From: Jim Fehlig
To: libvir-list@redhat.com
Subject: [PATCH] apparmor: Add denied capabilities
Date: Mon, 7 Jun 2021 16:34:01 -0600
Message-ID: <20210607223401.18869-1-jfehlig@suse.com>
Cc: christian.ehrhardt@canonical.com

The audit log contains the following denials from libvirtd:

apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="daemon-init" capability=17 capname="sys_rawio"
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=39 capname="bpf"
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=38 capname="perfmon"

Squelch the denials and allow the capabilities in the libvirtd apparmor
profile.

Signed-off-by: Jim Fehlig
Reviewed-by: Michal Privoznik
Reviewed-by: Neal Gompa
---
I'm not really sure when these denials first started appearing, nor have I
noticed any problems they are causing. Likely I have not exercised the
affected functionality.

 src/security/apparmor/usr.sbin.libvirtd.in | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index bf4563e1e8..928782b709 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -25,6 +25,9 @@ profile libvirtd @sbindir@/libvirtd flags=3D(attach_disco= nnected) { capability fsetid, capability audit_write, capability ipc_lock, + capability sys_rawio, + capability bpf, + capability perfmon, =20 # Needed for vfio capability sys_resource, --=20 2.31.1
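Review bot: the description says the trigger for these denials is unknown and no breakage was observed, yet the hunk grants three capabilities (sys_rawio in particular is a broad one) to the whole libvirtd profile without recording what needs them. The neighbouring `capability sys_resource,` carries a `# Needed for vfio` comment; the three new lines should get the same treatment, at least noting that the audit entries show sys_rawio requested from comm="daemon-init" and bpf/perfmon from comm="rpc-worker". If the aim is only to squelch the audit noise, `deny capability sys_rawio,` (and likewise for bpf and perfmon) silences the entries without widening the profile, which is the safer choice until the code path that needs each capability is identified.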
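As an added example (not part of the patch or of libvirt), a small parser that picks the `operation="capable"` denials out of audit output in the format quoted in the description, summarizes them per profile and capability name, and emits either the `capability` lines the profile would need or `deny capability` lines that silence the entries without granting anything. The sample input reuses the three entries from the description plus one constructed non-capability entry; the helper names and the `/etc/hypothetical` path are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the three audit entries quoted in the patch description,
# plus one made-up "open" denial to show that non-"capable" entries are skipped.
SAMPLE_AUDIT = """\
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="daemon-init" capability=17 capname="sys_rawio"
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=39 capname="bpf"
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=38 capname="perfmon"
apparmor="DENIED" operation="open" profile="libvirtd" pid=6012 comm="rpc-worker" name="/etc/hypothetical" requested_mask="r"
"""

# key="quoted value" or key=bareword, as the AppArmor audit backend writes them
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of one audit line as a dict (quotes stripped)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}


def capable_denials(text):
    """Yield only DENIED entries whose operation is "capable" (capability checks)."""
    for line in text.splitlines():
        ev = parse_audit_line(line)
        if ev.get("apparmor") == "DENIED" and ev.get("operation") == "capable":
            yield ev


def summarize(text):
    """Map (profile, capname) -> sorted list of comm values that hit the denial."""
    seen = defaultdict(set)
    for ev in capable_denials(text):
        seen[(ev["profile"], ev["capname"])].add(ev["comm"])
    return {key: sorted(comms) for key, comms in seen.items()}


def proposed_rules(text, profile, deny=False):
    """Profile lines for each denied capability of `profile`, in name order.

    deny=False gives 'capability X,' (grant it, as the patch does);
    deny=True gives 'deny capability X,' (quiet the audit entry, grant nothing).
    """
    caps = sorted({ev["capname"] for ev in capable_denials(text)
                   if ev["profile"] == profile})
    prefix = "  deny capability " if deny else "  capability "
    return [f"{prefix}{cap}," for cap in caps]
```

Running `summarize(SAMPLE_AUDIT)` shows which thread (comm) asked for which capability, which is the information a comment next to each added `capability` line should carry.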