From nobody Mon Feb  9 02:42:59 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 63.128.21.124 as permitted sender) client-ip=63.128.21.124;
 envelope-from=libvir-list-bounces@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
	spf=pass (zohomail.com: domain of redhat.com designates 63.128.21.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=fail(p=none dis=none)  header.from=canonical.com
ARC-Seal: i=1; a=rsa-sha256; t=1598431297; cv=none;
	d=zohomail.com; s=zohoarc;
	b=JdXrq/ZmO+paDcXc3TzN5vbsDXYB8S8+99+PEADgkioFP1vYFItmxJ9zQlDNXVQpGDF9+zKLaSJyfcru7FFhY+sTc7/uAItlex+M6jXgMm+sNtsaw3ass/z9mc1urBfKMR2MkYx03pjEBT2RxhtTf8s4cmP/nmiGJA0Uw9O1nKw=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1598431297;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To;
	bh=MWK/ymKlpnfWA0uZ4LWU4fMSvT3FAsvfx8KScwubk9c=;
	b=oGFI+v2XQf0eknMX/fVHZDCXCJYFROGNrhaXTo4uvnMBMn1ghBlFuxarPMAGF3/BGcR3E3wa0ekOoC0wedfxfU1A0T9DGvPsHIQ5YiQ84CEAzU2ZaIE08sUBzTHaJ2cCFQq6basdsKCUXTQcawKsxob6Ui/IfRMx4WRRjyVaMys=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	spf=pass (zohomail.com: domain of redhat.com designates 63.128.21.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=fail header.from=<christian.ehrhardt@canonical.com> (p=none dis=none)
 header.from=<christian.ehrhardt@canonical.com>
Return-Path: <libvir-list-bounces@redhat.com>
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [63.128.21.124]) by mx.zohomail.com
	with SMTPS id 1598431297874749.6974391411942;
 Wed, 26 Aug 2020 01:41:37 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-556-OaDMtdVPN7KY7Ppl7DQPhQ-1; Wed, 26 Aug 2020 04:41:34 -0400
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com
 [10.5.11.23])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id D83AF10059A8;
	Wed, 26 Aug 2020 08:41:28 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 411F719C58;
	Wed, 26 Aug 2020 08:41:27 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 34442668E7;
	Wed, 26 Aug 2020 08:41:26 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com
	[10.11.54.4])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id 07Q8fOc5024693 for <libvir-list@listman.util.phx.redhat.com>;
	Wed, 26 Aug 2020 04:41:24 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id C1F6C20227B1; Wed, 26 Aug 2020 08:41:23 +0000 (UTC)
Received: from mimecast-mx02.redhat.com
	(mimecast05.extmail.prod.ext.rdu2.redhat.com [10.11.55.21])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 6088D20227B0
	for <libvir-list@redhat.com>; Wed, 26 Aug 2020 08:41:20 +0000 (UTC)
Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com
	[205.139.110.120])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 829F5800BED
	for <libvir-list@redhat.com>; Wed, 26 Aug 2020 08:41:20 +0000 (UTC)
Received: from youngberry.canonical.com (youngberry.canonical.com
	[91.189.89.112]) (Using TLS) by relay.mimecast.com with ESMTP id
	us-mta-4-nwPTv_dNOi6kWLlqMqfQ3w-1; Wed, 26 Aug 2020 04:41:18 -0400
Received: from 2.general.paelzer.uk.vpn ([10.172.196.173]
	helo=Keschdeichel.fritz.box) by youngberry.canonical.com with esmtpsa
	(TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
	(envelope-from <christian.ehrhardt@canonical.com>)
	id 1kAqzc-00035h-QI; Wed, 26 Aug 2020 08:41:16 +0000
X-MC-Unique: OaDMtdVPN7KY7Ppl7DQPhQ-1
X-MC-Unique: nwPTv_dNOi6kWLlqMqfQ3w-1
From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
To: libvir-list@redhat.com, Jamie Strandboge <jamie@ubuntu.com>,
	Kevin Locke <kevin@kevinlocke.name>
Subject: [RFC] apparmor: add subprofile for virtiofsd
Date: Wed, 26 Aug 2020 10:41:15 +0200
Message-Id: <20200826084115.4060767-1-christian.ehrhardt@canonical.com>
MIME-Version: 1.0
X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection
	Definition; Similar Internal Domain=false;
	Similar Monitored External Domain=false;
	Custom External Domain=false; Mimecast External Domain=false;
	Newly Observed Domain=false; Internal User Name=false;
	Custom Display Name List=false; Reply-to Address Mismatch=false;
	Targeted Threat Dictionary=false;
	Mimecast Threat Dictionary=false; Custom Threat Dictionary=false;
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-loop: libvir-list@redhat.com
Cc: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>,
	Andrea Bolognani <abologna@redhat.com>,
	Christian Ehrhardt <christian.ehrhardt@canonical.com>
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0.001
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

