From: Jim Fehlig
To: libvir-list@redhat.com
Subject: [PATCH 2/3] Apparmor: Add profile for virtlxcd
Date: Tue, 15 Jun 2021 21:41:03 -0600
Message-ID: <20210616034104.2490-3-jfehlig@suse.com>
In-Reply-To: <20210616034104.2490-1-jfehlig@suse.com>
References: <20210616034104.2490-1-jfehlig@suse.com>
Cc: apparmor@cboltz.de, christian.ehrhardt@canonical.com
List-Id: Development discussions about the libvirt library & tools
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

A new apparmor profile derived from the libvirtd profile, with non-LXC
related rules removed. Adopt the libvirt-lxc abstraction to work with the
new profile.

Signed-off-by: Jim Fehlig
---
 src/security/apparmor/libvirt-lxc          |  4 +-
 src/security/apparmor/meson.build          |  1 +
 src/security/apparmor/usr.sbin.virtlxcd.in | 89 ++++++++++++++++++++++
 3 files changed, 93 insertions(+), 1 deletion(-)

diff --git a/src/security/apparmor/libvirt-lxc b/src/security/apparmor/libv= irt-lxc
index 0c8b812743..331f43fbbc 100644
--- a/src/security/apparmor/libvirt-lxc
+++ b/src/security/apparmor/libvirt-lxc
@@ -1,8 +1,10 @@ #include =20 - # Allow receiving signals from libvirtd + # Allow receiving signals from libvirtd and virtlxcd signal (receive) peer=3Dlibvirtd, signal (receive) peer=3D/usr/sbin/libvirtd, + signal (receive) peer=3Dvirtlxcd, + signal (receive) peer=3D/usr/sbin/virtlxcd, =20 umount, =20 diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meso= n.build index 56f308bf3a..64db8fdde6 100644 --- a/src/security/apparmor/meson.build +++ b/src/security/apparmor/meson.build @@ -1,6 +1,7 @@ apparmor_gen_profiles =3D [ 'usr.lib.libvirt.virt-aa-helper', 'usr.sbin.libvirtd', + 'usr.sbin.virtlxcd', 'usr.sbin.virtqemud', ] =20 diff --git a/src/security/apparmor/usr.sbin.virtlxcd.in b/src/security/appa= rmor/usr.sbin.virtlxcd.in new file mode 100644 index 0000000000..73a87ca37a --- /dev/null +++ b/src/security/apparmor/usr.sbin.virtlxcd.in 
@@ -0,0 +1,89 @@ +#include +@{LIBVIRT}=3D"libvirt" + +profile virtlxcd @sbindir@/virtlxcd flags=3D(attach_disconnected) { + #include + #include + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_pacct, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability audit_write, + capability ipc_lock, + capability sys_rawio, + capability bpf, + capability perfmon, + + mount options=3D(rw,rslave) -> /, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + ptrace (read,trace) peer=3Dunconfined, + ptrace (read,trace) peer=3D@{profile_name}, + ptrace (read,trace) peer=3Ddnsmasq, + ptrace (read,trace) peer=3D/usr/sbin/dnsmasq, + ptrace (read,trace) peer=3Dlibvirt-*, + + signal (send) peer=3Ddnsmasq, + signal (send) peer=3D/usr/sbin/dnsmasq, + signal (read, send) peer=3Dlibvirt-*, + signal (send) set=3D("kill", "term") peer=3Dunconfined, + + # unconfined also required if guests run without security module + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d), + + # required if guests run unconfined seclabel type=3D'none' but libvirtd = is confined + signal (read, send) peer=3Dunconfined, + + # Very lenient profile for libvirtd since we want to first focus on conf= ining + # the guests. Guests will have a very restricted profile. + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # read and run an ebtables script. 
+ /var/lib/libvirt/virtd* ixr, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + + # allow changing to our UUID-based named profiles + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-= 9a-f]*, +} --=20 2.31.1
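Review bot: in the new usr.sbin.virtlxcd.in hunk, the comments carried over from the libvirtd profile still name libvirtd ("Very lenient profile for libvirtd since we want to first focus on confining the guests" and "but libvirtd is confined") and should be reworded for virtlxcd. The commit message says non-LXC related rules were removed, but several rules that do not obviously belong to the LXC driver remain: the dnsmasq ptrace and signal rules, `@sbindir@/virtlogd pix`, the nwfilter_ebiptables_driver.c comment with `/var/lib/libvirt/virtd* ixr`, and `@libexecdir@/libvirt_parthelper ix`; either drop them or say in the commit message why virtlxcd needs them. It is also worth stating explicitly that `/** rwmkl` combined with capability sys_admin, sys_module, sys_rawio and dac_override leaves the daemon close to unconfined, so the `audit deny` rules on apparmor_parser, /etc/apparmor.d/libvirt/** and /sys/kernel/security/apparmor, plus the `change_profile` line, carry most of the real confinement value; in that light, capability bpf and perfmon deserve a one-line justification if the LXC driver actually uses them.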