From: Jim Fehlig
To: libvir-list@redhat.com
Subject: [PATCH V2 2/4] Apparmor: Add profile for virtxend
Date: Tue, 22 Jun 2021 17:27:45 -0600
Message-ID: <20210622232747.21592-3-jfehlig@suse.com>
In-Reply-To: <20210622232747.21592-1-jfehlig@suse.com>
References: <20210622232747.21592-1-jfehlig@suse.com>
Cc: apparmor@cboltz.de, christian.ehrhardt@canonical.com

A new apparmor profile initially derived from the libvirtd profile. All rules were prefixed with the 'audit' qualifier to verify they are actually used by virtxend.
It turns out that several, beyond the obvious ones, can be dropped in the resulting virtxend profile. Signed-off-by: Jim Fehlig --- src/security/apparmor/meson.build | 1 + src/security/apparmor/usr.sbin.virtxend.in | 53 ++++++++++++++++++++++ 2 files changed, 54 insertions(+) diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meso= n.build index 56f308bf3a..990f00b4f3 100644 --- a/src/security/apparmor/meson.build +++ b/src/security/apparmor/meson.build @@ -2,6 +2,7 @@ apparmor_gen_profiles =3D [ 'usr.lib.libvirt.virt-aa-helper', 'usr.sbin.libvirtd', 'usr.sbin.virtqemud', + 'usr.sbin.virtxend', ] =20 apparmor_gen_profiles_conf =3D configuration_data() diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/appa= rmor/usr.sbin.virtxend.in new file mode 100644 index 0000000000..37c31bb104 --- /dev/null +++ b/src/security/apparmor/usr.sbin.virtxend.in 
@@ -0,0 +1,53 @@ +#include + +profile virtxend @sbindir@/virtxend flags=3D(attach_disconnected) { + #include + #include + + capability kill, + capability setgid, + capability setuid, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d addr=3Dnone), + + ptrace (read,trace) peer=3Dunconfined, + + signal (send) set=3D("kill", "term", "hup") peer=3Dunconfined, + + # Very lenient profile for virtxend + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64}/xen/bin/* Ux, + /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx, + /usr/{lib,libexec}/xen-*/bin/pygrub PUx, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + /etc/xen/scripts/** rmix, +} --=20 2.31.1
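Review bot: in the usr.sbin.virtxend.in hunk, `/usr/{lib,lib64}/xen/bin/* Ux,` is the one exec rule that uses plain `Ux` where every neighbouring rule (xen-toolstack, libxl-save-helper, pygrub, @sbindir@/*) uses `PUx`. With `Ux` those binaries always run unconfined even when a dedicated profile for them is loaded; `PUx` would transition into such a profile when one exists and fall back to unconfined otherwise, so unless the xen helpers are known to misbehave under a profile, `PUx` would be the consistent choice. A second point for the same hunk: because `/ r,` and `/** rwmkl,` grant read, write, mmap, create and link on the whole filesystem, what this profile actually constrains is execution transitions plus the `audit deny` block on apparmor_parser, /etc/apparmor.d/libvirt/** and /sys/kernel/security/apparmor/; the "Very lenient profile for virtxend" comment would be clearer if it said that those deny rules are what keep virtxend from loading or rewriting policy itself, which is why they must stay ahead of any future relaxation of the file rules.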