From: Jim Fehlig
To: libvir-list@redhat.com
Cc: apparmor@cboltz.de, christian.ehrhardt@canonical.com
Subject: [PATCH 3/3] Apparmor: Add profile for virtxend
Date: Tue, 15 Jun 2021 21:41:04 -0600
Message-ID: <20210616034104.2490-4-jfehlig@suse.com>
In-Reply-To: <20210616034104.2490-1-jfehlig@suse.com>
References: <20210616034104.2490-1-jfehlig@suse.com>

A new apparmor profile derived from the libvirtd profile, with non-Xen related rules removed.

Signed-off-by: Jim Fehlig
---
 src/security/apparmor/meson.build          |  1 +
 src/security/apparmor/usr.sbin.virtxend.in | 78 ++++++++++++++++++++++
 2 files changed, 79 insertions(+)

diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meso= n.build index 64db8fdde6..aca0c46881 100644 --- a/src/security/apparmor/meson.build +++ b/src/security/apparmor/meson.build @@ -3,6 +3,7 @@ apparmor_gen_profiles =3D [ 'usr.sbin.libvirtd', 'usr.sbin.virtlxcd', 'usr.sbin.virtqemud', + 'usr.sbin.virtxend', ] =20 apparmor_gen_profiles_conf =3D configuration_data() diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/appa= rmor/usr.sbin.virtxend.in new file mode 100644 index 0000000000..9472d99afb --- /dev/null
+++ b/src/security/apparmor/usr.sbin.virtxend.in 
@@ -0,0 +1,78 @@ +#include + +profile virtxend @sbindir@/virtxend flags=3D(attach_disconnected) { + #include + #include + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_pacct, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability audit_write, + capability ipc_lock, + capability sys_rawio, + capability bpf, + capability perfmon, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d addr=3Dnone), + + ptrace (read,trace) peer=3Dunconfined, + ptrace (read,trace) peer=3Ddnsmasq, + ptrace (read,trace) peer=3D/usr/sbin/dnsmasq, + + signal (send) peer=3Ddnsmasq, + signal (send) peer=3D/usr/sbin/dnsmasq, + signal (send) set=3D("kill", "term") peer=3Dunconfined, + + # Very lenient profile for libvirtd since we want to first focus on conf= ining + # the guests. Guests will have a very restricted profile. 
+ / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64}/xen/bin/* Ux, + /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx, + /usr/{lib,libexec}/xen-*/bin/pygrub PUx, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + /etc/xen/scripts/** rmix, +} --=20 2.31.1
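Review bot: the comment above the file rules still reads "Very lenient profile for libvirtd since we want to first focus on confining the guests"; this is the virtxend profile, so name virtxend there (or drop the daemon name) so the new file does not read as an unedited copy of usr.sbin.libvirtd. In the same hunk, the commit message says non-Xen related rules were removed, yet the dnsmasq rules survive: "ptrace (read,trace) peer=dnsmasq", "ptrace (read,trace) peer=/usr/sbin/dnsmasq" and the two matching "signal (send) peer=..." lines. If virtxend never spawns dnsmasq, drop them along with the other libvirtd-only rules; if the Xen driver does need them, a one-line comment saying why would save the next reader the same question. Finally, "/ r" plus "/** rwmkl" grants the daemon read, write, mmap, mknod and link on the whole filesystem, which the comment acknowledges as deliberately lenient; worth restating that intent in the commit message so reviewers know the breadth is by design and not inherited by accident.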