From: Jim Fehlig
To: libvir-list@redhat.com
Cc: apparmor@cboltz.de
Date: Mon, 14 Jan 2019 16:00:08 -0700
Message-Id: <20190114230009.2314-2-jfehlig@suse.com>
In-Reply-To: <20190114230009.2314-1-jfehlig@suse.com>
Subject: [libvirt] [PATCH 1/2] apparmor: Add support for named profiles

Upstream apparmor is switching to named profiles. In short,

/usr/sbin/dnsmasq {

becomes

profile dnsmasq /usr/sbin/dnsmasq {

Consequently, any profiles that reference profiles in a peer= condition need to be updated if the referenced profile switches to a named profile. Apparmor commit 9ab45d81 switched dnsmasq to a named profile.
ATM it is the only named profile switch that has affected libvirt. Add rules to the libvirtd profile to reference dnsmasq in peer= conditions by profile name.

Signed-off-by: Jim Fehlig
---
 src/security/apparmor/usr.sbin.libvirtd | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmo= r/usr.sbin.libvirtd index f0ffc53008..0db52c524c 100644 --- a/src/security/apparmor/usr.sbin.libvirtd +++ b/src/security/apparmor/usr.sbin.libvirtd
@@ -52,9 +52,11 @@ =20 ptrace (read,trace) peer=3Dunconfined, ptrace (read,trace) peer=3D/usr/sbin/libvirtd, + ptrace (read,trace) peer=3Ddnsmasq, ptrace (read,trace) peer=3D/usr/sbin/dnsmasq, ptrace (read,trace) peer=3Dlibvirt-*, =20 + signal (send) peer=3Ddnsmasq, signal (send) peer=3D/usr/sbin/dnsmasq, signal (read, send) peer=3Dlibvirt-*, signal (send) set=3D("kill", "term") peer=3Dunconfined, --=20 2.19.2
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
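Review bot: the two added lines in the @@ -52,9 +52,11 @@ hunk sit directly beside their path-based twins (`peer=/usr/sbin/dnsmasq`) with nothing in the profile explaining why both forms exist, even though, by the commit message's own reasoning, only one of them can match on a given host (apparmor before or after commit 9ab45d81). A one-line comment above each pair, e.g. `# dnsmasq is a named profile in newer apparmor; keep the path form for older releases`, would stop a later cleanup from dropping the wrong one. Note also that the new `signal (send) peer=dnsmasq,` carries no `set=` restriction, unlike the `peer=unconfined` rule below it; that mirrors the existing path-based dnsmasq rule, so it is consistent, but the two must be kept in step if the path rule is ever tightened.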

From: Jim Fehlig
To: libvir-list@redhat.com
Cc: apparmor@cboltz.de
Date: Mon, 14 Jan 2019 16:00:09 -0700
Message-Id: <20190114230009.2314-3-jfehlig@suse.com>
In-Reply-To: <20190114230009.2314-1-jfehlig@suse.com>
Subject: [libvirt] [PATCH 2/2] apparmor: convert libvirtd profile to a named profile

Signed-off-by: Jim Fehlig
---
Optional patch that may need a bit of coordination with upstream apparmor since the dnsmasq profile currently has 'peer=/usr/sbin/libvirtd'.

 src/security/apparmor/usr.sbin.libvirtd | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmo= r/usr.sbin.libvirtd index 0db52c524c..29f9936ad9 100644 --- a/src/security/apparmor/usr.sbin.libvirtd +++ b/src/security/apparmor/usr.sbin.libvirtd @@ -2,7 +2,7 @@ #include @{LIBVIRT}=3D"libvirt" =20 -/usr/sbin/libvirtd flags=3D(attach_disconnected) { +profile libvirtd /usr/sbin/libvirtd flags=3D(attach_disconnected) { #include #include =20 @@ -51,7 +51,7 @@ unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d addr=3Dnone), =20 ptrace (read,trace) peer=3Dunconfined, - ptrace (read,trace) peer=3D/usr/sbin/libvirtd, + ptrace (read,trace) peer=3D@{profile_name}, ptrace (read,trace) peer=3Ddnsmasq, ptrace (read,trace) peer=3D/usr/sbin/dnsmasq, ptrace (read,trace) peer=3Dlibvirt-*, @@ -123,6 +123,7 @@ # For communication/control from libvirtd unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3D/usr/sbi= n/libvirtd), signal (receive) set=3D("term") peer=3D/usr/sbin/libvirtd, + signal (receive) set=3D("term") peer=3Dlibvirtd, =20 /dev/net/tun rw, /etc/qemu/** r, --=20 2.19.2
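Review bot: the commit message for this patch is empty apart from the Signed-off-by, and the only rationale (coordination is needed because the upstream dnsmasq profile still has `peer=/usr/sbin/libvirtd`) sits below the `---` cut line, where `git am` discards it. The @@ -2,7 +2,7 @@ hunk changes the label every other profile uses to match libvirtd, so `peer=/usr/sbin/libvirtd` rules elsewhere stop matching, which is exactly the breakage patch 1 fixes for dnsmasq; that sentence, plus the coordination note, belongs above the `---` so it lands in the git history.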
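Review bot: the @@ -123,6 +123,7 @@ hunk adds a named-peer twin for the signal rule but leaves the unix rule on the line above it, `unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),`, matching the old path label only. Once the first hunk declares the profile as `profile libvirtd ...`, that label no longer matches the parent, so the helper's socket to libvirtd would be denied while its signal rule keeps working. Add `unix (send, receive) type=stream addr=none peer=(label=libvirtd),` alongside it, using the same keep-both pattern this hunk applies to signal.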
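A check a maintainer could run over a set of profiles to catch the breakage both patches address: peer= rules that still name a profile by its attachment path after that profile has become a named profile. This is an added example, not libvirt or AppArmor code; the sample profiles are constructed to mirror the hunks above, and the parser only handles the simple header and peer= forms seen in them.

```python
import re

# Constructed sample profiles modelled on the hunks above (not real files): dnsmasq is named, libvirtd is not.
SAMPLE_PROFILES = {
    "usr.sbin.dnsmasq": (
        "profile dnsmasq /usr/sbin/dnsmasq {\n"
        "  signal (receive) peer=/usr/sbin/libvirtd,\n"
        "}\n"),
    "usr.sbin.libvirtd": (
        "/usr/sbin/libvirtd flags=(attach_disconnected) {\n"
        "  ptrace (read,trace) peer=/usr/sbin/dnsmasq,\n"
        "  ptrace (read,trace) peer=dnsmasq,\n"
        "  signal (send) peer=/usr/sbin/dnsmasq,\n"
        "  unix (send, receive) type=stream peer=(label=/usr/sbin/dnsmasq),\n"
        "}\n"),
}

# Top-level profile header: optional "profile NAME", then the attachment path, then "{".
HEADER_RE = re.compile(r"^(?:profile\s+(?P<name>\S+)\s+)?(?P<path>/\S+)[^{\n]*\{", re.M)
# peer=/path or peer=(label=/path); only path-style peers can go stale after a rename.
PEER_RE = re.compile(r"peer=(?:\(label=)?(?P<path>/[^,)\s]+)")

def named_profile_paths(profiles):
    """Map attachment path -> profile name for every named top-level profile."""
    renamed = {}
    for text in profiles.values():
        for m in HEADER_RE.finditer(text):
            if m.group("name"):
                renamed[m.group("path")] = m.group("name")
    return renamed

def stale_peer_rules(profiles):
    """Return (file, line_no, stale_path, new_name, covered) for each peer= rule that still uses
    the path of a now-named profile; covered is True if the same rule also exists with the name."""
    renamed = named_profile_paths(profiles)
    findings = []
    for fname, text in profiles.items():
        lines = text.splitlines()
        present = {line.strip() for line in lines}
        for no, line in enumerate(lines, 1):
            for m in PEER_RE.finditer(line):
                path = m.group("path")
                if path in renamed:
                    fixed = (line[:m.start("path")] + renamed[path] + line[m.end("path"):]).strip()
                    findings.append((fname, no, path, renamed[path], fixed in present))
    return findings

if __name__ == "__main__":
    for fname, no, old, new, covered in stale_peer_rules(SAMPLE_PROFILES):
        print(f"{fname}:{no}: peer={old} is now profile '{new}': {'named rule present' if covered else 'MISSING named rule'}")
```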