirt] [PATCH] AppArmor: add rules needed with additional mediation features brought by Linux 4.14.
--- examples/apparmor/libvirt-qemu | 2 ++ examples/apparmor/usr.sbin.libvirtd | 9 + 2 files changed, 11 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index b341e31f42..5994a35042 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -16,6 +16,8 @@ network inet stream, network inet6 stream, + signal (receive) set=("term") peer=/usr/sbin/libvirtd, + /dev/net/tun rw, /dev/kvm rw, /dev/ptmx rw, diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 819068ffc3..17b5ee38ff 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -30,6 +30,8 @@ # Needed for vfio capability sys_resource, + mount, + network inet stream, network inet dgram, network inet6 stream, @@ -37,11 +39,18 @@ network packet dgram, network packet raw, + network netlink raw, + network unix dgram, + network unix stream, + ptrace (trace) peer=unconfined, ptrace (trace) peer=/usr/sbin/libvirtd, ptrace (trace) peer=/usr/sbin/dnsmasq, ptrace (trace) peer=libvirt-*, + signal (send) set=("hup") peer=/usr/sbin/dnsmasq, + signal (send) set=("term") peer=libvirt-*, + # Very lenient profile for libvirtd since we want to first focus on confining # the guests. Guests will have a very restricted profile. / r, -- 2.15.0.rc2
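Review bot: the libvirt-qemu hunk is unchanged from the earlier posting, so the 'term'-only `signal (receive)` rule and the missing guest-side `ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,` that the review asked for still apply here; this revision also still has no commit message explaining the denials behind the rules.

Review bot: `mount,` in the @@ -30,6 hunk is still unqualified and uncommented; the review's request for fine-grained mount rules, and for a note of which libvirt action prompted the rule, has not been taken up in this revision.

Review bot: `network unix dgram,` and `network unix stream,` in the @@ -37,11 hunk are questioned by the author's own follow-up in this thread (probably an AppArmor parser bug fixed in 2.11.1 rather than a real denial); confirm against a fixed parser before merging rather than carrying two rules that widen the profile for no reason. The signal rules at the end of the same hunk keep the 'hup'-only and 'term'-only sets that the review asked to be widened to `signal (send) peer=/usr/sbin/dnsmasq,` and `signal (send) peer=libvirt-*,`.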