From nobody Sat May  4 07:32:29 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28
 as permitted sender) client-ip=209.132.183.28;
 envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com;
Authentication-Results: mx.zohomail.com;
	spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com
Return-Path: <libvir-list-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by
 mx.zohomail.com
	with SMTPS id 1513324431133848.9716237265026;
 Thu, 14 Dec 2017 23:53:51 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com
 [10.5.11.14])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id C1F548047E;
	Fri, 15 Dec 2017 07:53:46 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id CCF735D967;
	Fri, 15 Dec 2017 07:53:45 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 879CF1800BDC;
	Fri, 15 Dec 2017 07:53:43 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com
	[10.5.11.12])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id vBF7rgwp023361 for <libvir-list@listman.util.phx.redhat.com>;
	Fri, 15 Dec 2017 02:53:42 -0500
Received: by smtp.corp.redhat.com (Postfix)
	id 54EDC60C8A; Fri, 15 Dec 2017 07:53:42 +0000 (UTC)
Received: from mx1.redhat.com (ext-mx02.extmail.prod.ext.phx2.redhat.com
	[10.5.110.26])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 4E73860CA7
	for <libvir-list@redhat.com>; Fri, 15 Dec 2017 07:53:40 +0000 (UTC)
Received: from youngberry.canonical.com (youngberry.canonical.com
	[91.189.89.112]) (using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 68B81883BC
	for <libvir-list@redhat.com>; Fri, 15 Dec 2017 07:53:39 +0000 (UTC)
Received: from 1.general.paelzer.uk.vpn ([10.172.196.172]
	helo=localhost.localdomain) by youngberry.canonical.com with esmtpsa
	(TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76)
	(envelope-from <christian.ehrhardt@canonical.com>)
	id 1ePknP-0006id-CD; Fri, 15 Dec 2017 07:52:39 +0000
From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
To: Libvirt Devel <libvir-list@redhat.com>
Date: Fri, 15 Dec 2017 08:52:35 +0100
Message-Id: 
 <1513324355-21259-1-git-send-email-christian.ehrhardt@canonical.com>
X-Greylist: Sender passed SPF test, Sender IP whitelisted by DNSRBL, ACL 207
	matched, not delayed by milter-greylist-4.5.16 (mx1.redhat.com
	[10.5.110.26]); Fri, 15 Dec 2017 07:53:39 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com
 [10.5.110.26]);
	Fri, 15 Dec 2017 07:53:39 +0000 (UTC) for IP:'91.189.89.112'
	DOMAIN:'youngberry.canonical.com' HELO:'youngberry.canonical.com'
	FROM:'christian.ehrhardt@canonical.com' RCPT:''
X-RedHat-Spam-Score: -5.01  (RCVD_IN_DNSWL_HI,
	T_RP_MATCHES_RCVD) 91.189.89.112 youngberry.canonical.com
	91.189.89.112 youngberry.canonical.com
	<christian.ehrhardt@canonical.com>
X-Scanned-By: MIMEDefang 2.78 on 10.5.110.26
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-loop: libvir-list@redhat.com
Cc: Jamie Strandboge <jamie.strandboge@canonical.com>,
	Guido Guenther <agx@sigxcpu.org>, intrigeri <intrigeri+libvirt@boum.org>,
	Christian Ehrhardt <christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH] apparmor: add ptrace/mediation rules for
	unconfined guests
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-Greylist: Sender IP whitelisted,
 not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]);
 Fri, 15 Dec 2017 07:53:49 +0000 (UTC)
X-ZohoMail: RSF_0  Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

If a guest runs unconfined <seclabel type=3D'none'>, but libvirtd is
confined then the peer for signal/ptrace can only be detected as
'unconfined'. That triggers issues like:
   apparmor=3D"DENIED" operation=3D"signal"
   profile=3D"/usr/sbin/libvirtd" pid=3D22395 comm=3D"libvirtd"
   requested_mask=3D"send" denied_mask=3D"send" signal=3Dterm peer=3D"uncon=
fined"

To fix this add unconfined as an allowed peer for those operations.

I discussed with the apparmor folks, right now there is no better
separation to be made in this case. But there might be further down the
road with "policy namespaces with scope and view control + stacking"

This is more a use-case addition than a fix to the following two changes:
 - 3b1d19e6 AppArmor: add rules needed with additional mediation features
 - b482925c apparmor: support ptrace checks

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 examples/apparmor/usr.sbin.libvirtd | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sb=
in.libvirtd
index 8d61d15..23e8aa3 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -61,6 +61,10 @@
   signal (send) peer=3D/usr/sbin/dnsmasq,
   signal (read, send) peer=3Dlibvirt-*,
=20
+  # required if guests run unconfined seclabel type=3D'none' but libvirtd =
is confined
+  signal (read, send) peer=3Dunconfined,
+  ptrace (trace) peer=3Dunconfined,
+
   # Very lenient profile for libvirtd since we want to first focus on conf=
ining
   # the guests. Guests will have a very restricted profile.
   / r,
--=20
2.7.4

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list