[PATCH V2 0/4] Apparmor: Add profiles for hypervisor daemons

Jim Fehlig posted 4 patches 2 years, 10 months ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/20210622232747.21592-1-jfehlig@suse.com
There is a newer version of this series
[PATCH V2 0/4] Apparmor: Add profiles for hypervisor daemons
Posted by Jim Fehlig 2 years, 10 months ago
and other improvements. V2 of

https://listman.redhat.com/archives/libvir-list/2021-June/msg00456.html

Changes since V1:
Removed many unneeded capabilities. I used the 'audit' qualifier as suggested
by cboltz to verify which capabilities were actually used. It's a difficult
task though, as it is nearly impossible for one person to exercise a driver
in all the ways thousands of users will push it :-). I was able to whittle
the virtxend profile quite a bit since xen doesn't need a lot in the way of
host capabilities.

Removed patch containing the virtlxcd profile since I'm unable to start any
lxc domains with virtlxcd.

Added patches to squelch denial messages from the virt-aa-helper profile.

Jim Fehlig (4):
  Apparmor: Add profile for virtqemud
  Apparmor: Add profile for virtxend
  Apparmor: Allow reading libnl's classid file
  Apparmor: Allow reading /etc/ssl/openssl.cnf

 src/security/apparmor/libvirt-qemu            |   5 +
 src/security/apparmor/meson.build             |   2 +
 .../usr.lib.libvirt.virt-aa-helper.in         |   4 +-
 src/security/apparmor/usr.sbin.virtqemud.in   | 135 ++++++++++++++++++
 src/security/apparmor/usr.sbin.virtxend.in    |  53 +++++++
 5 files changed, 198 insertions(+), 1 deletion(-)
 create mode 100644 src/security/apparmor/usr.sbin.virtqemud.in
 create mode 100644 src/security/apparmor/usr.sbin.virtxend.in

-- 
2.31.1
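
The 'audit' qualifier workflow described in the cover letter above, as an added example that is not part of the original message or of libvirt: it compares the capabilities a profile grants with the ones the kernel actually logged. The profile fragment, the profile name and the audit records are constructed samples.

```python
import re

# Constructed profile fragment: each capability carries the 'audit' qualifier,
# so allowed uses are logged as well as denials.
PROFILE = """\
profile virtqemud /usr/sbin/virtqemud {
  audit capability net_admin sys_admin,
  audit capability dac_override,
  audit capability mknod,
}
"""

# Constructed audit records (AppArmor key="value" layout); not from the thread.
LOG = """\
type=AVC msg=audit(1624400001.101:210): apparmor="AUDIT" operation="capable" profile="virtqemud" pid=2301 comm="virtqemud" capability=12  capname="net_admin"
type=AVC msg=audit(1624400002.417:214): apparmor="AUDIT" operation="capable" profile="virtqemud" pid=2301 comm="rpc-virtqemud" capability=21  capname="sys_admin"
type=AVC msg=audit(1624400003.880:219): apparmor="DENIED" operation="capable" profile="virtqemud" pid=2301 comm="rpc-virtqemud" capability=19  capname="sys_ptrace"
type=AVC msg=audit(1624400004.002:221): apparmor="AUDIT" operation="capable" profile="virtxend" pid=2410 comm="virtxend" capability=27  capname="mknod"
type=AVC msg=audit(1624400005.310:230): apparmor="AUDIT" operation="open" profile="virtqemud" name="/etc/libvirt/qemu.conf" pid=2301 comm="virtqemud" requested_mask="r" fsuid=0 ouid=0
"""

CAP_RULE = re.compile(r"^\s*(?:audit\s+)?capability\s+([a-z_\s]+?)\s*,", re.M)
FIELD = re.compile(r'(\w+)="([^"]*)"')

def granted_capabilities(profile_text):
    """Capabilities the profile allows (one rule may list several names)."""
    caps = set()
    for names in CAP_RULE.findall(profile_text):
        caps.update(names.split())
    return caps

def observed_capabilities(log_text, profile):
    """Map verdict (AUDIT, DENIED, ...) to capability names logged for one profile."""
    seen = {}
    for line in log_text.splitlines():
        rec = dict(FIELD.findall(line))
        if rec.get("operation") == "capable" and rec.get("profile") == profile:
            seen.setdefault(rec["apparmor"], set()).add(rec["capname"])
    return seen

def review(profile_text, log_text, profile):
    granted = granted_capabilities(profile_text)
    seen = observed_capabilities(log_text, profile)
    used = seen.get("AUDIT", set()) & granted
    return {
        "used": sorted(used),
        "never_logged": sorted(granted - used),  # candidates for removal
        "denied": sorted(seen.get("DENIED", set()) - granted),  # rules still missing
    }

if __name__ == "__main__":
    for key, caps in review(PROFILE, LOG, "virtqemud").items():
        print(f"{key}: {', '.join(caps) or '-'}")
```

A capability under `never_logged` was only unused by the workload that produced the log, which is the limitation the cover letter points out.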


Re: [PATCH V2 0/4] Apparmor: Add profiles for hypervisor daemons
Posted by Christian Boltz 2 years, 10 months ago
Hello,

[I'm not subscribed to libvir-list - please CC me in replies]

On Wednesday, 23 June 2021, 01:27:43 CEST, Jim Fehlig wrote:
> and other improvements. V2 of
> https://listman.redhat.com/archives/libvir-list/2021-June/msg00456.htm
> 
> Changes since V1:
> Removed many unneeded capabilities. I used the 'audit' qualifier as
> suggested by cboltz to verify which capabilities were actually used.
> It's a difficult task though, as it is nearly impossible for one
> person to exercise a driver in all the ways thousands of users will
> push it :-). I was able to whittle the virtxend profile quite a bit
> since xen doesn't need a lot in the way of host capabilities.

Your updated patches look good :-)

There's one thing I missed in the first review, but that might be worth 
a separate patch instead of updating this patchset:

Starting with AppArmor 3.0 userspace, profiles should have an abi rule 
in their preamble (as the first line):

abi <abi/3.0>,

Without this abi rule, network, dbus and unix will not be enforced.
Note that even without the abi/3.0 rule, (open)SUSE kernels have supported and 
enforced network rules for years, and Ubuntu kernels support all rule 
types.

Older AppArmor versions will ignore the abi line.


Adding the abi rule might mean that you'll have to add some network, 
dbus or unix rules to the profiles, therefore please do some testing 
instead of blindly adding the abi rule ;-)


Regards,

Christian Boltz
-- 
The Consultant's Curse:
        When the customer has beaten upon you long enough, give him
        what he asks for, instead of what he needs.  This is very strong
        medicine, and is normally only required once.
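
A pre-merge check for the abi rule discussed in the message above, as an added example that is not part of the original post or of AppArmor's tooling: it reports whether a profile declares an abi in its preamble, whether that rule is the first line, and which network, dbus and unix rules the profile carries. The profile text, profile name and rules are constructed samples.

```python
import re

# Constructed profile text; profile name, paths and rules are illustrative.
WITHOUT_ABI = """\
#include <tunables/global>

profile virtqemud /usr/sbin/virtqemud {
  #include <abstractions/base>
  capability net_admin,
  network inet stream,
  audit network netlink raw,
  dbus send bus=system,
  unix (send, receive) type=stream,
  /etc/libvirt/** r,
}
"""
WITH_ABI = "abi <abi/3.0>,\n\n" + WITHOUT_ABI

KINDS = ("network", "dbus", "unix")
ABI = re.compile(r'^\s*abi\s+[<"]([^>"]+)[>"]\s*,', re.M)
RULE = re.compile(r"^\s*(?:(?:audit|deny|allow)\s+)*(network|dbus|unix)\b")

def first_statement(text):
    """First line that is neither blank nor a plain comment (#include counts)."""
    for line in text.splitlines():
        s = line.strip()
        if s and (not s.startswith("#") or s.startswith("#include")):
            return s
    return ""

def check_profile(text):
    preamble = text.split("{", 1)[0]          # everything before the profile body
    m = ABI.search(preamble)
    rules = {k: [] for k in KINDS}
    for no, line in enumerate(text.splitlines(), 1):
        hit = RULE.match(line)
        if hit:
            rules[hit.group(1)].append(no)    # line numbers of rules of that kind
    return {
        "abi": m.group(1) if m else None,
        "abi_is_first_line": bool(ABI.match(first_statement(text))),
        "rule_lines": rules,
        # Kinds with no rule at all: the ones to test before adding the abi rule.
        "kinds_without_rules": [k for k in KINDS if not rules[k]],
    }

if __name__ == "__main__":
    for name, text in (("without abi", WITHOUT_ABI), ("with abi", WITH_ABI)):
        print(name, check_profile(text))
```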
Re: [PATCH V2 0/4] Apparmor: Add profiles for hypervisor daemons
Posted by Jim Fehlig 2 years, 10 months ago
On 6/23/21 1:17 PM, Christian Boltz wrote:
> Hello,
> 
> [I'm not subscribed to libvir-list - please CC me in replies]
> 
> On Wednesday, 23 June 2021, 01:27:43 CEST, Jim Fehlig wrote:
>> and other improvements. V2 of
>> https://listman.redhat.com/archives/libvir-list/2021-June/msg00456.htm
>>
>> Changes since V1:
>> Removed many unneeded capabilities. I used the 'audit' qualifier as
>> suggested by cboltz to verify which capabilities were actually used.
>> It's a difficult task though, as it is nearly impossible for one
>> person to exercise a driver in all the ways thousands of users will
>> push it :-). I was able to whittle the virtxend profile quite a bit
>> since xen doesn't need a lot in the way of host capabilities.
> 
> Your updated patches look good :-)

Thanks. The V3 I sent earlier contains a few more incremental improvements and 
can likely be merged IMO.

> There's one thing I missed in the first review, but that might be worth
> a separate patch instead of updating this patchset:
> 
> Starting with AppArmor 3.0 userspace, profiles should have an abi rule
> in their preamble (as the first line):
> 
> abi <abi/3.0>,

Definitely sounds like something for a separate patch.

> Without this abi rule, network, dbus and unix will not be enforced.
> Note that even without the abi/3.0 rule, (open)SUSE kernels have supported and
> enforced network rules for years, and Ubuntu kernels support all rule
> types.
> 
> Older AppArmor versions will ignore the abi line.
> 
> 
> Adding the abi rule might mean that you'll have to add some network,
> dbus or unix rules to the profiles, therefore please do some testing
> instead of blindly adding the abi rule ;-)

My relationship with apparmor is complicated. Even the slightest changes call 
for a fair bit of testing :-).

Regards,
Jim