From: Jim Fehlig
To: libvir-list@redhat.com
Subject: [PATCH V2 1/4] Apparmor: Add profile for virtqemud
Date: Tue, 22 Jun 2021 17:27:44 -0600
Message-ID: <20210622232747.21592-2-jfehlig@suse.com>
In-Reply-To: <20210622232747.21592-1-jfehlig@suse.com>
References: <20210622232747.21592-1-jfehlig@suse.com>
Cc: apparmor@cboltz.de, christian.ehrhardt@canonical.com

A new apparmor profile derived from the libvirtd profile, with non-QEMU related rules removed. Adopt the libvirt-qemu abstraction to work with the new profile.

Signed-off-by: Jim Fehlig
Reviewed-by: Christian Ehrhardt
---
 src/security/apparmor/libvirt-qemu          |   3 +
 src/security/apparmor/meson.build           |   1 +
 src/security/apparmor/usr.sbin.virtqemud.in | 135 ++++++++++++++++++++
 3 files changed, 139 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 85c9e61d6c..3e31ed4981 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -16,9 +16,11 @@ =20 ptrace (readby, tracedby) peer=3Dlibvirtd, ptrace (readby, tracedby) peer=3D/usr/sbin/libvirtd, + ptrace (readby, tracedby) peer=3Dvirtqemud, =20 signal (receive) peer=3Dlibvirtd, signal (receive) peer=3D/usr/sbin/libvirtd, + signal (receive) peer=3Dvirtqemud, =20 /dev/kvm rw, /dev/net/tun rw, @@ -221,6 +223,7 @@ # allow connect with openGraphicsFD to work unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirtd), unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3D/usr/sbin= /libvirtd), + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dvirtqemud= ), =20 # for gathering information about available host resources /sys/devices/system/cpu/ r, diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meso= n.build index af43780211..56f308bf3a 100644 --- a/src/security/apparmor/meson.build +++ b/src/security/apparmor/meson.build @@ -1,6 +1,7 @@ apparmor_gen_profiles =3D [ 'usr.lib.libvirt.virt-aa-helper', 'usr.sbin.libvirtd', + 'usr.sbin.virtqemud', ] =20 apparmor_gen_profiles_conf =3D configuration_data() diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/app= armor/usr.sbin.virtqemud.in new file mode 100644 index 0000000000..b986241c74 --- /dev/null +++ b/src/security/apparmor/usr.sbin.virtqemud.in 
@@ -0,0 +1,135 @@ +#include +@{LIBVIRT}=3D"libvirt" + +profile virtqemud @sbindir@/virtqemud flags=3D(attach_disconnected) { + #include + #include + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_pacct, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability audit_write, + capability ipc_lock, + capability sys_rawio, + capability bpf, + capability perfmon, + + # Needed for vfio + capability sys_resource, + + mount options=3D(rw,rslave) -> /, + mount options=3D(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/, + umount /{var/,}run/libvirt/qemu/*.dev/, + + # libvirt provides any mounts under /dev to qemu namespaces + mount options=3D(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/, + mount options=3D(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/}, + mount options=3D(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/, + mount options=3D(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d addr=3Dnone), + + ptrace (read,trace) peer=3Dunconfined, + ptrace (read,trace) peer=3D@{profile_name}, + ptrace (read,trace) peer=3Ddnsmasq, + ptrace (read,trace) peer=3D/usr/sbin/dnsmasq, + ptrace (read,trace) peer=3Dlibvirt-*, + + signal (send) peer=3Ddnsmasq, + signal (send) peer=3D/usr/sbin/dnsmasq, + signal (read, send) peer=3Dlibvirt-*, + signal (send) set=3D("kill", "term") peer=3Dunconfined, + + # For communication/control to qemu-bridge-helper + unix (send, receive) type=3Dstream addr=3Dnone 
peer=3D(label=3Dlibvirtd/= /qemu_bridge_helper), + signal (send) set=3D("term") peer=3Dlibvirtd//qemu_bridge_helper, + + # allow connect with openGraphicsFD, direction reversed in newer versions + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirt-[= 0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*), + # unconfined also required if guests run without security module + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d), + + # required if guests run unconfined seclabel type=3D'none' but libvirtd = is confined + signal (read, send) peer=3Dunconfined, + + # Very lenient profile for libvirtd since we want to first focus on conf= ining + # the guests. Guests will have a very restricted profile. + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # read and run an ebtables script. 
+ /var/lib/libvirt/virtd* ixr, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + + # allow changing to our UUID-based named profiles + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-= 9a-f]*, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_h= elper, + # child profile for bridge helper process + profile qemu_bridge_helper { + #include + + capability setuid, + capability setgid, + capability setpcap, + capability net_admin, + + network inet stream, + + # For communication/control from libvirtd + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirtd= ), + signal (receive) set=3D("term") peer=3D/usr/sbin/libvirtd, + signal (receive) set=3D("term") peer=3Dlibvirtd, + + /dev/net/tun rw, + /etc/qemu/** r, + owner @{PROC}/*/status r, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, + } +} --=20 2.31.1
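Review bot: in the `@@ -16,9 +16,11 @@` hunk of libvirt-qemu the new ptrace and signal rules use only the bare `peer=virtqemud` form, while the libvirtd rules beside them carry both `peer=libvirtd` and `peer=/usr/sbin/libvirtd`. The bare form is enough here because the new profile is declared with an explicit name (`profile virtqemud @sbindir@/virtqemud`), so its label is always `virtqemud`; a short comment saying the path form is intentionally omitted would stop a later reader adding it for symmetry. The same observation applies to the openGraphicsFD unix rule added in the `@@ -221,6 +223,7 @@` hunk.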
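Review bot: the qemu-bridge-helper rules in the new usr.sbin.virtqemud.in still name libvirtd's child profile rather than this profile's own. A child declared as `profile qemu_bridge_helper {` inside `profile virtqemud` carries the label `virtqemud//qemu_bridge_helper` (the same parent//child form these copied rules use for libvirtd), so `unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper)` and `signal (send) set=("term") peer=libvirtd//qemu_bridge_helper` do not match the helper that virtqemud itself spawns, and inside the child the `peer=(label=libvirtd)`, `peer=/usr/sbin/libvirtd` and `peer=libvirtd` receive rules are granted towards libvirtd instead of virtqemud; all five should name virtqemud. The copied comments ("Very lenient profile for libvirtd", "For communication/control from libvirtd", "but libvirtd is confined") want the same rename, and since the commit message says non-QEMU rules were removed, the remaining dnsmasq ptrace and signal rules deserve a comment on why virtqemud still needs them.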
From: Jim Fehlig
To: libvir-list@redhat.com
Subject: [PATCH V2 2/4] Apparmor: Add profile for virtxend
Date: Tue, 22 Jun 2021 17:27:45 -0600
Message-ID: <20210622232747.21592-3-jfehlig@suse.com>
In-Reply-To: <20210622232747.21592-1-jfehlig@suse.com>
References: <20210622232747.21592-1-jfehlig@suse.com>
Cc: apparmor@cboltz.de, christian.ehrhardt@canonical.com

A new apparmor profile initially derived from the libvirtd profile. All rules were prefixed with the 'audit' qualifier to verify they are actually used by virtxend.
It turns out that several, beyond the obvious ones, can be dropped in the resulting virtxend profile.

Signed-off-by: Jim Fehlig
---
 src/security/apparmor/meson.build          |  1 +
 src/security/apparmor/usr.sbin.virtxend.in | 53 ++++++++++++++++++++++
 2 files changed, 54 insertions(+)

diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
index 56f308bf3a..990f00b4f3 100644
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -2,6 +2,7 @@ apparmor_gen_profiles =3D [ 'usr.lib.libvirt.virt-aa-helper', 'usr.sbin.libvirtd', 'usr.sbin.virtqemud', + 'usr.sbin.virtxend', ] =20 apparmor_gen_profiles_conf =3D configuration_data()
diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/apparmor/usr.sbin.virtxend.in
new file mode 100644
index 0000000000..37c31bb104
--- /dev/null
+++ b/src/security/apparmor/usr.sbin.virtxend.in
@@ -0,0 +1,53 @@ +#include + +profile virtxend @sbindir@/virtxend flags=3D(attach_disconnected) { + #include + #include + + capability kill, + capability setgid, + capability setuid, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d addr=3Dnone), + + ptrace (read,trace) peer=3Dunconfined, + + signal (send) set=3D("kill", "term", "hup") peer=3Dunconfined, + + # Very lenient profile for virtxend + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64}/xen/bin/* Ux, + /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx, + /usr/{lib,libexec}/xen-*/bin/pygrub PUx, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + /etc/xen/scripts/** rmix, +} --=20 2.31.1
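Review bot: `/usr/{lib,lib64}/xen/bin/* Ux` in the new usr.sbin.virtxend.in is the one exec rule in the profile that is not `PUx`. `Ux` always runs the target unconfined, whereas `PUx`, used for the neighbouring xen-toolstack, libxl-save-helper and pygrub rules, transitions into a dedicated profile when one is loaded and only falls back to unconfined otherwise; unless those binaries must never be confined, `PUx` gives the same behaviour today while leaving room for per-helper profiles later, and either way a short comment on the choice would help.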
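The audit-and-trim workflow the 2/4 commit message describes, as an added example that is not part of the patch or of libvirt: every allow rule is given the `audit` qualifier, AppArmor then emits an AUDIT event for each access a rule permits, and the script reports the rules no event ever exercised. The profile excerpt and log lines are constructed for the example; it models capability, network and file rules only and assumes brace globs are not nested.

```python
"""Added example, not libvirt code: the audit-and-trim technique from the
commit message. Allow rules carry the 'audit' qualifier, AppArmor logs an
AUDIT event per permitted access, and rules with no event are removal candidates."""
import re

# Constructed excerpt shaped like the virtxend profile (meson placeholders
# substituted), with every allow rule audited.
PROFILE = """
profile virtxend /usr/sbin/virtxend flags=(attach_disconnected) {
  #include <abstractions/base>
  audit capability kill,
  audit capability setgid,
  audit network inet stream,
  audit network netlink raw,
  audit / r,
  audit /** rwmkl,
  audit /usr/{lib,lib64}/xen/bin/* Ux,
  audit /usr/{lib,libexec}/xen-*/bin/pygrub PUx,
  audit /etc/xen/scripts/** rmix,
  audit deny /{usr/,}sbin/apparmor_parser rwxl,
}
"""
# Constructed log lines in the key=value layout of AppArmor kernel messages.
LOG = """
apparmor="AUDIT" operation="capable" profile="virtxend" pid=2100 comm="virtxend" capability=5 capname="kill"
apparmor="AUDIT" operation="create" profile="virtxend" pid=2100 comm="virtxend" family="inet" sock_type="stream" protocol=6
apparmor="AUDIT" operation="open" profile="virtxend" name="/etc/xen/scripts/block" pid=2101 comm="virtxend" requested_mask="r" fsuid=0 ouid=0
apparmor="AUDIT" operation="exec" profile="virtxend" name="/usr/lib64/xen/bin/xenconsole" pid=2102 comm="virtxend" requested_mask="x" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="virtxend" name="/etc/apparmor.d/libvirt/x" pid=2103 comm="virtxend" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""
RULE_RE = re.compile(r"^\s*audit\s+(?!deny\b)(.+?),\s*$")  # audited allow rules
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="value" or key=value

def glob_to_regex(glob):
    """AppArmor path glob to regex: '**' may cross '/', '*' and '?' may not,
    '{a,b}' is alternation. Nested braces are not handled (an assumption of
    this example; the profiles on the page do not use them)."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] in "*?":
            out.append("[^/]*" if glob[i] == "*" else "[^/]")
            i += 1
        elif glob[i] == "{":
            j = glob.index("}", i)
            alts = [glob_to_regex(a) for a in glob[i + 1:j].split(",")]
            out.append("(?:" + "|".join(alts) + ")")
            i = j + 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return "".join(out)

def path_matches(glob, name):
    """True when the whole path is covered by the AppArmor glob."""
    return re.fullmatch(glob_to_regex(glob), name) is not None

def parse_rules(profile):
    """Audited allow rules as (kind, key, text). Deny rules are skipped (they
    are not grants to trim); only capability, network and file rules are modelled."""
    rules = []
    for m in filter(None, map(RULE_RE.match, profile.splitlines())):
        text = m.group(1)
        words = text.split()
        if words[0] == "capability" and len(words) == 2:
            rules.append(("capability", words[1], text))
        elif words[0] == "network" and len(words) == 3:
            rules.append(("network", (words[1], words[2]), text))
        elif words[0].startswith("/") and len(words) == 2:
            rules.append(("file", (words[0], words[1]), text))
    return rules

def parse_event(line):
    """One AppArmor log line as a dict of its key=value fields."""
    return {k: q or u for k, q, u in KV_RE.findall(line)}

def event_hits(rule, ev):
    """Does this AUDIT event exercise this rule? For file rules the path must
    match and every requested permission letter must be one the rule grants
    (exec modes compared case-insensitively, so 'x' is met by 'Ux' or 'PUx')."""
    kind, key, _ = rule
    if kind == "capability":
        return ev.get("operation") == "capable" and ev.get("capname") == key
    if kind == "network":
        return (ev.get("family"), ev.get("sock_type")) == key
    glob, perms = key
    return "name" in ev and path_matches(glob, ev["name"]) and all(
        c in perms.lower() for c in ev.get("requested_mask", ""))

def unused_rules(profile, log):
    """Rules of 'profile' that no AUDIT line in 'log' ever exercised."""
    rules = parse_rules(profile)
    events = [parse_event(l) for l in log.splitlines() if 'apparmor="AUDIT"' in l]
    hit = {r[2] for r in rules for ev in events if event_hits(r, ev)}
    return [r[2] for r in rules if r[2] not in hit]
```

Calling `unused_rules(PROFILE, LOG)` on the constructed input names the setgid capability, the netlink rule, `/ r` and the pygrub rule as never exercised; the DENIED line is ignored because only AUDIT events count as evidence that an allow rule is needed.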
From: Jim Fehlig To: libvir-list@redhat.com Subject: [PATCH V2 3/4] Apparmor: Allow reading libnl's classid file Date: Tue, 22 Jun 2021 17:27:46 -0600 Message-ID: <20210622232747.21592-4-jfehlig@suse.com> In-Reply-To: <20210622232747.21592-1-jfehlig@suse.com> References: <20210622232747.21592-1-jfehlig@suse.com> X-Originating-IP: [192.150.153.194] X-ClientProxiedBy: FR0P281CA0038.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:48::21) To AM8PR04MB7970.eurprd04.prod.outlook.com (2603:10a6:20b:24f::9) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 5656ca99-0983-42e9-4414-08d935d5610c X-MS-TrafficTypeDiagnostic: AM8PR04MB7203: X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:7691 X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0 X-Microsoft-Antispam-Message-Info: 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 X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM8PR04MB7970.eurprd04.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(346002)(39850400004)(366004)(396003)(376002)(6916009)(478600001)(6496006)(8676002)(2906002)(86362001)(316002)(8936002)(186003)(4326008)(26005)(6486002)(16526019)(956004)(36756003)(1076003)(38100700002)(83380400001)(66556008)(66476007)(5660300002)(66946007)(6666004)(2616005); DIR:OUT; SFP:1101 X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?Or5PDb/fvyGrg78FGruyv2eJ34f8TC7SvR9XDY1mH9BKhFIguX1EHIwOZdQO?= =?us-ascii?Q?gpjojM62M7itDY1uAIOb3EIHvTFnlJnGHh+hDZF4vzZVF5re7zCQaKdKlX3e?= =?us-ascii?Q?wfJJOxhkjrxQtelvSFbGLpITtjwXAhiVHxFLR9lk84I32cqZamPoIxYO/X6U?= =?us-ascii?Q?1hVqCuWMpozfBcMMKqBi4ezYwwW5wRivhgjoYg5DtpbET5xW+5cfRxvPX9tS?= =?us-ascii?Q?cz2fa1y0I39XSoBjKxDyGz0SeVICad+QFxa5uAgQ72AflzZ0CPFGzAS2HMta?= =?us-ascii?Q?xc0Nr8pzbdAgSLTsnxXBAnouxwlGdg4gn3UH5c4Sg21QybidnQUJuA/0TakR?= 
Cc: apparmor@cboltz.de, christian.ehrhardt@canonical.com

I noticed the following denial messages from apparmor in audit.log when
starting confined VMs via the QEMU driver

type=AVC msg=audit(1623864006.370:837): apparmor="DENIED" operation="open" \
 profile="virt-aa-helper" name="/etc/libnl/classid" pid=11265 \
 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

type=AVC msg=audit(1623864006.582:849): apparmor="DENIED" operation="open" \
 profile="libvirt-0ca2720d-6cff-48bb-86c2-61ab9a79b6e9" \
 name="/etc/libnl/classid" pid=11270 comm="qemu-system-x86" \
 requested_mask="r" denied_mask="r" fsuid=107 ouid=0

It is possible for site admins to assign names to classids in this file,
which are then used by all libnl tools, possibly those used by libvirt.
To be on the safe side, allow read access to the file in the
virt-aa-helper profile and the libvirt-qemu abstraction.

Signed-off-by: Jim Fehlig
Reviewed-by: Christian Ehrhardt
--- src/security/apparmor/libvirt-qemu | 2 ++ src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/lib= virt-qemu index 3e31ed4981..4156428163 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -37,6 +37,8 @@ @{PROC}/sys/vm/overcommit_memory r, # detect hardware capabilities via qemu_getauxval owner @{PROC}/*/auxv r, + # allow reading libnl's classid file + /etc/libnl{,-3}/classid r, =20 # For hostdev access. The actual devices will be added dynamically /sys/bus/usb/devices/ r, diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/= security/apparmor/usr.lib.libvirt.virt-aa-helper.in index dd18c8ab89..8ebb47596a 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -19,7 +19,8 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { # Used when internally running another command (namely apparmor_parser) @{PROC}/@{pid}/fd/ r, =20 - @sysconfdir@/libnl-3/classid r, + # allow reading libnl's classid file + @sysconfdir@/libnl{,-3}/classid r, =20 # for gl enabled graphics /dev/dri/{,*} r, --=20 2.31.1
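Review bot: the new rule in the libvirt-qemu hunk hardcodes `/etc/libnl{,-3}/classid r,` while the virt-aa-helper hunk spells the same file as `@sysconfdir@/libnl{,-3}/classid r,`; if `@sysconfdir@` is ever anything other than `/etc`, the per-guest profiles built on this abstraction keep hitting the second denial quoted in the description (comm="qemu-system-x86", fsuid=107) while the helper does not. Either say in the new comment that the abstraction is not a template and therefore needs the literal path, or derive both rules from the same source so they cannot drift apart.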
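Review bot: the virt-aa-helper hunk replaces `@sysconfdir@/libnl-3/classid r,` with the brace set `@sysconfdir@/libnl{,-3}/classid r,`, but neither the new comment nor the description says why the existing rule was insufficient; the quoted audit record shows the denied path is `/etc/libnl/classid` (no `-3`), so one sentence in the commit message stating that the installed libnl reads the unversioned directory would save the next reader from reconstructing that from the log.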
From: Jim Fehlig
To: libvir-list@redhat.com
Subject: [PATCH V2 4/4] Apparmor: Allow reading /etc/ssl/openssl.cnf
Date: Tue, 22 Jun 2021 17:27:47 -0600
Message-ID: <20210622232747.21592-5-jfehlig@suse.com>
In-Reply-To: <20210622232747.21592-1-jfehlig@suse.com>
References: <20210622232747.21592-1-jfehlig@suse.com>
Cc: apparmor@cboltz.de, christian.ehrhardt@canonical.com

I noticed the following denial when running confined VMs with the QEMU
driver

type=AVC msg=audit(1623865089.263:865): apparmor="DENIED" operation="open" \
 profile="virt-aa-helper" name="/etc/ssl/openssl.cnf" pid=12503 \
 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Allow reading the file by including the openssl abstraction in the
virt-aa-helper profile.

Signed-off-by: Jim Fehlig
Reviewed-by: Christian Ehrhardt
--- src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 + 1 file changed, 1 insertion(+) diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/= security/apparmor/usr.lib.libvirt.virt-aa-helper.in index 8ebb47596a..ff1d46bebe 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -2,6 +2,7 @@ =20 profile virt-aa-helper @libexecdir@/virt-aa-helper { #include + #include =20 # needed for searching directories capability dac_override, --=20 2.31.1
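Review bot: the denial quoted in the description is for one file, `/etc/ssl/openssl.cnf` with `requested_mask="r"`, yet the fix in the hunk is an additional `#include` of a whole abstraction rather than a single `/etc/ssl/openssl.cnf r,` rule; the description should say why the broader grant is preferred so that the extra rules the abstraction brings into virt-aa-helper are recorded as a deliberate choice. The target of the added `#include` line is also missing from the hunk as shown, so the claim that it is the openssl abstraction cannot be checked against the diff itself.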
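Added example (not libvirt's code): a small parser for the AppArmor audit records quoted in the descriptions of patches 3/4 and 4/4, deriving the minimal file rule each profile would need and flagging which denials belong to a per-guest profile and so are fixed in the shared libvirt-qemu abstraction. It assumes the three sample lines are copied from the two commit messages with their `\` continuations joined.

```python
"""Parse the AppArmor DENIED records quoted in patches 3/4 and 4/4 and
derive the minimal file rule each profile would need.  Added example,
not libvirt code; the three sample lines are copied from the commit
messages with their backslash continuations joined."""
import re
from collections import defaultdict

SAMPLE_AUDIT = """\
type=AVC msg=audit(1623864006.370:837): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=11265 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1623864006.582:849): apparmor="DENIED" operation="open" profile="libvirt-0ca2720d-6cff-48bb-86c2-61ab9a79b6e9" name="/etc/libnl/classid" pid=11270 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
type=AVC msg=audit(1623865089.263:865): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/ssl/openssl.cnf" pid=12503 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; the audit format quotes strings but leaves numbers bare.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of one audit record as a dict of str."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(line)}


def denials(text):
    """Yield the parsed records that are AppArmor DENIED events."""
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec.get("apparmor") == "DENIED":
            yield rec


def suggest_rules(text):
    """Map each profile to the sorted list of minimal rules (path plus the
    denied mask only) that would satisfy its logged denials."""
    rules = defaultdict(set)
    for rec in denials(text):
        rules[rec["profile"]].add(f'{rec["name"]} {rec["denied_mask"]},')
    return {profile: sorted(r) for profile, r in rules.items()}


def is_guest_profile(name):
    """libvirt names per-guest profiles libvirt-<domain UUID>; denials there
    are fixed in the shared libvirt-qemu abstraction, not per profile."""
    return re.fullmatch(r"libvirt-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}",
                        name) is not None


if __name__ == "__main__":
    for profile, rule_list in suggest_rules(SAMPLE_AUDIT).items():
        target = "libvirt-qemu abstraction" if is_guest_profile(profile) else profile
        print(f"{target}:")
        for rule in rule_list:
            print("    " + rule)
```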