[libvirt] [PATCHv3] Rework lxc apparmor profile

2014-07-15 Thread Cédric Bosdonnat
Rework the apparmor lxc profile abstraction to mimic ubuntu's container-default.
This profile allows quite a lot, but strives to restrict access to
dangerous resources.

Removing the explicit authorizations to bash, systemd and cron files,
forces them to keep the lxc profile for all applications inside the
container. PUx permissions where leading to running systemd (and others
tasks) unconfined.

Put the generic files, network and capabilities restrictions directly
in the TEMPLATE.lxc: this way, users can restrict them on a per
container basis.
---
 Diff to v2:
   * Fixed missing goto cleanup

 examples/apparmor/Makefile.am |   6 +-
 examples/apparmor/TEMPLATE.lxc|  15 
 examples/apparmor/{TEMPLATE = TEMPLATE.qemu} |   2 +-
 examples/apparmor/libvirt-lxc | 119 +++---
 src/security/security_apparmor.c  |  21 +++--
 src/security/virt-aa-helper.c |  29 +--
 6 files changed, 149 insertions(+), 43 deletions(-)
 create mode 100644 examples/apparmor/TEMPLATE.lxc
 rename examples/apparmor/{TEMPLATE = TEMPLATE.qemu} (75%)

diff --git a/examples/apparmor/Makefile.am b/examples/apparmor/Makefile.am
index a741e94..7a20e16 100644
--- a/examples/apparmor/Makefile.am
+++ b/examples/apparmor/Makefile.am
@@ -15,7 +15,8 @@
 ## http://www.gnu.org/licenses/.
 
 EXTRA_DIST=\
-   TEMPLATE\
+   TEMPLATE.qemu   \
+   TEMPLATE.lxc\
libvirt-qemu\
libvirt-lxc \
usr.lib.libvirt.virt-aa-helper  \
@@ -36,6 +37,7 @@ abstractions_DATA = \
 
 templatesdir = $(apparmordir)/libvirt
 templates_DATA = \
-   TEMPLATE \
+   TEMPLATE.qemu \
+   TEMPLATE.lxc \
$(NULL)
 endif WITH_APPARMOR_PROFILES
diff --git a/examples/apparmor/TEMPLATE.lxc b/examples/apparmor/TEMPLATE.lxc
new file mode 100644
index 000..7b64885
--- /dev/null
+++ b/examples/apparmor/TEMPLATE.lxc
@@ -0,0 +1,15 @@
+#
+# This profile is for the domain whose UUID matches this file.
+#
+
+#include tunables/global
+
+profile LIBVIRT_TEMPLATE {
+  #include abstractions/libvirt-lxc
+
+  # Globally allows everything to run under this profile
+  # These can be narrowed depending on the container's use.
+  file,
+  capability,
+  network,
+}
diff --git a/examples/apparmor/TEMPLATE b/examples/apparmor/TEMPLATE.qemu
similarity index 75%
rename from examples/apparmor/TEMPLATE
rename to examples/apparmor/TEMPLATE.qemu
index 187dec5..008a221 100644
--- a/examples/apparmor/TEMPLATE
+++ b/examples/apparmor/TEMPLATE.qemu
@@ -5,5 +5,5 @@
 #include tunables/global
 
 profile LIBVIRT_TEMPLATE {
-  #include abstractions/libvirt-driver
+  #include abstractions/libvirt-qemu
 }
diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc
index d404328..4bfb503 100644
--- a/examples/apparmor/libvirt-lxc
+++ b/examples/apparmor/libvirt-lxc
@@ -2,16 +2,115 @@
 
   #include abstractions/base
 
-  # Needed for lxc-enter-namespace
-  capability sys_admin,
-  capability sys_chroot,
+  umount,
 
-  # Added for lxc-enter-namespace --cmd /bin/bash
-  /bin/bash PUx,
+  # ignore DENIED message on / remount
+  deny mount options=(ro, remount) - /,
 
-  /usr/sbin/cron PUx,
-  /usr/lib/systemd/systemd PUx,
+  # allow tmpfs mounts everywhere
+  mount fstype=tmpfs,
 
-  /usr/lib/libsystemd-*.so.* mr,
-  /usr/lib/libudev-*.so.* mr,
-  /etc/ld.so.cache mr,
+  # allow mqueue mounts everywhere
+  mount fstype=mqueue,
+
+  # allow fuse mounts everywhere
+  mount fstype=fuse.*,
+
+  # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
+  mount fstype=binfmt_misc - /proc/sys/fs/binfmt_misc/,
+  deny @{PROC}/sys/fs/** wklx,
+
+  # allow efivars to be mounted, writing to it will be blocked though
+  mount fstype=efivarfs - /sys/firmware/efi/efivars/,
+
+  # block some other dangerous paths
+  deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/mem rwklx,
+  deny @{PROC}/kmem rwklx,
+
+  # deny writes in /sys except for /sys/fs/cgroup, also allow
+  # fusectl, securityfs and debugfs to be mounted there (read-only)
+  mount fstype=fusectl - /sys/fs/fuse/connections/,
+  mount fstype=securityfs - /sys/kernel/security/,
+  mount fstype=debugfs - /sys/kernel/debug/,
+  mount fstype=proc - /proc/,
+  mount fstype=sysfs - /sys/,
+  deny /sys/firmware/efi/efivars/** rwklx,
+  deny /sys/kernel/security/** rwklx,
+
+  # generated by: lxc-generate-aa-rules.py container-rules.base
+  deny /proc/sys/[^kn]*{,/**} wklx,
+  deny /proc/sys/k[^e]*{,/**} wklx,
+  deny /proc/sys/ke[^r]*{,/**} wklx,
+  deny /proc/sys/ker[^n]*{,/**} wklx,
+  deny /proc/sys/kern[^e]*{,/**} wklx,
+  deny /proc/sys/kerne[^l]*{,/**} wklx,
+  deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
+  deny /proc/sys/kernel/d[^o]*{,/**} wklx,
+  deny /proc/sys/kernel/do[^m]*{,/**} wklx,
+  deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
+  deny /proc/sys/kernel/doma[^i]*{,/**} 

Re: [libvirt] [PATCHv3] Rework lxc apparmor profile

2014-07-15 Thread Eric Blake
On 07/15/2014 03:02 AM, Cédric Bosdonnat wrote:
 Rework the apparmor lxc profile abstraction to mimic ubuntu's 
 container-default.
 This profile allows quite a lot, but strives to restrict access to
 dangerous resources.
 
 Removing the explicit authorizations to bash, systemd and cron files,
 forces them to keep the lxc profile for all applications inside the
 container. PUx permissions where leading to running systemd (and others
 tasks) unconfined.
 
 Put the generic files, network and capabilities restrictions directly
 in the TEMPLATE.lxc: this way, users can restrict them on a per
 container basis.
 ---
  Diff to v2:
* Fixed missing goto cleanup

Will push shortly, based on the ack given here:
https://www.redhat.com/archives/libvir-list/2014-July/msg00745.html

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list