This is a continuation of
https://www.redhat.com/archives/libvir-list/2020-August/msg00804.html
https://www.redhat.com/archives/libvir-list/2020-August/msg00922.html

It still has too many weak points left, but should be great as an RFC
already. virtiofsd works for me using that profile, but we need to:
- agree on common paths to expect for virtiofsd
- get the post pivot_root rules under control

---

virtiofsd runs as root and is reachable from the guest, to limit
the exploit potential this adds a apparmor subprofile to virtiofsd
as spawned by libvirt to limit it.

Known TODOs:
- rules after pivot_root need not to allow everything
- settle on common paths with the community

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 src/security/apparmor/libvirt-qemu         |  3 ++
 src/security/apparmor/usr.sbin.libvirtd.in | 46 ++++++++++++++++++++++
 2 files changed, 49 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/lib=
virt-qemu
index a03e9e2c94..668fc72f27 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -221,6 +221,9 @@
   unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirtd),
   unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3D/usr/sbin=
/libvirtd),
=20
+  # allow to connect to virtiofsd
+  unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirtd/=
/virtiofsd),
+
   # for gathering information about available host resources
   /sys/devices/system/cpu/ r,
   /sys/devices/system/node/ r,
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/appa=
rmor/usr.sbin.libvirtd.in
index 4518e8f865..f878398b4b 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -133,4 +133,50 @@ profile libvirtd @sbindir@/libvirtd flags=3D(attach_di=
sconnected) {
=20
    /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
   }
+
+  # child profile for virtiofsd helper process
+  /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd Cx -> virtiofsd,
+  profile virtiofsd flags=3D(attach_disconnected) {
+   #include <abstractions/base>
+   #include <abstractions/libvirt-qemu>
+
+   capability sys_admin,
+   capability sys_resource,
+
+   # init phase
+   / r,
+   mount options=3D(rw, rslave)  -> /,
+   umount /,
+   mount options=3D(rw, nosuid, nodev, noexec, relatime)  -> @{PROC},
+   owner /proc/sys/fs/file-max r,
+
+   # For communication/control from libvirtd
+   unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirtd=
),
+   signal (receive) set=3D("term") peer=3D/usr/sbin/libvirtd,
+   signal (receive) set=3D("term") peer=3Dlibvirtd,
+   owner /var/lib/libvirt/qemu/domain-*/fs[0-9]{[0-9],}-fs.pid w,
+   /var/lib/libvirt/qemu/domain-*/fs[0-9]{[0-9],}-fs.sock rw,
+   /var/lib/libvirt/qemu/ram/*/ram-node[0-9]{[0-9],} rw,
+
+   # For communication with confined and unconfined guests
+   unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirt-=
[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
+   unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfin=
ed),
+
+   /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd rmix,
+
+   # Common host paths to share from are allowed by default
+   # Further paths should be added as local override
+   # TODO - community to settle on a list of common paths to allow
+   owner /var/lib/libvirt/virtiofsd/*/ r,
+   mount options=3D(rw, bind)  -> /var/lib/libvirt/virtiofsd/*/,
+   pivot_root /var/lib/libvirt/virtiofsd/*/,
+
+   # TODO - after pivot_root the rules for the actual file access by the g=
uest
+   # through virtiofsd would need to start with / which is too open
+   /** rw,
+
+   # Site-specific additions and overrides. See local/README for details.
+   #include <local/usr.lib.qemu.virtiofsd>
+  }
+
 }
--=20
2.28.0