Re: [PATCH] apparmor: ceph config file names

2021-10-13 Thread Jamie Strandboge
On Thu, 07 Oct 2021, christian.ehrha...@canonical.com wrote: > From: Christian Ehrhardt > > If running multiple [1] clusters (uncommon) the ceph config file will be > derived from the cluster name. Therefore the rule to allow to read ceph > config files need to be opened up slightly to allow for

Re: [PATCH] apparmor: allow kvm-spice compat wrapper

2020-11-18 Thread Jamie Strandboge
only adds additional access. This should be no problem at all on SUSE. Outside of this rule, the apparmor userspace understands kernel differences and various rules and any modern SUSE would have a new enough parser to handle the various rules syntax we use in the current libvirt

Re: [PATCH v2] apparmor: allow libvirtd to call virtiofsd

2020-08-26 Thread Jamie Strandboge
644 > > --- a/src/security/apparmor/usr.sbin.libvirtd.in > > +++ b/src/security/apparmor/usr.sbin.libvirtd.in > > @@ -89,6 +89,7 @@ profile libvirtd @sbindir@/libvirtd > > flags=(attach_disconnected) { > >/usr/lib/xen-*/bin/libxl-save-helper PUx, > >/usr/lib/xen-*/bin/pygrub PUx, > >/usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, > > + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx, > > > ># Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to > ># read and run an ebtables script. > > -- > > 2.28.0 > > > > -- > Christian Ehrhardt > Staff Engineer, Ubuntu Server > Canonical Ltd > -- Jamie Strandboge | http://www.canonical.com
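Review bot: `/usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,` transitions to a discrete virtiofsd profile if one is loaded and otherwise runs the helper unconfined (that is the `U` fallback; the `P` only scrubs the environment). Since virtiofsd is the process that services file-system requests originating from the guest, the hunk should state whether a virtiofsd profile is expected to ship alongside this rule or whether unconfined is the accepted outcome; the vhost-user-gpu line directly above has the same fallback, so a shared comment covering both would do.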

Re: [PATCH 8/8] apparmor: let qemu load old shared objects after upgrades

2020-08-03 Thread Jamie Strandboge
urity/apparmor/libvirt-qemu > @@ -168,6 +168,11 @@ >/usr/{lib,lib64}/qemu/*.so mr, >/usr/lib/@{multiarch}/qemu/*.so mr, > > + # let qemu load old shared objects after upgrades (LP: #1847361) > + /{var/,}run/qemu/*/*.so mr, > + # but explicitly deny writing to

Re: [PATCH 7/8] apparmor: allow virt-aa-helper to read openvswitch sockets

2020-08-03 Thread Jamie Strandboge
unfortunate and unexpected. What kind of probing does virt-aa-helper do on these? -- Jamie Strandboge | http://www.canonical.com

Re: [PATCH 6/8] apparmor: allow virt-aa-helper to read from tmp

2020-08-03 Thread Jamie Strandboge
**.qcow{,2} r, /**.qed r, /**.vmdk r, /**.vhd r, /**.[iI][sS][oO] r, /**/disk{,.*} r, Why are these not sufficient? What was the denial that triggered the issue? -- Jamie Strandboge | http://www.canonical.com

Re: [PATCH 5/8] apparmor: qemu access to @{PROC}/*/auxv for hw_cap

2020-08-03 Thread Jamie Strandboge
uxv r, +1 to apply. A code comment that is simply the first sentence of Stefan's commit message might be a nice touch, but that is not a blocker. -- Jamie Strandboge | http://www.canonical.com

Re: [PATCH 1/8] apparmor: allow default pki path

2020-08-03 Thread Jamie Strandboge
+94,8 @@ >/etc/pki/CA/* r, >/etc/pki/libvirt{,-spice,-vnc}/ r, >/etc/pki/libvirt{,-spice,-vnc}/** r, > + /etc/pki/qemu/ r, > + /etc/pki/qemu/** r, +1 to apply -- Jamie Strandboge | http://www.canonical.com

Re: [PATCH 2/8] apparmor: allow libvirtd to call pygrub

2020-08-03 Thread Jamie Strandboge
sr.sbin.libvirtd.in > +++ b/src/security/apparmor/usr.sbin.libvirtd.in > @@ -86,6 +86,7 @@ profile libvirtd @sbindir@/libvirtd > flags=(attach_disconnected) { >/usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, >/usr/{lib,lib64}/xen/bin/* Ux, >/usr/lib/xen-*/bin/

Re: [PATCH 4/8] apparmor: read only access to overcommit_memory

2020-08-03 Thread Jamie Strandboge
On Mon, 03 Aug 2020, Christian Ehrhardt wrote: > From: Jamie Strandboge > > Allow qemu to read @{PROC}/sys/vm/overcommit_memory. > This is read on guest start-up and (as read-only) not a > critical secret that has to stay hidden. > > Signed-off-by: Christian Ehrhardt &g

Re: [PATCH 3/8] apparmor: allow virt-aa-helper nameservices

2020-08-03 Thread Jamie Strandboge
e brings in network rules so this is actually a lot of access. Why is it reaching out to nss? Is it just cause some library happens to look at /etc/nsswitch.conf and pull in other things or does it actually need networking? I suspect the former. If my suspicion is true, perhaps instead: # vi

Re: [PATCH v2] apparmor: avoid denials on libpmem initialization

2020-04-09 Thread Jamie Strandboge
--- a/src/security/apparmor/libvirt-qemu > +++ b/src/security/apparmor/libvirt-qemu > @@ -227,3 +227,8 @@ ># required for sasl GSSAPI plugin >/etc/gss/mech.d/ r, >/etc/gss/mech.d/* r, > + > + # required by libpmem init to fts_open()/fts_read() the symlinks in &

Re: [PATCH] apparmor: avoid denials on libpmem initialization

2020-04-08 Thread Jamie Strandboge
On Wed, 08 Apr 2020, Jamie Strandboge wrote: > On Wed, 08 Apr 2020, Christian Ehrhardt wrote: > > > With libpmem support compiled into qemu it will trigger the following > > denials on every startup. > > apparmor="DENIED" operation="open" name="

Re: [PATCH] apparmor: avoid denials on libpmem initialization

2020-04-08 Thread Jamie Strandboge
u list what files libpmem init is looking at? I'm a bit uncomfortable with the glob here and would rather not guess that today's and all future files in /sys/bus/nd/devices are safe for all qemu processes to read. -- Jamie Strandboge | http://www.canonical.com
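
The reviewer's request above, and the `apparmor="DENIED" operation="open" name="..."` line quoted in the follow-up below, are about the same thing: before accepting a glob over `/sys/bus/nd/devices`, list the exact paths the library touches. As an added example (not libvirt's or AppArmor's own code; `aa-logprof` is the real tool), the following turns AppArmor audit records into one exact candidate rule per denied path, merging masks for repeated denials and proposing `owner` only when every denial on that path was on a file owned by the process fsuid. The audit lines are constructed samples with a placeholder profile UUID, pid and paths, not a capture.

```python
"""Collect exact candidate rules from AppArmor DENIED audit records.

Added example; not libvirt or AppArmor project code (aa-logprof is the real
tool).  It does what the review asks for before accepting a glob: list the
exact paths a component touched.  Masks for one path are merged, and 'owner'
is proposed only when every denial on that path was for a file owned by the
process fsuid.  The audit lines are constructed samples with placeholder
profile names and paths, not a capture.
"""
import re
from collections import defaultdict

# key="quoted value"  or  key=bareword
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Conventional letter order when writing merged file permissions.
MASK_ORDER = "rwalkmix"


def parse_denial(line):
    """Return the record's fields as a dict, or None if it is not a DENIED record."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in FIELD_RE.finditer(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def merge_mask(masks):
    """Union of permission letters, ordered as profiles conventionally write them."""
    letters = set("".join(masks))
    ordered = [c for c in MASK_ORDER if c in letters]
    return "".join(ordered + sorted(letters - set(MASK_ORDER)))


def suggest_rules(log_lines):
    """Map profile name -> list of exact file rules covering every denied path."""
    seen = defaultdict(lambda: defaultdict(list))  # profile -> path -> [(mask, same_owner)]
    for line in log_lines:
        d = parse_denial(line)
        if d is None or "name" not in d:
            continue  # ALLOWED/complain records, or non-file denials (capability, signal, ...)
        mask = d.get("denied_mask") or d.get("requested_mask", "")
        same_owner = "fsuid" in d and d["fsuid"] == d.get("ouid")
        seen[d["profile"]][d["name"]].append((mask, same_owner))

    rules = {}
    for profile, paths in seen.items():
        rules[profile] = []
        for name in sorted(paths):
            masks = [m for m, _ in paths[name]]
            owner = all(o for _, o in paths[name])
            rules[profile].append("%s%s %s," % ("owner " if owner else "", name, merge_mask(masks)))
    return rules


# Constructed audit records (placeholder UUID, pid and paths).
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1586347200.101:201): apparmor="DENIED" operation="open" '
    'profile="libvirt-00000000-0000-0000-0000-000000000001" name="/sys/bus/nd/devices/" '
    'pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'type=AVC msg=audit(1586347200.102:202): apparmor="DENIED" operation="open" '
    'profile="libvirt-00000000-0000-0000-0000-000000000001" name="/sys/bus/nd/devices/region0/" '
    'pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'type=AVC msg=audit(1586347200.103:203): apparmor="DENIED" operation="open" '
    'profile="libvirt-00000000-0000-0000-0000-000000000001" name="/var/lib/libvirt/qemu/nvram/guest_VARS.fd" '
    'pid=4242 comm="qemu-system-x86" requested_mask="wr" denied_mask="w" fsuid=64055 ouid=64055',
    'type=AVC msg=audit(1586347200.104:204): apparmor="DENIED" operation="open" '
    'profile="libvirt-00000000-0000-0000-0000-000000000001" name="/var/lib/libvirt/qemu/nvram/guest_VARS.fd" '
    'pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055',
    # complain-mode record: not a denial, must be ignored
    'type=AVC msg=audit(1586347200.105:205): apparmor="ALLOWED" operation="open" '
    'profile="libvirt-00000000-0000-0000-0000-000000000001" name="/etc/gss/mech.d/" '
    'pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    # capability denial: no name= field, so no file rule is derived
    'type=AVC msg=audit(1586347200.106:206): apparmor="DENIED" operation="capable" '
    'profile="libvirt-00000000-0000-0000-0000-000000000001" pid=4242 comm="qemu-system-x86" '
    'capability=21 capname="sys_admin"',
]

if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_AUDIT).items():
        print("# candidate rules for", profile)
        for rule in lines:
            print("  " + rule)
```

The output is deliberately one exact path per rule; deciding whether `/sys/bus/nd/devices/` and `/sys/bus/nd/devices/region0/` should collapse into a glob is the judgement call the review defers until the full list is known, and it is easier to make with the list in front of you.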

Re: [PATCH 1/6] apparmor: Fix parthelper, iohelper and virt-aa-helper paths in profiles

2020-01-29 Thread Jamie Strandboge
On Wed, 29 Jan 2020, Michal Privoznik wrote: > On 1/27/20 5:30 PM, Jamie Strandboge wrote: > > On Sat, 25 Jan 2020, Michal Privoznik wrote: > > > > > These helper binaries are installed under libexec dir not lib > > > dir. > > > > > > Sig

Re: [PATCH 4/6] apparmor: Rename virt-aa-helper profile

2020-01-27 Thread Jamie Strandboge
gest using this for the previous reasons: profile virt-aa-helper /usr/{lib,lib64,libexec}/libvirt/virt-aa-helper { The filename rename is fine though (the filename doesn't have to match the profile name or binary attachment, so picking what we expect to be the normal use case is fine). >#include > ># needed for searching directories > @@ -70,5 +70,5 @@ profile virt-aa-helper > /usr/{lib,lib64}/libvirt/virt-aa-helper { >/**.[iI][sS][oO] r, >/**/disk{,.*} r, > > - #include > + #include > } > -- > 2.24.1 > -- Jamie Strandboge | http://www.canonical.com

Re: [PATCH 6/6] apparmor: Allow some more BIOS/UEFI paths

2020-01-27 Thread Jamie Strandboge
r, > @@ -86,6 +87,7 @@ >/usr/share/qemu-kvm/** r, >/usr/share/qemu/** r, >/usr/share/seabios/** r, > + /usr/share/sgabios/** r, >/usr/share/slof/** r, >/usr/share/vgabios/** r, +1 to apply -- Jamie Strandboge | http://www.canonical.com

Re: [PATCH 3/6] docs: Fix virt-aa-helper location

2020-01-27 Thread Jamie Strandboge
ipulating AppArmor directly), and >an abstraction to be included by > /etc/apparmor.d/libvirt/TEMPLATE >(typically /etc/apparmor.d/abstractions/libvirt-qemu). +1 to apply -- Jamie Strandboge | http://www.canonical.com

Re: [PATCH 5/6] apparmor: Sort paths in blocks in libvirt-qemu profile

2020-01-27 Thread Jamie Strandboge
mix, > - /usr/bin/qemu-ppc64 rmix, > - /usr/bin/qemu-ppc64abi32 rmix, > - /usr/bin/qemu-ppc64le rmix, > - /usr/bin/qemu-s390x rmix, > - /usr/bin/qemu-sh4 rmix, > - /usr/bin/qemu-sh4eb rmix, > - /usr/bin/qemu-sparc rmix, > - /usr/bin/qemu-sparc32plus rmix, > - /usr/bin/qemu-sparc64 rmix, >/usr/bin/qemu-unicore32 rmix, >/usr/bin/qemu-x86_64 rmix, ># for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761) +1 to apply -- Jamie Strandboge | http://www.canonical.com

Re: [PATCH 1/6] apparmor: Fix parthelper, iohelper and virt-aa-helper paths in profiles

2020-01-27 Thread Jamie Strandboge
ix, > + /usr/libexec/libvirt_parthelper ix, > + /usr/libexec/libvirt_iohelper ix, >/etc/libvirt/hooks/** rmix, >/etc/xen/scripts/** rmix, > > -- > 2.24.1 > -- Jamie Strandboge | http://www.canonical.com

Re: [libvirt] [PATCH v2 3/3] virt-aa-helper: drop pointer checks in get_files

2019-11-20 Thread Jamie Strandboge
On Wed, 20 Nov 2019, Cole Robinson wrote: > On 11/19/19 4:31 PM, Jamie Strandboge wrote: > > On Thu, 14 Nov 2019, Christian Ehrhardt wrote: > > > >> It was mentioned that the pointers in loops like: > >> for (i = 0; i < ctl->def->nserials; i++) > &g

Re: [libvirt] [PATCH 1/2] virt-aa-helper: add rules for shmem devices

2019-11-20 Thread Jamie Strandboge
On Wed, 20 Nov 2019, Christian Ehrhardt wrote: > On Tue, Nov 19, 2019 at 10:25 PM Jamie Strandboge wrote: > > On Tue, 22 Oct 2019, Christian Ehrhardt wrote: > > > +for (i = 0; i < ctl->def->nshmems; i++) { > > > +if (ctl->def->shmems[i]) { &

Re: [libvirt] [PATCH 4/4] apparmor: let AppArmorSetSecurityImageLabel append rules

2019-11-20 Thread Jamie Strandboge
On Wed, 20 Nov 2019, Christian Ehrhardt wrote: > On Wed, Nov 20, 2019 at 3:40 PM Christian Ehrhardt > wrote: > > > > On Tue, Nov 19, 2019 at 10:12 PM Jamie Strandboge > > wrote: > > > > > > On Wed, 16 Oct 2019, Christian Ehrhardt wrote: > > >

Re: [libvirt] [patch 1/1] virt-aa-helper: Add support for smartcard host-certificates

2019-11-19 Thread Jamie Strandboge
buf, " \"%s/{,*}" rk,\n", sc_db); Is it possible that the certificates might be in a lower directory? Ie, is '**' warranted? > > + case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH: > > +break; > > +case VIR_DOM

Re: [libvirt] [PATCH v2 3/3] virt-aa-helper: drop pointer checks in get_files

2019-11-19 Thread Jamie Strandboge
gt;fss[i]->fsdriver == > VIR_DOMAIN_FS_DRIVER_TYPE_PATH || > ctl->def->fss[i]->fsdriver == > VIR_DOMAIN_FS_DRIVER_TYPE_DEFAULT) && > ctl->def->fss[i]->src) { > @@ -1166,16 +1160,14 @@ get_files(vahControl * ctl) >

Re: [libvirt] [PATCH 1/2] virt-aa-helper: add rules for shmem devices

2019-11-19 Thread Jamie Strandboge
_IVSHMEM: > + /* until exposed, recreate > qemuDomainPrepareShmemChardev */ > +if (virAsprintf(&mem_path, > "/var/lib/libvirt/shmem-%s-sock", > +shmem->name) < 0) > + g

Re: [libvirt] [PATCH 4/4] apparmor: let AppArmorSetSecurityImageLabel append rules

2019-11-19 Thread Jamie Strandboge
that making this change will result in scenarios where the rule is (correctly) added, but previous rules are not removed. Can you comment on if this is working correctly? Is it possible to have tests that demonstrate everything is working as intended? -- Jamie Strandboge | http://w

Re: [libvirt] [PATCH 3/4] apparmor: refactor AppArmorSetSecurityImageLabel

2019-11-19 Thread Jamie Strandboge
rn -1; > } > -rc = 0; > > - cleanup: > -VIR_FREE(profile_name); > - > -return rc; > +return reload_profile(mgr, def, src->path, false); The logic of the refactor looks fine, but note by calling reload_profile() here, it will call virDomainDefGetSecuri

Re: [libvirt] [PATCH 2/4] apparmor: drop useless call to get_profile_name

2019-11-19 Thread Jamie Strandboge
> - > -rc = 0; > - cleanup: > -VIR_FREE(profile_name); > - > -return rc; > +return 0; > } > > static int LGTM. I don't recall why this was there initially but guessing it was obviated by a refactor at some point (perhaps before I initially submitted). -- Jamie Strandboge | http://www.canonical.com signature.asc Description: PGP signature -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH 1/4] virt-aa-helper: clarify command line options

2019-11-19 Thread Jamie Strandboge
-u | --uuid uuid (profile name)\n" > +"-h | --helpthis help\n" > +" Extra File:\n" > +"-f | --add-file add file to a profile > generated from XML\n" > +&q

Re: [libvirt] [PATCH] security: AppArmor profile fixes for swtpm

2019-09-16 Thread Jamie Strandboge
ot; \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" a,\n", > +" \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" w,\n", > LOCALSTATEDIR, ctl->def->name); > virBufferAsprintf(&buf, > " \"%s/libvirt/qemu/

Re: [libvirt] [PATCH] virt-aa-helper: Actually fix AppArmor profile

2019-08-20 Thread Jamie Strandboge
self/fd/ is redundant with the next rule. > + @{PROC}/@{pid}/fd/ r, This access LGTM. +1 to apply. -- Jamie Strandboge | http://www.canonical.com

Re: [libvirt] [PATCH] security: aa-helper: allow virt-aa-helper to read .vhd images

2019-07-12 Thread Jamie Strandboge
.lib.libvirt.virt-aa-helper > +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper > @@ -63,6 +63,7 @@ profile virt-aa-helper > /usr/{lib,lib64}/libvirt/virt-aa-helper { >/**.qcow{,2} r, >/**.qed r, >/**.vmdk r, > + /**.vhd r, This looks fine. +1 to apply.

Re: [libvirt] [PATCH] apparmor: Add openGraphicsFD rule for named profile

2019-06-19 Thread Jamie Strandboge
end, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), > ># for gathering information about available host resources +1 to apply. Thanks for chasing this down. -- Jamie Strandboge | http://www.canonical.com

Re: [libvirt] [PATCH] security: apparmor: make vhost-net access a static rule

2019-04-10 Thread Jamie Strandboge
On Wed, 20 Mar 2019, Christian Ehrhardt wrote: > On Wed, Mar 20, 2019 at 8:45 AM Christian Ehrhardt > wrote: > > > > On Mon, Mar 4, 2019 at 11:42 AM Christian Ehrhardt > > wrote: > > > > > > On Fri, Mar 1, 2019 at 5:56 PM Jamie Strandboge > &

Re: [libvirt] [PATCH 1/2] apparmor: Check libvirtd profile status by name

2019-03-12 Thread Jamie Strandboge
rc = -1; > +if (rc < 0) { > +rc = profile_status("libvirtd", 1); > +/* Error or unconfined should all result in -1*/ > +if (rc < 0) > +rc = -1; > +} LGTM. +1 to apply. Thanks! -- Jamie Strandboge |

Re: [libvirt] [PATCH 2/2] security: aa-helper: gl devices in sysfs at arbitrary depth

2019-03-05 Thread Jamie Strandboge
t(&buf, " \"/dev/dri/\" r,\n"); > -virBufferAddLit(&buf, " > \"/sys/devices/*/*/{uevent,vendor,device,subsystem_vendor,subsystem_device}\" > r,\n"); > -virBufferAddLit(&buf, " > \"/sys/devices/*/*/drm/

Re: [libvirt] [PATCH 1/2] security: aa-helper: nvidia rules for gl devices

2019-03-05 Thread Jamie Strandboge
_platform.d/*\" r,\n"); > +virBufferAddLit(&buf, " \"/proc/modules\" r,\n"); > + virBufferAddLit(&buf, " \"/proc/driver/nvidia/params\" r,\n"); > +virBufferAddLit(&buf, " \"/dev/nvidiactl\&quo

Re: [libvirt] [PATCH 2/2] apparmor: Add ptrace and signal rules for named profile

2019-03-02 Thread Jamie Strandboge
eam, > > + ptrace (readby, tracedby) peer=libvirtd, >ptrace (readby, tracedby) peer=/usr/sbin/libvirtd, > > + signal (receive) peer=libvirtd, >signal (receive) peer=/usr/sbin/libvirtd, > >/dev/net/tun rw, +1 to commit -- Jamie Strandboge | http:

Re: [libvirt] [PATCH] security: apparmor: make vhost-net access a static rule

2019-03-01 Thread Jamie Strandboge
d configuration*. Conditionally adding the access would provide benefit when 'user = "root"' is set in qemu.conf or the device itself has different permissions that allow the access (eg, 660 root:kvm). I maintain a preference for updating the profile on hotplug events. I'm

Re: [libvirt] [PATCH v2 2/2] security: aa-helper: generate more rules for gl devices

2019-02-22 Thread Jamie Strandboge
iarch}/dri/*.so*\" mr,\n"); virBufferAddLit(&buf, " \"/usr/lib/fglrx/dri/*.so*\" mr,\n"); This is slightly futureproofed with the trailing '*'. On my system, the '**' wasn't needed, but if you observe systems where it is, feel free to kee

Re: [libvirt] [PATCH v2 1/2] security: aa-helper: allow virt-aa-helper to read /dev/dri

2019-02-22 Thread Jamie Strandboge
On Mon, 18 Feb 2019, Christian Ehrhardt wrote: > > + # for gl enabled graphics > + /dev/dri/{,*} r, > + +1 to include -- Jamie Strandboge | http://www.canonical.com

Re: [libvirt] [PATCH 2/2] security: aa-helper: generate more rules for gl devices

2019-02-15 Thread Jamie Strandboge
ng to prevent it since VMs run as non-root and /var/lib/libvirt is 755. Perhaps get rid of owner and make this an explicit denial rule to silence the denial (with a code comment)? > +virBufferAddLit(&buf, " # Probe DRI device attributes\n"); > +virBufferAddLit(&buf, " \"/dev/dri/\" r,\n"); > +virBufferAddLit(&buf, " > \"/sys/devices/*/*/{uevent,vendor,device,subsystem_vendor,subsystem_device}\" > r,\n"); > +virBufferAddLit(&buf, " > \"/sys/devices/*/*/drm/*/{uevent,vendor,device,subsystem_vendor,subsystem_device}\" > r,\n"); These are fine. -- Jamie Strandboge | http://www.canonical.com

Re: [libvirt] [PATCH 1/2] security: aa-helper: allow virt-aa-helper to read /dev/dri

2019-02-15 Thread Jamie Strandboge
apparmor/usr.lib.libvirt.virt-aa-helper > @@ -19,6 +19,9 @@ profile virt-aa-helper > /usr/{lib,lib64}/libvirt/virt-aa-helper { > >/etc/libnl-3/classid r, > > + # for gl enabled graphics > + /dev/dri/{,*} r, > + This looks fine. -- Jamie Strandboge |

Re: [libvirt] [PATCH v2] virt-aa-helper: generate rules for gl enabled graphics devices

2019-01-22 Thread Jamie Strandboge
.*rw,$" > > +sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e > "s,, rendernode='/dev/dri/testegl1'/>,g" "$template_xml" > > "$test_xml" > +testme "0" "dri egl" "

Re: [libvirt] [PATCH 2/2] apparmor: convert libvirtd profile to a named profile

2019-01-22 Thread Jamie Strandboge
er=/usr/sbin/libvirtd, > + signal (receive) set=("term") peer=libvirtd, > > /dev/net/tun rw, > /etc/qemu/** r, This also LGTM. It'd be nice if there was a mechanism to specify the parent profile like we can the current profile, but we can't now a

Re: [libvirt] [PATCH 1/2] apparmor: Add support for named profiles

2019-01-22 Thread Jamie Strandboge
er=/usr/sbin/dnsmasq, >ptrace (read,trace) peer=libvirt-*, > > + signal (send) peer=dnsmasq, >signal (send) peer=/usr/sbin/dnsmasq, >signal (read, send) peer=libvirt-*, >signal (send) set=("kill", "term") peer=unconfined, This LGTM. -- Jamie

Re: [libvirt] [PATCH] apparmor: fix ptrace rules with kernel 4.18

2018-08-24 Thread Jamie Strandboge
, receive) type=stream addr=none peer=(label=unconfined > addr=none), > > - ptrace (trace) peer=unconfined, > - ptrace (trace) peer=/usr/sbin/libvirtd, > - ptrace (trace) peer=/usr/sbin/dnsmasq, > - ptrace (trace) peer=libvirt-*, > + ptrace (read,trace) pe

Re: [libvirt] [PATCH v2 5/5] apparmor: allow to preserve /dev mountpoints into qemu namespaces

2018-08-15 Thread Jamie Strandboge
n/libvirt/qemu/*{/,} -> > /dev/**, +1 for the rules. Please change '{var/,}' to '{,var/}' and '{/,}' to '{,/}' since, while equivalent, the latter is a more widely used rule style (I recognize that the previous rules used '{var/,}'). -- Jamie Strandboge | http://www.canonical.com

Re: [libvirt] [PATCH v2 4/5] apparmor: allow qemu-smb access in /tmp

2018-08-15 Thread Jamie Strandboge
expressed in libvirt XML it should be added on demand > via > + # virt-aa-helper instead. > + owner /tmp/qemu-smb.*/{,**} rw, > ># for file-posix getting limits since 9103f1ce >/sys/devices/**/block/*/queue/max_segments r, -- Jamie Strandboge | http://www.canonical.com
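Review bot: in `owner /tmp/qemu-smb.*/{,**} rw,` the `owner` qualifier only requires the file's owner to match the task's fsuid, so it separates one guest's `qemu-smb.*` directory from another's only when each qemu runs under its own uid; with a shared uid every confined guest gets rw to all of them, and `{,**}` makes that the directory itself plus everything beneath it. That limitation belongs next to the existing comment saying the rule should move to virt-aa-helper, since per-domain generation is what would actually scope it.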

Re: [libvirt] [PATCH v2 3/5] apparmor: allow expected /tmp access patterns

2018-08-15 Thread Jamie Strandboge
want more unique paths per rule. > + /{,var/}tmp/ r, > + owner /{,var/}tmp/**/ r, > + ># for file-posix getting limits since 9103f1ce >/sys/devices/**/block/*/queue/max_segments r, Thanks for the changes! The comments seem longer than 80 characters, but +1 to commit as is. -- Ja

Re: [libvirt] [PATCH 4/4] apparmor: allow to preserve /dev mountpoints into qemu namespaces

2018-08-13 Thread Jamie Strandboge
ev to qemu namespaces > + mount options=(rw, move) /dev/ -> /{var/,}run/libvirt/qemu/*.dev/, > + mount options=(rw, move) /dev/**{/,} -> > /{var/,}run/libvirt/qemu/*{/,}, What are you trying to convey with this rule? As written, the '{/,}' is redundant since '**&#
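
The `{var/,}` versus `{,var/}` style point in the v2 review above, the `**{/,}` redundancy question in this message, and the fixed-depth `/sys/devices/*/*/...` versus arbitrary-depth debate elsewhere in this list are all questions about what an AppArmor path glob actually matches. The following is an added example, not libvirt's or AppArmor's own code: it translates a rule path into a Python regex using the documented glob syntax (`*` stays within one path component, `**` crosses `/`, `?` is one character, `[..]` is a class, `{a,b}` is alternation, `@{VAR}` expands) plus the parser behaviour that a glob opening a path component must match at least one character, which is why `/dir/**` does not cover `/dir/` itself and profiles write `/dir/{,**}`. The tunable values and the sample paths are constructed for the demo and are not the distribution's.

```python
"""Translate AppArmor path globs into regexes to check what a rule covers.

Added example; not libvirt or AppArmor project code.  Models the documented
glob syntax ('*' within one path component, '**' across '/', '?' one char,
'[..]' classes, '{a,b}' alternation, '@{VAR}' expansion) plus the parser
behaviour that a glob opening a path component must match at least one
character, which is why '/dir/**' does not match '/dir/' itself.
"""
import re

# Assumed values for the tunables used below; the real ones live in
# /etc/apparmor.d/tunables and @{pid} there is a stricter digit pattern.
VARIABLES = {
    "PROC": "/proc",
    "pid": "[0-9]*",
}


def glob_to_regex(glob, variables=VARIABLES):
    """Compile one AppArmor path glob into an anchored regular expression."""
    def expand(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError("undefined AppArmor variable @{%s}" % name)
        return variables[name]

    glob = re.sub(r"@\{([A-Za-z0-9_]+)\}", expand, glob)
    out, depth, i = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            # First char of a path component: the glob must consume >= 1 char,
            # otherwise /dir/* would match the directory /dir/ itself.
            lead = "[^/]" if (i == 0 or glob[i - 1] == "/") else ""
            if glob.startswith("**", i):
                out.append(lead + ".*")      # '**' may cross '/'
                i += 2
            else:
                out.append(lead + "[^/]*")   # '*' stays inside the component
                i += 1
            continue
        if c == "?":
            out.append("[^/]")
        elif c == "[":
            j = glob.find("]", i + 1)
            if j == -1:
                raise ValueError("unterminated character class in %r" % glob)
            body = glob[i + 1:j]
            neg = body.startswith("^")
            body = body[1:] if neg else body
            out.append("[" + ("^" if neg else "") + body.replace("\\", "\\\\") + "]")
            i = j
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}":
            if depth == 0:
                raise ValueError("unbalanced '}' in %r" % glob)
            depth -= 1
            out.append(")")
        elif c == "," and depth > 0:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced '{' in %r" % glob)
    return re.compile("^" + "".join(out) + "$")


def matches(glob, path):
    return glob_to_regex(glob).match(path) is not None


def equivalent_on(glob_a, glob_b, paths):
    """True when both globs accept exactly the same subset of paths."""
    ra, rb = glob_to_regex(glob_a), glob_to_regex(glob_b)
    return all((ra.match(p) is None) == (rb.match(p) is None) for p in paths)


# Constructed sample paths covering the cases argued over in the thread.
SAMPLE_PATHS = [
    "/dev/", "/dev/pts/", "/dev/pts/0", "/dev/dri/", "/dev/dri/card0",
    "/dev/dri/by-path/pci-0000:01:00.0-card",
    "/run/libvirt/qemu/x.dev/", "/var/run/libvirt/qemu/x.dev/",
    "/sys/devices/pci0000:00/0000:00:02.0/uevent",
    "/sys/devices/pci0000:00/0000:00:1c.0/0000:01:00.0/uevent",
    "/home/u/images/disk.ISO", "/home/u/images/disk.iso.bak",
    "/proc/1234/fd/", "/proc/self/fd/",
]

if __name__ == "__main__":
    # The two alternation styles are the same set; the trailing {/,} adds nothing.
    print(equivalent_on("/{var/,}run/libvirt/qemu/*.dev/",
                        "/{,var/}run/libvirt/qemu/*.dev/", SAMPLE_PATHS))
    print(equivalent_on("/dev/**", "/dev/**{/,}", SAMPLE_PATHS))
    # Fixed depth versus arbitrary depth under /sys/devices.
    for p in SAMPLE_PATHS:
        if p.endswith("uevent"):
            print(p, matches("/sys/devices/*/*/uevent", p),
                  matches("/sys/devices/**/uevent", p))
```

This is a model of the glob grammar, not the kernel's DFA, so use it to reason about overlap and redundancy between candidate rules; the authoritative answer for a given system is still `apparmor_parser` and the audit log.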

Re: [libvirt] [PATCH 3/4] apparmor: allow expected /tmp access patterns

2018-08-13 Thread Jamie Strandboge
t is designed in such a way that this doesn't matter. I'd much rather not call this 'sort of safe' but instead call out the problem, justify why the rule should be there and perhaps add a TODO that once smb is supported in domain xml that this rule will be added conditionally.

Re: [libvirt] [PATCH 2/4] apparmor: add mediation rules for unconfined guests

2018-08-13 Thread Jamie Strandboge
hanges: > - 3b1d19e6 AppArmor: add rules needed with additional mediation > features > - b482925c apparmor: support ptrace checks > > Signed-off-by: Christian Ehrhardt > Acked-by: Jamie Strandboge > Acked-by: intrigeri > --- > examples/apparmor/usr.sbin.libvirtd | 3 ++

Re: [libvirt] [PATCH 1/4] apparmor: allow openGraphicsFD for virt manager >1.4

2018-08-13 Thread Jamie Strandboge
ithout security module > + unix (send, receive) type=stream addr=none > peer=(label=unconfined), Makes sense. This libvirtd policy is meant to be super restrictive, so +1 to apply. -- Jamie Strandboge | http://www.canonical.com

Re: [libvirt] [PATCH] apparmor: fix vfio usage without initial hostdev

2018-06-12 Thread Jamie Strandboge
emu > +++ b/examples/apparmor/libvirt-qemu > @@ -193,6 +193,9 @@ >deny /dev/shm/lttng-ust-wait-* r, >deny /run/shm/lttng-ust-wait-* r, > > + # for vfio hotplug on systems without static vfio (LP: #1775777) > + /dev/vfio/vfio rw, > + Makes sense. If the guest doesn&
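Review bot: `/dev/vfio/vfio rw,` opens only the VFIO container; a guest gets at an actual device only once the per-group node under `/dev/vfio/` is also opened and attached to that container, so this static rule does not by itself expose passthrough hardware to every qemu. The comment should say that the group-device rule still has to be generated dynamically at hotplug time, otherwise a reader may take the static line as the whole of what hotplug needs.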

Re: [libvirt] [PATCH v4 5/5] virt-aa-helper: test: check for expected profile content

2018-03-22 Thread Jamie Strandboge
ate_xml" > "$test_xml" > mkfifo "$tmpdir/parallel.pipe.in" "$tmpdir/parallel.pipe.out" > -testme "0" "parallel (pipe)" "-r -u $valid_uuid" "$test_xml" > +testme "0" "parallel (pipe)" "-r

Re: [libvirt] [PATCH v3 5/5] virt-aa-helper: test: check for expected profile content

2018-03-21 Thread Jamie Strandboge
sk1,g" -e > "s,, path='$tmpdir/parallel.pipe'/> port='0'/>,g" "$template_xml" > "$test_xml" > mkfifo "$tmpdir/parallel.pipe.in" "$tmpdir/parallel.pipe.out" > -testme "0" "parallel (pipe)"

Re: [libvirt] [PATCH v3 4/5] virt-aa-helper: generate rules for nvdimm memory

2018-03-21 Thread Jamie Strandboge
;/tmp/nvdimm-base" rw, > > Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1757085 > > Acked-by: Jamie Strandboge > Signed-off-by: Christian Ehrhardt > --- > src/security/virt-aa-helper.c | 8 > tests/virt-aa-helper-test | 3 +++ > 2 fi

Re: [libvirt] [PATCH v3 3/5] virt-aa-helper: generate rules for passthrough input devices

2018-03-21 Thread Jamie Strandboge
t_xml > sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e > "s,, socket='/var/lib/libvirt/qemu/myself.vnc'> address='0.0.0.0'/>,g" "$template_xml" > "$test_xml" > testme "0" "vnc socke

Re: [libvirt] [PATCH v3 2/5] security, apparmor: add (Set|Restore)InputLabel

2018-03-21 Thread Jamie Strandboge
tLabel, > + .domainRestoreSecurityInputLabel= AppArmorRestoreInputLabel, > + > .domainSetSecurityDaemonSocketLabel = > AppArmorSetSecurityDaemonSocketLabel, > .domainSetSecuritySocketLabel = > AppArmorSetSecuritySocketLabel, > .domainClearSecuritySocketLabel = > AppArmorClearSecuritySocketLabel, +1 to apply -- Jamie Strandboge | http://www.canonical.com

Re: [libvirt] [PATCH v3 1/5] security, apparmor: add (Set|Restore)MemoryLabel

2018-03-21 Thread Jamie Strandboge
river = { > .domainSetSecurityImageLabel= > AppArmorSetSecurityImageLabel, > .domainRestoreSecurityImageLabel= > AppArmorRestoreSecurityImageLabel, > > +.domainSetSecurityMemoryLabel = AppArmorSetMemoryLabel, > +.domainRestoreSecurityMemoryLabel = >

Re: [libvirt] [PATCH v2 4/5] virt-aa-helper: generate rules for nvdimm memory

2018-03-21 Thread Jamie Strandboge
sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e > "s,, evdev='$disk2' />,g" "$template_xml" > "$test_xml" > testme "0" "input dev passthrough" "-r -u $valid_uuid" "$test_xml"

Re: [libvirt] [PATCH v2 3/5] virt-aa-helper: generate rules for passthrough input devices

2018-03-21 Thread Jamie Strandboge
s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e > "s,, socket='/var/lib/libvirt/qemu/myself.vnc'> address='0.0.0.0'/>,g" "$template_xml" > "$test_xml" > testme "0" "vnc socket" "-r -u $valid_uui

Re: [libvirt] [PATCH v2 2/5] security, apparmor: add (Set|Restore)InputLabel

2018-03-21 Thread Jamie Strandboge
@@ virSecurityDriver virAppArmorSecurityDriver = { > .domainSetSecurityMemoryLabel = AppArmorSetMemoryLabel, > .domainRestoreSecurityMemoryLabel = > AppArmorRestoreMemoryLabel, > > +.domainSetSecurityInputLabel= AppArmorSetInputLabel, > + .domainRestoreSecurityInputL

Re: [libvirt] [PATCH v2 1/5] security, apparmor: add (Set|Restore)MemoryLabel

2018-03-21 Thread Jamie Strandboge
emoryLabel = AppArmorSetMemoryLabel, > + .domainRestoreSecurityMemoryLabel = > AppArmorRestoreMemoryLabel, > + > .domainSetSecurityDaemonSocketLabel = > AppArmorSetSecurityDaemonSocketLabel, > .domainSetSecuritySocketLabel = > AppArmorSetSecuritySocketLabel, > .domainClearSecuritySocketLabel = > AppArmorClearSecuritySocketLabel, -- Jamie Strandboge | http://www.canonical.com

Re: [libvirt] [PATCH 4/4] virt-aa-helper: generate rules for nvdimm memory

2018-03-20 Thread Jamie Strandboge
t;mems[i]->nvdimmPath, > "rw") != 0) > +goto cleanup; > +} > + } > + > if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) { > for (i = 0; i < ctl->def->nnets; i++) { > virDomainNetDefPtr net = ctl->def->

Re: [libvirt] [PATCH 3/4] virt-aa-helper: generate rules for passthrough input devices

2018-03-20 Thread Jamie Strandboge
ot;) != 0) > +goto cleanup; > +} > +} > + > for (i = 0; i < ctl->def->nnets; i++) { > if (ctl->def->nets[i] && > ctl->def->nets[i]->type == > VIR_DOMAIN_NET_TYPE_VHOSTUSER && Adding test cases for this would be good. -- Jamie Strandboge | http://www.canonical.com

Re: [libvirt] [PATCH 2/4] security, apparmor: add (Set|Restore)InputLabel

2018-03-20 Thread Jamie Strandboge
.domainRestoreSecurityInputLabel= AppArmorRestoreInputLabel, > + > .domainSetSecurityDaemonSocketLabel = > AppArmorSetSecurityDaemonSocketLabel, > .domainSetSecuritySocketLabel = > AppArmorSetSecuritySocketLabel, > .domainClearSecuritySocketLabel = &

Re: [libvirt] [PATCH 1/4] security, apparmor: add (Set|Restore)MemoryLabel

2018-03-20 Thread Jamie Strandboge
-1115,6 +1162,9 @@ virSecurityDriver virAppArmorSecurityDriver = { > .domainSetSecurityImageLabel= > AppArmorSetSecurityImageLabel, > .domainRestoreSecurityImageLabel= > AppArmorRestoreSecurityImageLabel, > > +.domainSetSecurityMemoryLabel = AppArmorSetMemoryLabel, >

Re: [libvirt] [PATCH] apparmor: add ro rule for sasl GSSAPI plugin on /etc/gss/mech.d/

2018-03-08 Thread Jamie Strandboge
+ # required for sasl GSSAPI plugin > + /etc/gss/mech.d/ r, > + /etc/gss/mech.d/* r, LGTM. +1 Thanks! -- Jamie Strandboge | http://www.canonical.com

Re: [libvirt] [PATCH] apparmor: allow libvirt to send term signal to unconfined

2018-01-25 Thread Jamie Strandboge
(read, send) peer=libvirt-*, > > - signal (send) set=("kill") peer=unconfined, > > + signal (send) set=("kill", "term") peer=unconfined, > LGTM too. +1 to apply. -- Jamie Strandboge | http://www.canonical.com

Re: [libvirt] [PATCH] apparmor: fix virt-aa-helper profile

2018-01-03 Thread Jamie Strandboge
armor/usr.lib.libvirt.virt-aa-helper > @@ -51,7 +51,7 @@ profile virt-aa-helper > /usr/{lib,lib64}/libvirt/virt-aa-helper { >/var/lib/libvirt/images/** r, >/{media,mnt,opt,srv}/** r, ># For virt-sandbox > - /run/libvirt/**/[sv]d[a-z] r > + /{,var/}run/libvirt/**/[sv]d[a-
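Review bot: the removed line `/run/libvirt/**/[sv]d[a-z] r` as quoted ends without the trailing comma that AppArmor requires to terminate a rule, so this hunk corrects a profile that would not load at all in addition to adding the `{,var/}` alternation for `/var/run`. The commit message should name both effects separately, since the missing comma is the half that matters for anyone backporting a fix.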

Re: [libvirt] [PATCH] virt-aa-helper: handle more disk images

2017-12-20 Thread Jamie Strandboge
} r, >/**.qed r, >/**.vmdk r, These profile changes LGTM. +1 to apply them. Like intrigeri, I'll let someone else ACK the build system changes. -- Jamie Strandboge | http://www.canonical.com

Re: [libvirt] [PATCH 06/12] apparmor, libvirt-qemu: Allow access to hugepage mounts

2017-12-20 Thread Jamie Strandboge
On Wed, 2017-12-20 at 14:43 +0100, Christian Ehrhardt wrote: > On Tue, Dec 19, 2017 at 5:21 PM, Jamie Strandboge m> wrote: > > On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > > > From: Serge Hallyn > > > > > > Allows owner access to hugep

Re: [libvirt] [PATCH v2] apparmor, libvirt-qemu: add default pki path of libvirt-spice

2017-12-20 Thread Jamie Strandboge
P: #901272) > - /etc/pki/CA/ r, > - /etc/pki/CA/* r, > - /etc/pki/libvirt/ r, > - /etc/pki/libvirt/** r, > - > # for save and resume >/{usr/,}bin/dash rmix, >/{usr/,}bin/dd rmix, +1 to apply. Thanks for the patch and intrigeri for the feedback. -- Jamie S

Re: [libvirt] [PATCH v2] apparmor, virt-aa-helper: Allow access to /sys/bus/usb/devices

2017-12-20 Thread Jamie Strandboge
On Wed, 2017-12-20 at 11:56 +0100, Christian Ehrhardt wrote: > From: Jamie Strandboge > > Required to generate correct profiles when using usb passthrough. > > Bug-Ubuntu: https://bugs.launchpad.net/bugs/565691 > > Signed-off-by: Stefan Bader > Signed-off-by: Christ

Re: [libvirt] [PATCH v2] apparmor, libvirt-qemu: Allow qemu-block-extra libraries

2017-12-20 Thread Jamie Strandboge
On Wed, 2017-12-20 at 08:41 +0100, Christian Ehrhardt wrote: > From: Jamie Strandboge > > Allows (multi-arch enabled) access to libraries under the > /usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu > qemu-block-extra package and all such libs for the paths >

Re: [libvirt] [PATCH 11/12] apparmor, virt-aa-helper: Allow access to ecryptfs files

2017-12-19 Thread Jamie Strandboge
On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > From: Jamie Strandboge > > Bug-Ubuntu: https://bugs.launchpad.net/bugs/591769 > > Signed-off-by: Stefan Bader > --- > examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 > 1 file changed, 4 inserti

Re: [libvirt] [PATCH 12/12] apparmor, virt-aa-helper: Allow access to /sys/bus/usb/devices

2017-12-19 Thread Jamie Strandboge
On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > From: Jamie Strandboge > > Required to generate correct profiles when using usb passthrough. > > Bug-Ubuntu: https://bugs.launchpad.net/bugs/565691 > > Signed-off-by: Stefan Bader > --- > examples/appar

Re: [libvirt] [PATCH 10/12] apparmor, libvirtd: Allow ixr to /var/lib/libvirt/virtd*

2017-12-19 Thread Jamie Strandboge
On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > From: Jamie Strandboge > > This is required for the ebtables functionality added in > libvirt 0.8.0. > > Signed-off-by: Stefan Bader > --- > examples/apparmor/usr.sbin.libvirtd | 4 > 1 file changed

Re: [libvirt] [PATCH 09/12] apparmor, libvirt-qemu: qemu won't call qemu-nbd

2017-12-19 Thread Jamie Strandboge
/usr/bin/qemu-mipsel rmix, >/usr/bin/qemu-mipsn32 rmix, >/usr/bin/qemu-mipsn32el rmix, > - /usr/bin/qemu-nbd rmix, >/usr/bin/qemu-or32 rmix, >/usr/bin/qemu-ppc rmix, > /usr/bin/qemu-ppc64 rmix, Nice catch. +1 to apply. -- Jamie Strandboge | http:/

Re: [libvirt] [PATCH 06/12] apparmor, libvirt-qemu: Allow access to hugepage mounts

2017-12-19 Thread Jamie Strandboge
curity_manager.c, is it possible that these rules can be removed and vm-specific ones added dynamically with virt-aa-helper? -- Jamie Strandboge | http://www.canonical.com signature.asc Description: This is a digitally signed message part -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH 08/12] apparmor, libvirt-qemu: add generic base vfio device

2017-12-19 Thread Jamie Strandboge
212,6 @@ ># silence refusals to open lttng files (see LP: #1432644) >deny /dev/shm/lttng-ust-wait-* r, >deny /run/shm/lttng-ust-wait-* r, > + > + # for vfio (LP: #1678322) > + /dev/vfio/vfio rw, Why not just also add this rule iff there is a vfio-specific device rule? Ie

Re: [libvirt] [PATCH 07/12] apparmor, libvirt-qemu: add default pki path of libvirt-spice

2017-12-19 Thread Jamie Strandboge
irt-spice (LP: #1690140) > + /etc/pki/libvirt-spice/ r, > + /etc/pki/libvirt-spice/** r, > + +1 to apply -- Jamie Strandboge | http://www.canonical.com

Re: [libvirt] [PATCH 05/12] apparmor, libvirt-qemu: Allow qemu-block-extra libraries

2017-12-19 Thread Jamie Strandboge
On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > From: Jamie Strandboge > > Allows (multi-arch enabled) access to libraries under the > /usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu > qemu-block-extra package. > > Bug-Ubuntu: https://bugs.launc

Re: [libvirt] [PATCH 02/12] apparmor, libvirt-qemu: Silence lttng related deny messages

2017-12-19 Thread Jamie Strandboge
/dev/shm/lttng-ust-wait-* r, > + deny /run/shm/lttng-ust-wait-* r, +1 to apply. These are noisy and not needed by typical guests. -- Jamie Strandboge | http://www.canonical.com

Re: [libvirt] [PATCH 04/12] apparmor, libvirt-qemu: Allow read access to max_mem_regions

2017-12-19 Thread Jamie Strandboge
>/sys/devices/system/node/node[0-9]*/meminfo r, >/sys/devices/system/cpu/ r, > > + /sys/module/vhost/parameters/max_mem_regions r, > + +1 to apply -- Jamie Strandboge | http://www.canonical.com

Re: [libvirt] [PATCH 03/12] apparmor, libvirt-qemu: Allow read access to sysfs system info

2017-12-19 Thread Jamie Strandboge
On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > From: Jamie Strandboge > > Newer qemu wants to read > /sys/devices/system/node/ > /sys/devices/system/cpu/ > /sys/devices/system/node/node[0-9]*/meminfo > > Signed-off-by: Stefan Bader > --- > exam

Re: [libvirt] [PATCH] apparmor: allow unix stream for p2p migrations

2017-12-19 Thread Jamie Strandboge
rtd > +++ b/examples/apparmor/usr.sbin.libvirtd > @@ -53,6 +53,9 @@ >network packet dgram, >network packet raw, > > + # for --p2p migrations > + unix (send, receive) type=stream addr=none peer=(label=unconfined > addr=none), > + This rule is fine, but for complete

Re: [libvirt] [PATCH 01/12] apparmor, libvirt-qemu: Allow use of sgabios

2017-12-19 Thread Jamie Strandboge
share/seabios/** r, > + /usr/share/misc/sgabios.bin r, >/usr/share/ovmf/** r, >/usr/share/OVMF/** r, >/usr/share/AAVMF/** r, +1 to apply -- Jamie Strandboge | http://www.canonical.com

Re: [libvirt] [PATCH] apparmor: add ptrace/mediation rules for unconfined guests

2017-12-15 Thread Jamie Strandboge
first focus > on confining ># the guests. Guests will have a very restricted profile. >/ r, These rules are unfortunate, but it is important to note that this is in the libvirtd profile, not the guest profiles. As mentioned in the contextual diff, the profile is intentionally very

Re: [libvirt] [PATCH] apparmor: allow qemu abstraction to read /proc/pid/cmdline

2017-12-04 Thread Jamie Strandboge
On Mon, 2017-12-04 at 12:03 +0100, Michal Privoznik wrote: > On 12/01/2017 02:26 PM, Jamie Strandboge wrote: > > On Thu, 2017-11-30 at 10:43 -0700, Jim Fehlig wrote: > > > Noticed the following denial in audit.log when shutting down > > > an apparmor confined domain >

Re: [libvirt] [PATCH] apparmor: allow qemu abstraction to read /proc/pid/cmdline

2017-12-01 Thread Jamie Strandboge
r, > + @{PROC}/@{pid}/cmdline r, Note this is an information leak and allows reading potentially sensitive information, such as passwords given on the command line. Eg: $ cat /proc/13335/cmdline | tr '\0' ' ' sh /tmp/testme --password=sensitive Would it be po

Re: [libvirt] [PATCH 2/2] AppArmor: use fine-grained mount rules instead of a blanket catch-all one

2017-11-14 Thread Jamie Strandboge
ount options=(rw, move) /{var/,}run/libvirt/qemu/*.mqueue/-> > /dev/mqueue/, > + mount options=(rw, move) /{var/,}run/libvirt/qemu/*.pts/ -> > /dev/pts/, > + mount options=(rw, move) /{var/,}run/libvirt/qemu/*.shm/ -> > /dev/shm/, > These all look fine. I s

Re: [libvirt] [PATCH 1/2] AppArmor: add rules needed with additional mediation features brought by Linux 4.14.

2017-11-14 Thread Jamie Strandboge
ptrace (trace) peer=/usr/sbin/dnsmasq, >ptrace (trace) peer=libvirt-*, > > + signal (send) peer=/usr/sbin/dnsmasq, > + signal (read, send) peer=libvirt-*, > + LGTM, thanks! -- Jamie Strandboge | http://www.canonical.com

Re: [libvirt] [PATCH 2/2] apparmor, virt-aa-helper: allow ipv6

2017-11-06 Thread Jamie Strandboge
; @@ -10,6 +10,7 @@ profile virt-aa-helper > /usr/{lib,lib64}/libvirt/virt-aa-helper { > ># needed for when disk is on a network filesystem >network inet, > + network inet6, > >deny @{PROC}/[0-9]*/mounts r, > @{PROC}/[0-9]*/net/psched r, LGTM. Th

Re: [libvirt] [PATCH 1/2] apparmor: allow qemu to read max_segments

2017-11-06 Thread Jamie Strandboge
b/examples/apparmor/libvirt-qemu > @@ -169,6 +169,9 @@ ># for rbd >/etc/ceph/ceph.conf r, > > + # for file-posix getting limits since 9103f1ce > + /sys/devices/**/block/*/queue/max_segments r, > + ># for ppc device-tree access >@{PROC}/device-tree/ r, &g

Re: [libvirt] [PATCH 2/2] virt-aa-helper-test: only fails go to stdout by default

2017-10-26 Thread Jamie Strandboge
-e "s,, type='pflash'>$fwpath,g" "$template_xml" > "$test_xml" > testme "0" "$title" "-r -u $valid_uuid" "$test_xml" > else > - echo "Skipping FW $title test. Could not find $fw

Re: [libvirt] [PATCH 1/2] virt-aa-helper: apparmor wildcards to forbidden chars

2017-10-26 Thread Jamie Strandboge
c with invalid domain name char ?" "-c -u $valid_uuid" > "$test_xml" > +sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,virt- > aa-helper-test,virt-aa-helper-test-^,g" "$template_xml" > "$te
