From: Jim Fehlig
To: libvir-list@redhat.com
Subject: [PATCH 1/3] Apparmor: Add profile for virtqemud
Date: Tue, 15 Jun 2021 21:41:02 -0600
Message-ID: <20210616034104.2490-2-jfehlig@suse.com>
In-Reply-To: <20210616034104.2490-1-jfehlig@suse.com>
References: <20210616034104.2490-1-jfehlig@suse.com>
Cc: apparmor@cboltz.de, christian.ehrhardt@canonical.com

A new apparmor profile derived from the libvirtd profile, with non-QEMU related rules removed. Adopt the libvirt-qemu abstraction to work with the new profile.

Signed-off-by: Jim Fehlig
---
 src/security/apparmor/libvirt-qemu          |   6 +
 src/security/apparmor/meson.build           |   1 +
 src/security/apparmor/usr.sbin.virtqemud.in | 135 ++++++++++++++++++++
 3 files changed, 142 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/lib= virt-qemu index 85c9e61d6c..990bb0b2ba 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu
@@ -16,9 +16,13 @@ =20 ptrace (readby, tracedby) peer=3Dlibvirtd, ptrace (readby, tracedby) peer=3D/usr/sbin/libvirtd, + ptrace (readby, tracedby) peer=3Dvirtqemud, + ptrace (readby, tracedby) peer=3D/usr/sbin/virtqemud, =20 signal (receive) peer=3Dlibvirtd, signal (receive) peer=3D/usr/sbin/libvirtd, + signal (receive) peer=3Dvirtqemud, + signal (receive) peer=3D/usr/sbin/virtqemud, =20 /dev/kvm rw, /dev/net/tun rw, @@ -221,6 +225,8 @@ # allow connect with openGraphicsFD to work unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirtd), unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3D/usr/sbin= /libvirtd), + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dvirtqemud= ), + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3D/usr/sbin= /virtqemud), =20 # for gathering information about available host resources /sys/devices/system/cpu/ r, diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meso= n.build index af43780211..56f308bf3a 100644 --- a/src/security/apparmor/meson.build +++ b/src/security/apparmor/meson.build @@ -1,6 +1,7 @@ apparmor_gen_profiles =3D [ 'usr.lib.libvirt.virt-aa-helper', 'usr.sbin.libvirtd', + 'usr.sbin.virtqemud', ] =20 apparmor_gen_profiles_conf =3D configuration_data() diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/app= armor/usr.sbin.virtqemud.in new file mode 100644 index 0000000000..b986241c74 --- /dev/null +++ b/src/security/apparmor/usr.sbin.virtqemud.in 
@@ -0,0 +1,135 @@ +#include +@{LIBVIRT}=3D"libvirt" + +profile virtqemud @sbindir@/virtqemud flags=3D(attach_disconnected) { + #include + #include + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_pacct, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability audit_write, + capability ipc_lock, + capability sys_rawio, + capability bpf, + capability perfmon, + + # Needed for vfio + capability sys_resource, + + mount options=3D(rw,rslave) -> /, + mount options=3D(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/, + umount /{var/,}run/libvirt/qemu/*.dev/, + + # libvirt provides any mounts under /dev to qemu namespaces + mount options=3D(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/, + mount options=3D(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/}, + mount options=3D(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/, + mount options=3D(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d addr=3Dnone), + + ptrace (read,trace) peer=3Dunconfined, + ptrace (read,trace) peer=3D@{profile_name}, + ptrace (read,trace) peer=3Ddnsmasq, + ptrace (read,trace) peer=3D/usr/sbin/dnsmasq, + ptrace (read,trace) peer=3Dlibvirt-*, + + signal (send) peer=3Ddnsmasq, + signal (send) peer=3D/usr/sbin/dnsmasq, + signal (read, send) peer=3Dlibvirt-*, + signal (send) set=3D("kill", "term") peer=3Dunconfined, + + # For communication/control to qemu-bridge-helper + unix (send, receive) type=3Dstream addr=3Dnone 
peer=3D(label=3Dlibvirtd/= /qemu_bridge_helper), + signal (send) set=3D("term") peer=3Dlibvirtd//qemu_bridge_helper, + + # allow connect with openGraphicsFD, direction reversed in newer versions + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirt-[= 0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*), + # unconfined also required if guests run without security module + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d), + + # required if guests run unconfined seclabel type=3D'none' but libvirtd = is confined + signal (read, send) peer=3Dunconfined, + + # Very lenient profile for libvirtd since we want to first focus on conf= ining + # the guests. Guests will have a very restricted profile. + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # read and run an ebtables script. 
+ /var/lib/libvirt/virtd* ixr, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + + # allow changing to our UUID-based named profiles + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-= 9a-f]*, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_h= elper, + # child profile for bridge helper process + profile qemu_bridge_helper { + #include + + capability setuid, + capability setgid, + capability setpcap, + capability net_admin, + + network inet stream, + + # For communication/control from libvirtd + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirtd= ), + signal (receive) set=3D("term") peer=3D/usr/sbin/libvirtd, + signal (receive) set=3D("term") peer=3Dlibvirtd, + + /dev/net/tun rw, + /etc/qemu/** r, + owner @{PROC}/*/status r, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, + } +} --=20 2.31.1
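Review bot: in the libvirt-qemu hunk at @@ -16,9 +16,13 @@, the new path-based peers hard-code `/usr/sbin/virtqemud` while the profile being added is attached at `@sbindir@/virtqemud`; this mirrors the existing `/usr/sbin/libvirtd` lines and the abstraction is not a generated `.in` file, so it cannot use `@sbindir@`, but it is worth a comment that the name-based `peer=virtqemud` lines are what carry a non-default sbindir, since the profile declares the explicit name `virtqemud`. Same remark applies to the `peer=(label=/usr/sbin/virtqemud)` unix rule in the @@ -221 hunk.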
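Review bot: in usr.sbin.virtqemud.in the `qemu_bridge_helper` child profile is declared inside `profile virtqemud`, so its label is `virtqemud//qemu_bridge_helper`, yet the parent still uses `peer=(label=libvirtd//qemu_bridge_helper)` for the unix rule and `signal (send) set=("term") peer=libvirtd//qemu_bridge_helper`, and the child's receive rules still name `peer=(label=libvirtd)`, `peer=/usr/sbin/libvirtd` and `peer=libvirtd`; these were copied from the libvirtd profile and will not match when virtqemud is the parent, so the helper control socket and the SIGTERM would have no matching rule. Suggest `peer=(label=virtqemud//qemu_bridge_helper)` and `peer=virtqemud//qemu_bridge_helper` in the parent, and `peer=(label=virtqemud)` plus `peer=@sbindir@/virtqemud` / `peer=virtqemud` in the child (this file is a `.in` template, so `@sbindir@` is available there), with the "For communication/control from libvirtd" comment updated to match. Two smaller points in the same hunk: the comments "Very lenient profile for libvirtd since ..." and "... but libvirtd is confined" should name virtqemud, and since the commit message says non-QEMU rules were removed, the `ptrace`/`signal` rules for `dnsmasq` and `/usr/sbin/dnsmasq` and the `/var/lib/libvirt/virtd* ixr` rule, whose own comment attributes it to nwfilter_ebiptables_driver.c, look like network and nwfilter driver leftovers that should either be dropped or justified for the QEMU daemon.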