On Thu, 07 Oct 2021, christian.ehrha...@canonical.com wrote:
> From: Christian Ehrhardt
>
> If running multiple [1] clusters (uncommon) the ceph config file will be
> derived from the cluster name. Therefore the rule to allow to read ceph
> config files need to be opened up slightly to allow for
only adds
additional access. This should be no problem at all on SUSE.
Outside of this rule, the apparmor userspace understands kernel
differences and various rules and any modern SUSE would have a new
enough parser to handle the various rules syntax we use in the current
libvirt
> > --- a/src/security/apparmor/usr.sbin.libvirtd.in
> > +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> > @@ -89,6 +89,7 @@ profile libvirtd @sbindir@/libvirtd
> > flags=(attach_disconnected) {
> >/usr/lib/xen-*/bin/libxl-save-helper PUx,
> >/usr/lib/xen-*/bin/pygrub PUx,
> >/usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
> > + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
> >
> ># Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
> ># read and run an ebtables script.
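Review bot: `/usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,` falls back to running virtiofsd unconfined whenever no profile for it is loaded, and virtiofsd is the helper that serves guest file-system requests, so it is a process worth confining in its own right; consider shipping a profile so the `P` part takes effect, or at least adding a comment on the rule stating that the unconfined fallback is deliberate.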
> > --
> > 2.28.0
> >
>
> --
> Christian Ehrhardt
> Staff Engineer, Ubuntu Server
> Canonical Ltd
>
--
Jamie Strandboge | http://www.canonical.com
urity/apparmor/libvirt-qemu
> @@ -168,6 +168,11 @@
>/usr/{lib,lib64}/qemu/*.so mr,
>/usr/lib/@{multiarch}/qemu/*.so mr,
>
> + # let qemu load old shared objects after upgrades (LP: #1847361)
> + /{var/,}run/qemu/*/*.so mr,
> + # but explicitly deny writing to
unfortunate and unexpected. What kind of probing does
virt-aa-helper do on these?
--
Jamie Strandboge | http://www.canonical.com
**.qcow{,2} r,
/**.qed r,
/**.vmdk r,
/**.vhd r,
/**.[iI][sS][oO] r,
/**/disk{,.*} r,
Why are these not sufficient? What was the denial that triggered the
issue?
--
Jamie Strandboge | http://www.canonical.com
uxv r,
+1 to apply. A code comment that is simply the first sentence of
Stefan's commit message might be a nice touch, but that is not a
blocker.
--
Jamie Strandboge | http://www.canonical.com
+94,8 @@
>/etc/pki/CA/* r,
>/etc/pki/libvirt{,-spice,-vnc}/ r,
>/etc/pki/libvirt{,-spice,-vnc}/** r,
> + /etc/pki/qemu/ r,
> + /etc/pki/qemu/** r,
+1 to apply
--
Jamie Strandboge | http://www.canonical.com
sr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> @@ -86,6 +86,7 @@ profile libvirtd @sbindir@/libvirtd
> flags=(attach_disconnected) {
>/usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
>/usr/{lib,lib64}/xen/bin/* Ux,
>/usr/lib/xen-*/bin/
On Mon, 03 Aug 2020, Christian Ehrhardt wrote:
> From: Jamie Strandboge
>
> Allow qemu to read @{PROC}/sys/vm/overcommit_memory.
> This is read on guest start-up and (as read-only) not a
> critical secret that has to stay hidden.
>
> Signed-off-by: Christian Ehrhardt
e brings in network rules so this is actually a lot of access.
Why is it reaching out to nss? Is it just cause some library happens to
look at /etc/nsswitch.conf and pull in other things or does it actually
need networking? I suspect the former. If my suspicion is true, perhaps
instead:
# vi
--- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -227,3 +227,8 @@
># required for sasl GSSAPI plugin
>/etc/gss/mech.d/ r,
>/etc/gss/mech.d/* r,
> +
> + # required by libpmem init to fts_open()/fts_read() the symlinks in
On Wed, 08 Apr 2020, Jamie Strandboge wrote:
> On Wed, 08 Apr 2020, Christian Ehrhardt wrote:
>
> > With libpmem support compiled into qemu it will trigger the following
> > denials on every startup.
> > apparmor="DENIED" operation="open" name="
u list what files libpmem init is looking at? I'm a bit
uncomfortable with the glob here and would rather not guess that today's
and all future files in /sys/bus/nd/devices are safe for all qemu
processes to read.
--
Jamie Strandboge | http://www.canonical.com
On Wed, 29 Jan 2020, Michal Privoznik wrote:
> On 1/27/20 5:30 PM, Jamie Strandboge wrote:
> > On Sat, 25 Jan 2020, Michal Privoznik wrote:
> >
> > > These helper binaries are installed under libexec dir not lib
> > > dir.
> > >
> > > Sig
gest using this for the previous reasons:
profile virt-aa-helper /usr/{lib,lib64,libexec}/libvirt/virt-aa-helper {
The filename rename is fine though (the filename doesn't have to match
the profile name or binary attachment, so picking what we expect to be
the normal use case is fine).
>#include
>
># needed for searching directories
> @@ -70,5 +70,5 @@ profile virt-aa-helper
> /usr/{lib,lib64}/libvirt/virt-aa-helper {
>/**.[iI][sS][oO] r,
>/**/disk{,.*} r,
>
> - #include
> + #include
> }
> --
> 2.24.1
>
--
Jamie Strandboge | http://www.canonical.com
r,
> @@ -86,6 +87,7 @@
>/usr/share/qemu-kvm/** r,
>/usr/share/qemu/** r,
>/usr/share/seabios/** r,
> + /usr/share/sgabios/** r,
>/usr/share/slof/** r,
>/usr/share/vgabios/** r,
+1 to apply
--
Jamie Strandboge | http://www.canonical.com
ipulating AppArmor directly), and
>an abstraction to be included by
> /etc/apparmor.d/libvirt/TEMPLATE
>(typically /etc/apparmor.d/abstractions/libvirt-qemu).
+1 to apply
--
Jamie Strandboge | http://www.canonical.com
mix,
> - /usr/bin/qemu-ppc64 rmix,
> - /usr/bin/qemu-ppc64abi32 rmix,
> - /usr/bin/qemu-ppc64le rmix,
> - /usr/bin/qemu-s390x rmix,
> - /usr/bin/qemu-sh4 rmix,
> - /usr/bin/qemu-sh4eb rmix,
> - /usr/bin/qemu-sparc rmix,
> - /usr/bin/qemu-sparc32plus rmix,
> - /usr/bin/qemu-sparc64 rmix,
>/usr/bin/qemu-unicore32 rmix,
>/usr/bin/qemu-x86_64 rmix,
># for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
+1 to apply
--
Jamie Strandboge | http://www.canonical.com
ix,
> + /usr/libexec/libvirt_parthelper ix,
> + /usr/libexec/libvirt_iohelper ix,
>/etc/libvirt/hooks/** rmix,
>/etc/xen/scripts/** rmix,
>
> --
> 2.24.1
>
--
Jamie Strandboge | http://www.canonical.com
On Wed, 20 Nov 2019, Cole Robinson wrote:
> On 11/19/19 4:31 PM, Jamie Strandboge wrote:
> > On Thu, 14 Nov 2019, Christian Ehrhardt wrote:
> >
> >> It was mentioned that the pointers in loops like:
> >> for (i = 0; i < ctl->def->nserials; i++)
On Wed, 20 Nov 2019, Christian Ehrhardt wrote:
> On Tue, Nov 19, 2019 at 10:25 PM Jamie Strandboge wrote:
> > On Tue, 22 Oct 2019, Christian Ehrhardt wrote:
> > > +for (i = 0; i < ctl->def->nshmems; i++) {
> > > +if (ctl->def->shmems[i]) {
On Wed, 20 Nov 2019, Christian Ehrhardt wrote:
> On Wed, Nov 20, 2019 at 3:40 PM Christian Ehrhardt
> wrote:
> >
> > On Tue, Nov 19, 2019 at 10:12 PM Jamie Strandboge
> > wrote:
> > >
> > > On Wed, 16 Oct 2019, Christian Ehrhardt wrote:
> > >
buf, " \"%s/{,*}" rk,\n", sc_db);
Is it possible that the certificates might be in a lower directory? Ie,
is '**' warranted?
> > + case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
> > +break;
> > +case VIR_DOM
gt;fss[i]->fsdriver ==
> VIR_DOMAIN_FS_DRIVER_TYPE_PATH ||
> ctl->def->fss[i]->fsdriver ==
> VIR_DOMAIN_FS_DRIVER_TYPE_DEFAULT) &&
> ctl->def->fss[i]->src) {
> @@ -1166,16 +1160,14 @@ get_files(vahControl * ctl)
>
_IVSHMEM:
> + /* until exposed, recreate
> qemuDomainPrepareShmemChardev */
> +if (virAsprintf(&mem_path,
> "/var/lib/libvirt/shmem-%s-sock",
> +shmem->name) < 0)
> + g
that making this
change will result in scenarios where the rule is (correctly) added, but
previous rules are not removed.
Can you comment on if this is working correctly? Is it possible to have
tests that demonstrate everything is working as intended?
--
Jamie Strandboge | http://w
rn -1;
> }
> -rc = 0;
>
> - cleanup:
> -VIR_FREE(profile_name);
> -
> -return rc;
> +return reload_profile(mgr, def, src->path, false);
The logic of the refactor looks fine, but note by calling
reload_profile() here, it will call virDomainDefGetSecuri
> -
> -rc = 0;
> - cleanup:
> -VIR_FREE(profile_name);
> -
> -return rc;
> +return 0;
> }
>
> static int
LGTM. I don't recall why this was there initially but guessing it was
obviated by a refactor at some point (perhaps before I initially
submitted).
--
Jamie Strandboge | http://www.canonical.com
signature.asc
Description: PGP signature
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
-u | --uuid uuid (profile name)\n"
> +"-h | --helpthis help\n"
> +" Extra File:\n"
> +"-f | --add-file add file to a profile
> generated from XML\n"
ot; \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" a,\n",
> +" \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" w,\n",
> LOCALSTATEDIR, ctl->def->name);
> virBufferAsprintf(&buf,
> " \"%s/libvirt/qemu/
self/fd/ is redundant with
the next rule.
> + @{PROC}/@{pid}/fd/ r,
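Review bot: `@{PROC}/@{pid}/fd/ r,` matches the fd directory of every process, not only the caller's own; if the need is just to enumerate its own descriptors, `owner @{PROC}/@{pid}/fd/ r,` keeps the grant to same-uid processes and still covers /proc/self/fd/, because AppArmor matches the resolved pid path rather than the `self` symlink.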
This access LGTM. +1 to apply.
--
Jamie Strandboge | http://www.canonical.com
.lib.libvirt.virt-aa-helper
> +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
> @@ -63,6 +63,7 @@ profile virt-aa-helper
> /usr/{lib,lib64}/libvirt/virt-aa-helper {
>/**.qcow{,2} r,
>/**.qed r,
>/**.vmdk r,
> + /**.vhd r,
This looks fine. +1 to apply.
end, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
>
># for gathering information about available host resources
+1 to apply. Thanks for chasing this down.
--
Jamie Strandboge | http://www.canonical.com
On Wed, 20 Mar 2019, Christian Ehrhardt wrote:
> On Wed, Mar 20, 2019 at 8:45 AM Christian Ehrhardt
> wrote:
> >
> > On Mon, Mar 4, 2019 at 11:42 AM Christian Ehrhardt
> > wrote:
> > >
> > > On Fri, Mar 1, 2019 at 5:56 PM Jamie Strandboge
rc = -1;
> +if (rc < 0) {
> +rc = profile_status("libvirtd", 1);
> +/* Error or unconfined should all result in -1*/
> +if (rc < 0)
> +rc = -1;
> +}
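Review bot: in the fallback `if (rc < 0) { rc = profile_status("libvirtd", 1); ... }` the comment says that an error and an unconfined libvirtd both end up as -1, so a caller cannot tell a broken AppArmor setup from a daemon that is simply unconfined; consider logging the original `rc` before collapsing it, otherwise the branch is fine.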
LGTM. +1 to apply. Thanks!
--
Jamie Strandboge |
t(&buf, " \"/dev/dri/\" r,\n");
> -virBufferAddLit(&buf, "
> \"/sys/devices/*/*/{uevent,vendor,device,subsystem_vendor,subsystem_device}\"
> r,\n");
> -virBufferAddLit(&buf, "
> \"/sys/devices/*/*/drm/
_platform.d/*\" r,\n");
> +virBufferAddLit(&buf, " \"/proc/modules\" r,\n");
> + virBufferAddLit(&buf, " \"/proc/driver/nvidia/params\" r,\n");
> +virBufferAddLit(&buf, " \"/dev/nvidiactl\&quo
eam,
>
> + ptrace (readby, tracedby) peer=libvirtd,
>ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
>
> + signal (receive) peer=libvirtd,
>signal (receive) peer=/usr/sbin/libvirtd,
>
>/dev/net/tun rw,
+1 to commit
--
Jamie Strandboge | http:
d configuration*. Conditionally adding the
access would provide benefit when 'user = "root"' is set in qemu.conf or the
device itself has different permissions that allow the access (eg, 660
root:kvm).
I maintain a preference for updating the profile on hotplug events. I'm
iarch}/dri/*.so*\" mr,\n");
virBufferAddLit(&buf, " \"/usr/lib/fglrx/dri/*.so*\" mr,\n");
This is slightly futureproofed with the trailing '*'. On my system, the '**'
wasn't needed, but if you observe systems where it is, feel free to kee
On Mon, 18 Feb 2019, Christian Ehrhardt wrote:
>
> + # for gl enabled graphics
> + /dev/dri/{,*} r,
> +
+1 to include
--
Jamie Strandboge | http://www.canonical.com
ng to prevent it since
VMs run as non-root and /var/lib/libvirt is 755. Perhaps get rid of owner and
make this an explicit denial rule to silence the denial (with a code comment)?
> +virBufferAddLit(&buf, " # Probe DRI device attributes\n");
> +virBufferAddLit(&buf, " \"/dev/dri/\" r,\n");
> +virBufferAddLit(&buf, "
> \"/sys/devices/*/*/{uevent,vendor,device,subsystem_vendor,subsystem_device}\"
> r,\n");
> +virBufferAddLit(&buf, "
> \"/sys/devices/*/*/drm/*/{uevent,vendor,device,subsystem_vendor,subsystem_device}\"
> r,\n");
These are fine.
--
Jamie Strandboge | http://www.canonical.com
apparmor/usr.lib.libvirt.virt-aa-helper
> @@ -19,6 +19,9 @@ profile virt-aa-helper
> /usr/{lib,lib64}/libvirt/virt-aa-helper {
>
>/etc/libnl-3/classid r,
>
> + # for gl enabled graphics
> + /dev/dri/{,*} r,
> +
This looks fine.
--
Jamie Strandboge |
.*rw,$"
>
> +sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e
> "s,, rendernode='/dev/dri/testegl1'/>,g" "$template_xml" >
> "$test_xml"
> +testme "0" "dri egl" "
er=/usr/sbin/libvirtd,
> + signal (receive) set=("term") peer=libvirtd,
>
> /dev/net/tun rw,
> /etc/qemu/** r,
This also LGTM. It'd be nice if there was a mechanism to specify the parent
profile like we can the current profile, but we can't now a
er=/usr/sbin/dnsmasq,
>ptrace (read,trace) peer=libvirt-*,
>
> + signal (send) peer=dnsmasq,
>signal (send) peer=/usr/sbin/dnsmasq,
>signal (read, send) peer=libvirt-*,
>signal (send) set=("kill", "term") peer=unconfined,
This LGTM.
--
Jamie
, receive) type=stream addr=none peer=(label=unconfined
> addr=none),
>
> - ptrace (trace) peer=unconfined,
> - ptrace (trace) peer=/usr/sbin/libvirtd,
> - ptrace (trace) peer=/usr/sbin/dnsmasq,
> - ptrace (trace) peer=libvirt-*,
> + ptrace (read,trace) pe
n/libvirt/qemu/*{/,} ->
> /dev/**,
+1 for the rules. Please change '{var/,}' to '{,var/}' and '{/,}' to
'{,/}' since, while equivalent, the latter is a more widely used rule
style (I recognize that the previous rules used '{var/,}').
--
Jamie Strandboge | http://www.canonical.com
expressed in libvirt XML it should be added on demand
> via
> + # virt-aa-helper instead.
> + owner /tmp/qemu-smb.*/{,**} rw,
>
># for file-posix getting limits since 9103f1ce
>/sys/devices/**/block/*/queue/max_segments r,
--
Jamie Strandboge | http://www.canonical.com
want more unique paths per rule.
> + /{,var/}tmp/ r,
> + owner /{,var/}tmp/**/ r,
> +
># for file-posix getting limits since 9103f1ce
>/sys/devices/**/block/*/queue/max_segments r,
Thanks for the changes! The comments seem longer than 80 characters,
but +1 to commit as is.
--
Ja
ev to qemu namespaces
> + mount options=(rw, move) /dev/ -> /{var/,}run/libvirt/qemu/*.dev/,
> + mount options=(rw, move) /dev/**{/,} ->
> /{var/,}run/libvirt/qemu/*{/,},
What are you trying to convey with this rule? As written, the '{/,}' is
redundant since '**
t
is designed in such a way that this doesn't matter.
I'd much rather not call this 'sort of safe' but instead call out the
problem, justify why the rule should be there and perhaps add a TODO
that once smb is supported in domain xml that this rule will be added
conditionally.
hanges:
> - 3b1d19e6 AppArmor: add rules needed with additional mediation
> features
> - b482925c apparmor: support ptrace checks
>
> Signed-off-by: Christian Ehrhardt
> Acked-by: Jamie Strandboge
> Acked-by: intrigeri
> ---
> examples/apparmor/usr.sbin.libvirtd | 3 ++
ithout security module
> + unix (send, receive) type=stream addr=none
> peer=(label=unconfined),
Makes sense. This libvirtd policy is meant to be super restrictive, so
+1 to apply.
--
Jamie Strandboge | http://www.canonical.com
emu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -193,6 +193,9 @@
>deny /dev/shm/lttng-ust-wait-* r,
>deny /run/shm/lttng-ust-wait-* r,
>
> + # for vfio hotplug on systems without static vfio (LP: #1775777)
> + /dev/vfio/vfio rw,
> +
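Review bot: the comment gives hotplug as the reason, but `/dev/vfio/vfio rw,` in the shared libvirt-qemu abstraction is granted to every confined guest whether or not the domain has a vfio hostdev; since libvirt can add vm-specific rules dynamically through virt-aa-helper, consider emitting this rule only for domains that get such a device, or extend the comment to say why that is not feasible at hotplug time.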
Makes sense. If the guest doesn&
ate_xml" > "$test_xml"
> mkfifo "$tmpdir/parallel.pipe.in" "$tmpdir/parallel.pipe.out"
> -testme "0" "parallel (pipe)" "-r -u $valid_uuid" "$test_xml"
> +testme "0" "parallel (pipe)" "-r
sk1,g" -e
> "s,, path='$tmpdir/parallel.pipe'/> port='0'/>,g" "$template_xml" > "$test_xml"
> mkfifo "$tmpdir/parallel.pipe.in" "$tmpdir/parallel.pipe.out"
> -testme "0" "parallel (pipe)"
;/tmp/nvdimm-base" rw,
>
> Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1757085
>
> Acked-by: Jamie Strandboge
> Signed-off-by: Christian Ehrhardt
> ---
> src/security/virt-aa-helper.c | 8
> tests/virt-aa-helper-test | 3 +++
> 2 fi
t_xml
> sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e
> "s,, socket='/var/lib/libvirt/qemu/myself.vnc'> address='0.0.0.0'/>,g" "$template_xml" > "$test_xml"
> testme "0" "vnc socke
tLabel,
> + .domainRestoreSecurityInputLabel= AppArmorRestoreInputLabel,
> +
> .domainSetSecurityDaemonSocketLabel =
> AppArmorSetSecurityDaemonSocketLabel,
> .domainSetSecuritySocketLabel =
> AppArmorSetSecuritySocketLabel,
> .domainClearSecuritySocketLabel =
> AppArmorClearSecuritySocketLabel,
+1 to apply
--
Jamie Strandboge | http://www.canonical.com
river = {
> .domainSetSecurityImageLabel=
> AppArmorSetSecurityImageLabel,
> .domainRestoreSecurityImageLabel=
> AppArmorRestoreSecurityImageLabel,
>
> +.domainSetSecurityMemoryLabel = AppArmorSetMemoryLabel,
> +.domainRestoreSecurityMemoryLabel =
>
sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e
> "s,, evdev='$disk2' />,g" "$template_xml" > "$test_xml"
> testme "0" "input dev passthrough" "-r -u $valid_uuid" "$test_xml"
s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e
> "s,, socket='/var/lib/libvirt/qemu/myself.vnc'> address='0.0.0.0'/>,g" "$template_xml" > "$test_xml"
> testme "0" "vnc socket" "-r -u $valid_uui
@@ virSecurityDriver virAppArmorSecurityDriver = {
> .domainSetSecurityMemoryLabel = AppArmorSetMemoryLabel,
> .domainRestoreSecurityMemoryLabel =
> AppArmorRestoreMemoryLabel,
>
> +.domainSetSecurityInputLabel= AppArmorSetInputLabel,
> + .domainRestoreSecurityInputL
emoryLabel = AppArmorSetMemoryLabel,
> + .domainRestoreSecurityMemoryLabel =
> AppArmorRestoreMemoryLabel,
> +
> .domainSetSecurityDaemonSocketLabel =
> AppArmorSetSecurityDaemonSocketLabel,
> .domainSetSecuritySocketLabel =
> AppArmorSetSecuritySocketLabel,
> .domainClearSecuritySocketLabel =
> AppArmorClearSecuritySocketLabel,
--
Jamie Strandboge | http://www.canonical.com
t;mems[i]->nvdimmPath,
> "rw") != 0)
> +goto cleanup;
> +}
> + }
> +
> if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
> for (i = 0; i < ctl->def->nnets; i++) {
> virDomainNetDefPtr net = ctl->def->
ot;) != 0)
> +goto cleanup;
> +}
> +}
> +
> for (i = 0; i < ctl->def->nnets; i++) {
> if (ctl->def->nets[i] &&
> ctl->def->nets[i]->type ==
> VIR_DOMAIN_NET_TYPE_VHOSTUSER &&
Adding test cases for this would be good.
--
Jamie Strandboge | http://www.canonical.com
.domainRestoreSecurityInputLabel= AppArmorRestoreInputLabel,
> +
> .domainSetSecurityDaemonSocketLabel =
> AppArmorSetSecurityDaemonSocketLabel,
> .domainSetSecuritySocketLabel =
> AppArmorSetSecuritySocketLabel,
> .domainClearSecuritySocketLabel =
-1115,6 +1162,9 @@ virSecurityDriver virAppArmorSecurityDriver = {
> .domainSetSecurityImageLabel=
> AppArmorSetSecurityImageLabel,
> .domainRestoreSecurityImageLabel=
> AppArmorRestoreSecurityImageLabel,
>
> +.domainSetSecurityMemoryLabel = AppArmorSetMemoryLabel,
>
+ # required for sasl GSSAPI plugin
> + /etc/gss/mech.d/ r,
> + /etc/gss/mech.d/* r,
LGTM. +1
Thanks!
--
Jamie Strandboge | http://www.canonical.com
(read, send) peer=libvirt-*,
> > - signal (send) set=("kill") peer=unconfined,
> > + signal (send) set=("kill", "term") peer=unconfined,
>
LGTM too. +1 to apply.
--
Jamie Strandboge | http://www.canonical.com
armor/usr.lib.libvirt.virt-aa-helper
> @@ -51,7 +51,7 @@ profile virt-aa-helper
> /usr/{lib,lib64}/libvirt/virt-aa-helper {
>/var/lib/libvirt/images/** r,
>/{media,mnt,opt,srv}/** r,
># For virt-sandbox
> - /run/libvirt/**/[sv]d[a-z] r
> + /{,var/}run/libvirt/**/[sv]d[a-
} r,
>/**.qed r,
>/**.vmdk r,
These profile changes LGTM. +1 to apply them. Like intrigeri, I'll let
someone else ACK the build system changes.
--
Jamie Strandboge | http://www.canonical.com
On Wed, 2017-12-20 at 14:43 +0100, Christian Ehrhardt wrote:
> On Tue, Dec 19, 2017 at 5:21 PM, Jamie Strandboge wrote:
> > On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote:
> > > From: Serge Hallyn
> > >
> > > Allows owner access to hugep
P: #901272)
> - /etc/pki/CA/ r,
> - /etc/pki/CA/* r,
> - /etc/pki/libvirt/ r,
> - /etc/pki/libvirt/** r,
> -
> # for save and resume
>/{usr/,}bin/dash rmix,
>/{usr/,}bin/dd rmix,
+1 to apply. Thanks for the patch and intrigeri for the feedback.
--
Jamie S
On Wed, 2017-12-20 at 11:56 +0100, Christian Ehrhardt wrote:
> From: Jamie Strandboge
>
> Required to generate correct profiles when using usb passthrough.
>
> Bug-Ubuntu: https://bugs.launchpad.net/bugs/565691
>
> Signed-off-by: Stefan Bader
> Signed-off-by: Christ
On Wed, 2017-12-20 at 08:41 +0100, Christian Ehrhardt wrote:
> From: Jamie Strandboge
>
> Allows (multi-arch enabled) access to libraries under the
> /usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu
> qemu-block-extra package and all such libs for the paths
>
On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote:
> From: Jamie Strandboge
>
> Bug-Ubuntu: https://bugs.launchpad.net/bugs/591769
>
> Signed-off-by: Stefan Bader
> ---
> examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4
> 1 file changed, 4 inserti
On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote:
> From: Jamie Strandboge
>
> Required to generate correct profiles when using usb passthrough.
>
> Bug-Ubuntu: https://bugs.launchpad.net/bugs/565691
>
> Signed-off-by: Stefan Bader
> ---
> examples/appar
On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote:
> From: Jamie Strandboge
>
> This is required for the ebtables functionality added in
> libvirt 0.8.0.
>
> Signed-off-by: Stefan Bader
> ---
> examples/apparmor/usr.sbin.libvirtd | 4
> 1 file changed
/usr/bin/qemu-mipsel rmix,
>/usr/bin/qemu-mipsn32 rmix,
>/usr/bin/qemu-mipsn32el rmix,
> - /usr/bin/qemu-nbd rmix,
>/usr/bin/qemu-or32 rmix,
>/usr/bin/qemu-ppc rmix,
> /usr/bin/qemu-ppc64 rmix,
Nice catch. +1 to apply.
--
Jamie Strandboge | http:/
curity_manager.c, is it possible that these rules can be removed and
vm-specific ones added dynamically with virt-aa-helper?
--
Jamie Strandboge | http://www.canonical.com
212,6 @@
># silence refusals to open lttng files (see LP: #1432644)
>deny /dev/shm/lttng-ust-wait-* r,
>deny /run/shm/lttng-ust-wait-* r,
> +
> + # for vfio (LP: #1678322)
> + /dev/vfio/vfio rw,
Why not just also add this rule iff there is a vfio-specific device
rule? Ie
irt-spice (LP: #1690140)
> + /etc/pki/libvirt-spice/ r,
> + /etc/pki/libvirt-spice/** r,
> +
+1 to apply
--
Jamie Strandboge | http://www.canonical.com
On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote:
> From: Jamie Strandboge
>
> Allows (multi-arch enabled) access to libraries under the
> /usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu
> qemu-block-extra package.
>
> Bug-Ubuntu: https://bugs.launc
/dev/shm/lttng-ust-wait-* r,
> + deny /run/shm/lttng-ust-wait-* r,
+1 to apply. These are noisy and not needed by typical guests.
--
Jamie Strandboge | http://www.canonical.com
>/sys/devices/system/node/node[0-9]*/meminfo r,
>/sys/devices/system/cpu/ r,
>
> + /sys/module/vhost/parameters/max_mem_regions r,
> +
+1 to apply
--
Jamie Strandboge | http://www.canonical.com
On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote:
> From: Jamie Strandboge
>
> Newer qemu wants to read
> /sys/devices/system/node/
> /sys/devices/system/cpu/
> /sys/devices/system/node/node[0-9]*/meminfo
>
> Signed-off-by: Stefan Bader
> ---
> exam
rtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -53,6 +53,9 @@
>network packet dgram,
>network packet raw,
>
> + # for --p2p migrations
> + unix (send, receive) type=stream addr=none peer=(label=unconfined
> addr=none),
> +
This rule is fine, but for complete
share/seabios/** r,
> + /usr/share/misc/sgabios.bin r,
>/usr/share/ovmf/** r,
>/usr/share/OVMF/** r,
>/usr/share/AAVMF/** r,
+1 to apply
--
Jamie Strandboge | http://www.canonical.com
first focus
> on confining
># the guests. Guests will have a very restricted profile.
>/ r,
These rules are unfortunate, but it is important to note that this is
in the libvirtd profile, not the guest profiles. As mentioned in the
contextual diff, the profile is intentionally very
On Mon, 2017-12-04 at 12:03 +0100, Michal Privoznik wrote:
> On 12/01/2017 02:26 PM, Jamie Strandboge wrote:
> > On Thu, 2017-11-30 at 10:43 -0700, Jim Fehlig wrote:
> > > Noticed the following denial in audit.log when shutting down
> > > an apparmor confined domain
>
r,
> + @{PROC}/@{pid}/cmdline r,
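Review bot: `@{PROC}/@{pid}/cmdline r,` allows reading the command line of every process on the host; if only the calling process's own cmdline is needed, `owner @{PROC}/@{pid}/cmdline r,` narrows the grant to same-uid processes (a `self/cmdline` rule would not help, since AppArmor matches the resolved pid path).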
Note this is an information leak and allows reading potentially
sensitive information, such as passwords given on the command line. Eg:
$ cat /proc/13335/cmdline | tr '\0' ' '
sh /tmp/testme --password=sensitive
Would it be po
ount options=(rw, move) /{var/,}run/libvirt/qemu/*.mqueue/->
> /dev/mqueue/,
> + mount options=(rw, move) /{var/,}run/libvirt/qemu/*.pts/ ->
> /dev/pts/,
> + mount options=(rw, move) /{var/,}run/libvirt/qemu/*.shm/ ->
> /dev/shm/,
>
These all look fine. I s
ptrace (trace) peer=/usr/sbin/dnsmasq,
>ptrace (trace) peer=libvirt-*,
>
> + signal (send) peer=/usr/sbin/dnsmasq,
> + signal (read, send) peer=libvirt-*,
> +
LGTM, thanks!
--
Jamie Strandboge | http://www.canonical.com
> @@ -10,6 +10,7 @@ profile virt-aa-helper
> /usr/{lib,lib64}/libvirt/virt-aa-helper {
>
># needed for when disk is on a network filesystem
>network inet,
> + network inet6,
>
>deny @{PROC}/[0-9]*/mounts r,
> @{PROC}/[0-9]*/net/psched r,
LGTM. Th
b/examples/apparmor/libvirt-qemu
> @@ -169,6 +169,9 @@
># for rbd
>/etc/ceph/ceph.conf r,
>
> + # for file-posix getting limits since 9103f1ce
> + /sys/devices/**/block/*/queue/max_segments r,
> +
># for ppc device-tree access
>@{PROC}/device-tree/ r,
-e "s,, type='pflash'>$fwpath,g" "$template_xml" > "$test_xml"
> testme "0" "$title" "-r -u $valid_uuid" "$test_xml"
> else
> - echo "Skipping FW $title test. Could not find $fw
c with invalid domain name char ?" "-c -u $valid_uuid"
> "$test_xml"
> +sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,virt-
> aa-helper-test,virt-aa-helper-test-^,g" "$template_xml" > "$te