From: Jim Fehlig
To: libvir-list@redhat.com
Subject: [PATCH 1/3] Apparmor: Add profile for virtqemud
Date: Tue, 15 Jun 2021 21:41:02 -0600
Message-ID: <20210616034104.2490-2-jfehlig@suse.com>
In-Reply-To: <20210616034104.2490-1-jfehlig@suse.com>
References: <20210616034104.2490-1-jfehlig@suse.com>
Cc: apparmor@cboltz.de, christian.ehrhardt@canonical.com

A new apparmor profile derived from the libvirtd profile, with non-QEMU related rules removed. Adopt the libvirt-qemu abstraction to work with the new profile.
Signed-off-by: Jim Fehlig --- src/security/apparmor/libvirt-qemu | 6 + src/security/apparmor/meson.build | 1 + src/security/apparmor/usr.sbin.virtqemud.in | 135 ++++++++++++++++++++ 3 files changed, 142 insertions(+) diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/lib= virt-qemu index 85c9e61d6c..990bb0b2ba 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -16,9 +16,13 @@ =20 ptrace (readby, tracedby) peer=3Dlibvirtd, ptrace (readby, tracedby) peer=3D/usr/sbin/libvirtd, + ptrace (readby, tracedby) peer=3Dvirtqemud, + ptrace (readby, tracedby) peer=3D/usr/sbin/virtqemud, =20 signal (receive) peer=3Dlibvirtd, signal (receive) peer=3D/usr/sbin/libvirtd, + signal (receive) peer=3Dvirtqemud, + signal (receive) peer=3D/usr/sbin/virtqemud, =20 /dev/kvm rw, /dev/net/tun rw, @@ -221,6 +225,8 @@ # allow connect with openGraphicsFD to work unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirtd), unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3D/usr/sbin= /libvirtd), + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dvirtqemud= ), + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3D/usr/sbin= /virtqemud), =20 # for gathering information about available host resources /sys/devices/system/cpu/ r, diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meso= n.build index af43780211..56f308bf3a 100644 --- a/src/security/apparmor/meson.build +++ b/src/security/apparmor/meson.build @@ -1,6 +1,7 @@ apparmor_gen_profiles =3D [ 'usr.lib.libvirt.virt-aa-helper', 'usr.sbin.libvirtd', + 'usr.sbin.virtqemud', ] =20 apparmor_gen_profiles_conf =3D configuration_data() diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/app= armor/usr.sbin.virtqemud.in new file mode 100644 index 0000000000..b986241c74 --- /dev/null +++ b/src/security/apparmor/usr.sbin.virtqemud.in 
@@ -0,0 +1,135 @@ +#include +@{LIBVIRT}=3D"libvirt" + +profile virtqemud @sbindir@/virtqemud flags=3D(attach_disconnected) { + #include + #include + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_pacct, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability audit_write, + capability ipc_lock, + capability sys_rawio, + capability bpf, + capability perfmon, + + # Needed for vfio + capability sys_resource, + + mount options=3D(rw,rslave) -> /, + mount options=3D(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/, + umount /{var/,}run/libvirt/qemu/*.dev/, + + # libvirt provides any mounts under /dev to qemu namespaces + mount options=3D(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/, + mount options=3D(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/}, + mount options=3D(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/, + mount options=3D(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d addr=3Dnone), + + ptrace (read,trace) peer=3Dunconfined, + ptrace (read,trace) peer=3D@{profile_name}, + ptrace (read,trace) peer=3Ddnsmasq, + ptrace (read,trace) peer=3D/usr/sbin/dnsmasq, + ptrace (read,trace) peer=3Dlibvirt-*, + + signal (send) peer=3Ddnsmasq, + signal (send) peer=3D/usr/sbin/dnsmasq, + signal (read, send) peer=3Dlibvirt-*, + signal (send) set=3D("kill", "term") peer=3Dunconfined, + + # For communication/control to qemu-bridge-helper + unix (send, receive) type=3Dstream addr=3Dnone 
peer=3D(label=3Dlibvirtd/= /qemu_bridge_helper), + signal (send) set=3D("term") peer=3Dlibvirtd//qemu_bridge_helper, + + # allow connect with openGraphicsFD, direction reversed in newer versions + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirt-[= 0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*), + # unconfined also required if guests run without security module + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d), + + # required if guests run unconfined seclabel type=3D'none' but libvirtd = is confined + signal (read, send) peer=3Dunconfined, + + # Very lenient profile for libvirtd since we want to first focus on conf= ining + # the guests. Guests will have a very restricted profile. + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # read and run an ebtables script. 
+ /var/lib/libvirt/virtd* ixr, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + + # allow changing to our UUID-based named profiles + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-= 9a-f]*, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_h= elper, + # child profile for bridge helper process + profile qemu_bridge_helper { + #include + + capability setuid, + capability setgid, + capability setpcap, + capability net_admin, + + network inet stream, + + # For communication/control from libvirtd + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirtd= ), + signal (receive) set=3D("term") peer=3D/usr/sbin/libvirtd, + signal (receive) set=3D("term") peer=3Dlibvirtd, + + /dev/net/tun rw, + /etc/qemu/** r, + owner @{PROC}/*/status r, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, + } +} --=20 2.31.1
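Review bot: in the new usr.sbin.virtqemud.in hunk, the qemu-bridge-helper peer rules still name libvirtd, but the child profile is now declared inside `profile virtqemud`, so its label is virtqemud//qemu_bridge_helper and its parent is virtqemud; as written, neither side of the pairing matches. The parent-side rules `unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper),` and `signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,` should reference virtqemud//qemu_bridge_helper, and inside the child profile `peer=(label=libvirtd)` and the two `signal (receive) set=("term")` rules should name virtqemud and /usr/sbin/virtqemud rather than libvirtd, otherwise the exemptions these rules exist to grant never apply to the new daemon. Smaller points in the same hunk: the comments "Very lenient profile for libvirtd since we want to first focus on confining the guests", "required if guests run unconfined seclabel type='none' but libvirtd is confined" and "For communication/control from libvirtd" were copied unchanged and should say virtqemud; and since the commit message says non-QEMU rules were removed, the dnsmasq `ptrace (read,trace)` and `signal (send)` rules and the `/var/lib/libvirt/virtd* ixr` rule (commented as needed for the nwfilter ebtables script) look like leftovers from the network and nwfilter drivers, which run in virtnetworkd and virtnwfilterd when the modular daemons are in use; either drop them or say in the commit message why virtqemud still needs them.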
From: Jim Fehlig
To: libvir-list@redhat.com
Subject: [PATCH 2/3] Apparmor: Add profile for virtlxcd
Date: Tue, 15 Jun 2021 21:41:03 -0600
Message-ID: <20210616034104.2490-3-jfehlig@suse.com>
In-Reply-To: <20210616034104.2490-1-jfehlig@suse.com>
References: <20210616034104.2490-1-jfehlig@suse.com>
Cc: apparmor@cboltz.de, christian.ehrhardt@canonical.com

A new apparmor profile derived from the libvirtd profile, with non-LXC related rules removed. Adopt the libvirt-lxc abstraction to work with the new profile.

Signed-off-by: Jim Fehlig --- src/security/apparmor/libvirt-lxc | 4 +- src/security/apparmor/meson.build | 1 + src/security/apparmor/usr.sbin.virtlxcd.in | 89 ++++++++++++++++++++++ 3 files changed, 93 insertions(+), 1 deletion(-) diff --git a/src/security/apparmor/libvirt-lxc b/src/security/apparmor/libv= irt-lxc index 0c8b812743..331f43fbbc 100644 --- a/src/security/apparmor/libvirt-lxc +++ b/src/security/apparmor/libvirt-lxc
@@ -1,8 +1,10 @@ #include =20 - # Allow receiving signals from libvirtd + # Allow receiving signals from libvirtd and virtlxcd signal (receive) peer=3Dlibvirtd, signal (receive) peer=3D/usr/sbin/libvirtd, + signal (receive) peer=3Dvirtlxcd, + signal (receive) peer=3D/usr/sbin/virtlxcd, =20 umount, =20 diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meso= n.build index 56f308bf3a..64db8fdde6 100644 --- a/src/security/apparmor/meson.build +++ b/src/security/apparmor/meson.build @@ -1,6 +1,7 @@ apparmor_gen_profiles =3D [ 'usr.lib.libvirt.virt-aa-helper', 'usr.sbin.libvirtd', + 'usr.sbin.virtlxcd', 'usr.sbin.virtqemud', ] =20 diff --git a/src/security/apparmor/usr.sbin.virtlxcd.in b/src/security/appa= rmor/usr.sbin.virtlxcd.in new file mode 100644 index 0000000000..73a87ca37a --- /dev/null +++ b/src/security/apparmor/usr.sbin.virtlxcd.in 
@@ -0,0 +1,89 @@ +#include +@{LIBVIRT}=3D"libvirt" + +profile virtlxcd @sbindir@/virtlxcd flags=3D(attach_disconnected) { + #include + #include + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_pacct, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability audit_write, + capability ipc_lock, + capability sys_rawio, + capability bpf, + capability perfmon, + + mount options=3D(rw,rslave) -> /, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + ptrace (read,trace) peer=3Dunconfined, + ptrace (read,trace) peer=3D@{profile_name}, + ptrace (read,trace) peer=3Ddnsmasq, + ptrace (read,trace) peer=3D/usr/sbin/dnsmasq, + ptrace (read,trace) peer=3Dlibvirt-*, + + signal (send) peer=3Ddnsmasq, + signal (send) peer=3D/usr/sbin/dnsmasq, + signal (read, send) peer=3Dlibvirt-*, + signal (send) set=3D("kill", "term") peer=3Dunconfined, + + # unconfined also required if guests run without security module + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d), + + # required if guests run unconfined seclabel type=3D'none' but libvirtd = is confined + signal (read, send) peer=3Dunconfined, + + # Very lenient profile for libvirtd since we want to first focus on conf= ining + # the guests. Guests will have a very restricted profile. + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # read and run an ebtables script. 
+ /var/lib/libvirt/virtd* ixr, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + + # allow changing to our UUID-based named profiles + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-= 9a-f]*, +} --=20 2.31.1
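Review bot: in the new usr.sbin.virtlxcd.in hunk, several comments and rules were carried over from the libvirtd profile without being adapted to an LXC-only daemon. The comments "Very lenient profile for libvirtd since we want to first focus on confining the guests" and "required if guests run unconfined seclabel type='none' but libvirtd is confined" should name virtlxcd. More substantively, the dnsmasq `ptrace (read,trace)` and `signal (send)` rules and the `/var/lib/libvirt/virtd* ixr` rule (commented as "Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile()") belong to the network and nwfilter drivers, which run in virtnetworkd and virtnwfilterd alongside a modular virtlxcd, so they sit oddly with the commit message's "non-LXC related rules removed"; either drop them or explain in the commit message why virtlxcd still needs them.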
From: Jim Fehlig
To: libvir-list@redhat.com
Cc: apparmor@cboltz.de, christian.ehrhardt@canonical.com
Subject: [PATCH 3/3] Apparmor: Add profile for virtxend
Date: Tue, 15 Jun 2021 21:41:04 -0600
Message-ID: <20210616034104.2490-4-jfehlig@suse.com>
In-Reply-To: <20210616034104.2490-1-jfehlig@suse.com>
References: <20210616034104.2490-1-jfehlig@suse.com>

A new apparmor profile derived from the libvirtd profile, with non-Xen-related rules removed.

Signed-off-by: Jim Fehlig

--- src/security/apparmor/meson.build | 1 + src/security/apparmor/usr.sbin.virtxend.in | 78 ++++++++++++++++++++++ 2 files changed, 79 insertions(+) diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meso= n.build index 64db8fdde6..aca0c46881 100644 --- a/src/security/apparmor/meson.build +++ b/src/security/apparmor/meson.build @@ -3,6 +3,7 @@ apparmor_gen_profiles =3D [ 'usr.sbin.libvirtd', 'usr.sbin.virtlxcd', 'usr.sbin.virtqemud', + 'usr.sbin.virtxend', ] =20 apparmor_gen_profiles_conf =3D configuration_data() diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/appa= rmor/usr.sbin.virtxend.in new file mode 100644 index 0000000000..9472d99afb --- /dev/null
+++ b/src/security/apparmor/usr.sbin.virtxend.in 
@@ -0,0 +1,78 @@ +#include + +profile virtxend @sbindir@/virtxend flags=3D(attach_disconnected) { + #include + #include + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_pacct, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability audit_write, + capability ipc_lock, + capability sys_rawio, + capability bpf, + capability perfmon, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d addr=3Dnone), + + ptrace (read,trace) peer=3Dunconfined, + ptrace (read,trace) peer=3Ddnsmasq, + ptrace (read,trace) peer=3D/usr/sbin/dnsmasq, + + signal (send) peer=3Ddnsmasq, + signal (send) peer=3D/usr/sbin/dnsmasq, + signal (send) set=3D("kill", "term") peer=3Dunconfined, + + # Very lenient profile for libvirtd since we want to first focus on conf= ining + # the guests. Guests will have a very restricted profile. 
+ / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64}/xen/bin/* Ux, + /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx, + /usr/{lib,libexec}/xen-*/bin/pygrub PUx, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + /etc/xen/scripts/** rmix, +} --=20 2.31.1
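Review bot: the dnsmasq rules in the new usr.sbin.virtxend.in profile (`ptrace (read,trace) peer=dnsmasq`, `ptrace (read,trace) peer=/usr/sbin/dnsmasq` and the two `signal (send) peer=dnsmasq` lines) read as leftovers from the libvirtd profile rather than Xen-driver needs: dnsmasq is spawned by the network driver, which runs as its own daemon in the modular split, so virtxend should not have to trace or signal it; either drop the four lines or state in the commit message why they stay, given that it says non-Xen rules were removed. Two smaller points in the same hunk: the comment "Very lenient profile for libvirtd since we want to first focus on confining the guests" still names libvirtd and should refer to virtxend, and `/usr/{lib,lib64}/xen/bin/* Ux` executes those helpers unconfined without first trying a matching profile, unlike the neighbouring `PUx` rules for xen-toolstack, libxl-save-helper and pygrub; `PUx` still falls back to unconfined when no profile exists, so aligning the rule costs nothing now and picks up a profile if one is added later.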