From: Jim Fehlig
To: libvir-list@redhat.com
Subject: [PATCH V3 1/2] Apparmor: Add profile for virtqemud
Date: Thu, 24 Jun 2021 14:48:58 -0600
Message-ID: <20210624204859.4009-2-jfehlig@suse.com>
In-Reply-To: <20210624204859.4009-1-jfehlig@suse.com>
References: <20210624204859.4009-1-jfehlig@suse.com>
Cc: apparmor@cboltz.de, christian.ehrhardt@canonical.com

A new apparmor profile derived from the libvirtd profile, with non-QEMU related rules removed. Adopt the libvirt-qemu abstraction to work with the new profile.
Signed-off-by: Jim Fehlig
Reviewed-by: Christian Ehrhardt
Reviewed-by: Neal Gompa
---
I pursued a suggestion to use qemu's `make check-acceptance` as an additional driver of qemu for verifying if all the host capabilities in virtqemud profile are actually needed. That allowed me to shrink the list of unverified capabilities to net_raw, sys_chroot, sys_ptrace, setpcap, and sys_pacct. All but the last were added by the original libvirtd profile commit 624a7927f07. sys_pacct was added in 2015 by commit b61fb8e8af1. The capability was needed for xen, but from the description sounds like it could be applicable to qemu as well:

"Allow CAP_SYS_PACCT, which is required when resetting some multi-port Broadcom cards by writing to the PCI config space"

As for the others, I'm hesitant to remove them even though I've been unable to verify the capabilities are required. The paranoid side of me says to keep them to avoid some unforeseen breakage.

 src/security/apparmor/libvirt-qemu | 3 +
 src/security/apparmor/meson.build | 1 +
 src/security/apparmor/usr.sbin.virtqemud.in | 134 ++++++++++++++++++++
 3 files changed, 138 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/lib= virt-qemu index 6275b6e95b..4156428163 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -16,9 +16,11 @@ =20 ptrace (readby, tracedby) peer=3Dlibvirtd, ptrace (readby, tracedby) peer=3D/usr/sbin/libvirtd, + ptrace (readby, tracedby) peer=3Dvirtqemud, =20 signal (receive) peer=3Dlibvirtd, signal (receive) peer=3D/usr/sbin/libvirtd, + signal (receive) peer=3Dvirtqemud, =20 /dev/kvm rw, /dev/net/tun rw,
@@ -223,6 +225,7 @@ # allow connect with openGraphicsFD to work unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirtd), unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3D/usr/sbin= /libvirtd), + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dvirtqemud= ), =20 # for gathering information about available host resources /sys/devices/system/cpu/ r, diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meso= n.build index af43780211..56f308bf3a 100644 --- a/src/security/apparmor/meson.build +++ b/src/security/apparmor/meson.build @@ -1,6 +1,7 @@ apparmor_gen_profiles =3D [ 'usr.lib.libvirt.virt-aa-helper', 'usr.sbin.libvirtd', + 'usr.sbin.virtqemud', ] =20 apparmor_gen_profiles_conf =3D configuration_data() diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/app= armor/usr.sbin.virtqemud.in new file mode 100644 index 0000000000..2d16ea821d --- /dev/null +++ b/src/security/apparmor/usr.sbin.virtqemud.in 
@@ -0,0 +1,134 @@ +#include +@{LIBVIRT}=3D"libvirt" + +profile virtqemud @sbindir@/virtqemud flags=3D(attach_disconnected) { + #include + #include + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_pacct, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability audit_write, + capability ipc_lock, + capability sys_rawio, + capability bpf, + capability perfmon, + + # Needed for vfio + capability sys_resource, + + mount options=3D(rw,rslave) -> /, + mount options=3D(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/, + umount /{var/,}run/libvirt/qemu/*.dev/, + + # libvirt provides any mounts under /dev to qemu namespaces + mount options=3D(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/, + mount options=3D(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/}, + mount options=3D(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/, + mount options=3D(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d addr=3Dnone), + + ptrace (read,trace) peer=3Dunconfined, + ptrace (read,trace) peer=3D@{profile_name}, + ptrace (read,trace) peer=3Ddnsmasq, + ptrace (read,trace) peer=3D/usr/sbin/dnsmasq, + ptrace (read,trace) peer=3Dlibvirt-*, + + signal (send) peer=3Ddnsmasq, + signal (send) peer=3D/usr/sbin/dnsmasq, + signal (read, send) peer=3Dlibvirt-*, + signal (send) set=3D("kill", "term") peer=3Dunconfined, + + # For communication/control to qemu-bridge-helper + unix (send, receive) type=3Dstream addr=3Dnone 
peer=3D(label=3Dlibvirtd/= /qemu_bridge_helper), + signal (send) set=3D("term") peer=3Dlibvirtd//qemu_bridge_helper, + + # allow connect with openGraphicsFD, direction reversed in newer versions + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirt-[= 0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*), + # unconfined also required if guests run without security module + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d), + + # required if guests run unconfined seclabel type=3D'none' but libvirtd = is confined + signal (read, send) peer=3Dunconfined, + + # Very lenient profile for libvirtd since we want to first focus on conf= ining + # the guests. Guests will have a very restricted profile. + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # read and run an ebtables script. 
+ /var/lib/libvirt/virtd* ixr, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + + # allow changing to our UUID-based named profiles + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-= 9a-f]*, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_h= elper, + # child profile for bridge helper process + profile qemu_bridge_helper { + #include + + capability setuid, + capability setgid, + capability setpcap, + capability net_admin, + + network inet stream, + + # For communication/control from virtqemud + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dvirtqemu= d), + signal (receive) set=3D("term") peer=3Dvirtqemud, + + /dev/net/tun rw, + /etc/qemu/** r, + owner @{PROC}/*/status r, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, + } +} --=20 2.31.1
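Review bot: at @@ -16,9 +16,11 @@ in libvirt-qemu, a comment is missing to explain why the new `peer=virtqemud` ptrace and signal rules have no path-based twin while the libvirtd rules beside them appear both as `peer=libvirtd` and `peer=/usr/sbin/libvirtd`. The reason (the new profile is declared `profile virtqemud @sbindir@/virtqemud`, so its confinement label is the name `virtqemud`) is worth one line so nobody adds a `/usr/sbin/virtqemud` variant later for symmetry.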
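Review bot: the abstraction rule added at @@ -223,6 +225,7 @@ sits under the comment "allow connect with openGraphicsFD to work", while the matching rule in usr.sbin.virtqemud.in carries the extra remark "direction reversed in newer versions"; the two comments should agree so a reader of either file knows which side initiates the socket connection.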
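Review bot: in the new usr.sbin.virtqemud.in (@@ -0,0 +1,134 @@), the two parent-side rules under "# For communication/control to qemu-bridge-helper" still name the libvirtd child profile, `peer=(label=libvirtd//qemu_bridge_helper)` and `signal (send) set=("term") peer=libvirtd//qemu_bridge_helper`, but the child profile this file defines is nested under virtqemud, and its own rules already say `peer=(label=virtqemud)` and `peer=virtqemud`. Unless these are deliberately kept for a helper spawned by libvirtd, they should read `virtqemud//qemu_bridge_helper` (or use `@{profile_name}`) so the helper's socket and SIGTERM are actually permitted. Two comments copied from the libvirtd profile also still say "Very lenient profile for libvirtd" and "but libvirtd is confined" and should name virtqemud. Finally, the cover note lists net_raw, sys_chroot, sys_ptrace, setpcap and sys_pacct as capabilities that could not be verified; a short comment next to those `capability` lines would record that for the next audit.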
From: Jim Fehlig
To: libvir-list@redhat.com
Subject: [PATCH V3 2/2] Apparmor: Add profile for virtxend
Date: Thu, 24 Jun 2021 14:48:59 -0600
Message-ID: <20210624204859.4009-3-jfehlig@suse.com>
In-Reply-To: <20210624204859.4009-1-jfehlig@suse.com>
References: <20210624204859.4009-1-jfehlig@suse.com>
Cc: apparmor@cboltz.de, christian.ehrhardt@canonical.com

A new apparmor profile initially derived from the libvirtd profile. All rules were prefixed with the 'audit' qualifier to verify they are actually used by virtxend. It turns out that several, beyond the obvious ones, can be dropped in the resulting virtxend profile.

Signed-off-by: Jim Fehlig
Reviewed-by: Neal Gompa
---
V3: Added back a few more capabilities to the virtxend profile after checking git history.

 src/security/apparmor/meson.build | 1 +
 src/security/apparmor/usr.sbin.virtxend.in | 55 ++++++++++++++++++++++
 2 files changed, 56 insertions(+)

diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meso= n.build index 56f308bf3a..990f00b4f3 100644 --- a/src/security/apparmor/meson.build +++ b/src/security/apparmor/meson.build
@@ -2,6 +2,7 @@ apparmor_gen_profiles =3D [ 'usr.lib.libvirt.virt-aa-helper', 'usr.sbin.libvirtd', 'usr.sbin.virtqemud', + 'usr.sbin.virtxend', ] =20 apparmor_gen_profiles_conf =3D configuration_data() diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/appa= rmor/usr.sbin.virtxend.in new file mode 100644 index 0000000000..0f6b825f47 --- /dev/null +++ b/src/security/apparmor/usr.sbin.virtxend.in @@ -0,0 +1,55 @@ +#include + +profile virtxend @sbindir@/virtxend flags=3D(attach_disconnected) { + #include + #include + + capability kill, + capability setgid, + capability setuid, + capability sys_pacct, + capability ipc_lock, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d addr=3Dnone), + + ptrace (read,trace) peer=3Dunconfined, + + signal (send) set=3D("kill", "term", "hup") peer=3Dunconfined, + + # Very lenient profile for virtxend + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64}/xen/bin/* Ux, + /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx, + /usr/{lib,libexec}/xen-*/bin/pygrub PUx, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + /etc/xen/scripts/** rmix, +} --=20 2.31.1
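Review bot: in usr.sbin.virtxend.in (@@ -0,0 +1,55 @@), `/usr/{lib,lib64}/xen/bin/* Ux,` is the only exec rule in the file that is plain `Ux`; every other exec rule uses `PUx`, which tries a dedicated profile for the target first and only falls back to unconfined. Unless the xen binaries are known to break under any profile, `PUx` would keep them confinable by a distribution-supplied profile. The V3 note also says some capabilities were added back from git history rather than observed through the `audit` run described in the commit message; marking which of `kill`, `setgid`, `setuid`, `sys_pacct` and `ipc_lock` came from history would tell a future reviewer which ones the audit method actually confirmed.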
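Both commit messages in this series describe the same verification loop: prefix the profile's rules with the `audit` qualifier, exercise the daemon, read the AppArmor audit records to see which rules actually fire, and then drop or annotate the rest. The script below is added here as an illustration of that loop in code; it is not part of the libvirt patches or the libvirt project. It rewrites `capability` rules into their `audit` form, parses AppArmor records in the key=value layout that auditd emits, and reports which declared capabilities were never observed for a given profile, plus any DENIED records that point at a missing rule. The log lines are constructed for the example (the pids, timestamps and the socket path are invented), and the profile excerpt is the virtxend capability block from the patch with `@sbindir@` expanded to `/usr/sbin` as an assumption.

```python
import re
from collections import defaultdict

# key="value" or key=value pairs as they appear in AppArmor records
# delivered through auditd (type=AVC ... apparmor="AUDIT" ...).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# A capability rule, optionally already carrying the audit qualifier.
CAP_RULE_RE = re.compile(r'^\s*(?:audit\s+)?capability\s+(\w+)\s*,', re.MULTILINE)

# Capability block of the virtxend profile from the patch; @sbindir@ is
# expanded to /usr/sbin here as an assumption for the example.
VIRTXEND_EXCERPT = """\
profile virtxend /usr/sbin/virtxend flags=(attach_disconnected) {
  capability kill,
  capability setgid,
  capability setuid,
  capability sys_pacct,
  capability ipc_lock,

  network inet stream,
}
"""

# Constructed audit records: pids, timestamps and the socket path are invented.
SAMPLE_LOG = """\
type=AVC msg=audit(1624567776.220:101): apparmor="AUDIT" operation="capable" profile="virtxend" pid=4242 comm="virtxend" capability=6 capname="setgid"
type=AVC msg=audit(1624567776.221:102): apparmor="AUDIT" operation="capable" profile="virtxend" pid=4242 comm="virtxend" capability=7 capname="setuid"
type=AVC msg=audit(1624567776.222:103): apparmor="AUDIT" operation="open" profile="virtxend" name="/etc/xen/scripts/vif-bridge" pid=4242 comm="virtxend" requested_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1624567776.223:104): apparmor="DENIED" operation="open" profile="virtxend" name="/run/xen/example.sock" pid=4242 comm="virtxend" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1624567776.224:105): apparmor="AUDIT" operation="capable" profile="virtqemud" pid=5151 comm="virtqemud" capability=21 capname="sys_admin"
"""


def add_audit_qualifier(profile_text):
    """Prefix every capability rule with 'audit' so each grant is logged when used."""
    return re.sub(r'^(\s*)capability\s+', r'\1audit capability ',
                  profile_text, flags=re.MULTILINE)


def declared_capabilities(profile_text):
    """Set of capability names granted by the profile text."""
    return set(CAP_RULE_RE.findall(profile_text))


def parse_record(line):
    """Split one audit line into a dict; quoted values lose their quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def summarize(log_text, profile):
    """Return (capabilities used, {path: access modes}, denied records) for one profile."""
    caps_used = set()
    files_used = defaultdict(set)
    denied = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("profile") != profile:
            continue            # records from other confined processes
        if rec.get("apparmor") == "DENIED":
            denied.append(rec)  # a rule the profile is missing
            continue
        if rec.get("operation") == "capable":
            caps_used.add(rec["capname"])
        elif "name" in rec:
            files_used[rec["name"]].update(rec.get("requested_mask", ""))
    return caps_used, files_used, denied


def unverified_capabilities(profile_text, log_text, profile):
    """Declared capabilities that never appeared in an audit record: review candidates."""
    caps_used, _, _ = summarize(log_text, profile)
    return sorted(declared_capabilities(profile_text) - caps_used)


if __name__ == "__main__":
    print(add_audit_qualifier(VIRTXEND_EXCERPT))
    caps, files, denied = summarize(SAMPLE_LOG, "virtxend")
    print("used:", sorted(caps), dict(files))
    print("denied:", [d["name"] for d in denied])
    print("unverified:", unverified_capabilities(VIRTXEND_EXCERPT, SAMPLE_LOG, "virtxend"))
```

On the constructed log the script reports `setgid` and `setuid` as exercised, `/etc/xen/scripts/vif-bridge` read, one DENIED open of `/run/xen/example.sock`, and `ipc_lock`, `kill` and `sys_pacct` as declared but unobserved. An unobserved capability is a review candidate, not proof that it is unnecessary: the cover note's point about rarely hit paths (a Broadcom reset needing CAP_SYS_PACCT) is exactly the case a short test run will miss, so the output is a list of things to justify or comment, not a list to delete.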