From: Jim Fehlig
To: libvir-list@redhat.com
Subject: [PATCH V3 2/2] Apparmor: Add profile for virtxend
Date: Thu, 24 Jun 2021 14:48:59 -0600
Message-ID: <20210624204859.4009-3-jfehlig@suse.com>
In-Reply-To: <20210624204859.4009-1-jfehlig@suse.com>
References: <20210624204859.4009-1-jfehlig@suse.com>
Cc: apparmor@cboltz.de, christian.ehrhardt@canonical.com
List-Id: Development discussions about the libvirt library & tools

A new apparmor profile initially derived from the libvirtd profile. All rules were prefixed with the 'audit' qualifier to verify they are actually used by virtxend. It turns out that several, beyond the obvious ones, can be dropped in the resulting virtxend profile.

Signed-off-by: Jim Fehlig
---
V3: Added back a few more capabilities to the virtxend profile after checking git history.

 src/security/apparmor/meson.build          |  1 +
 src/security/apparmor/usr.sbin.virtxend.in | 55 ++++++++++++++++++++++
 2 files changed, 56 insertions(+)

diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meso= n.build
index 56f308bf3a..990f00b4f3 100644
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -2,6 +2,7 @@ apparmor_gen_profiles =3D [ 'usr.lib.libvirt.virt-aa-helper', 'usr.sbin.libvirtd', 'usr.sbin.virtqemud', + 'usr.sbin.virtxend', ] =20 apparmor_gen_profiles_conf =3D configuration_data() diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/appa= rmor/usr.sbin.virtxend.in new file mode 100644 index 0000000000..0f6b825f47 --- /dev/null +++ b/src/security/apparmor/usr.sbin.virtxend.in @@ -0,0 +1,55 @@ +#include + +profile virtxend @sbindir@/virtxend flags=3D(attach_disconnected) { + #include + #include + + capability kill, + capability setgid, + capability setuid, + capability sys_pacct, + capability ipc_lock, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d addr=3Dnone), + + ptrace (read,trace) peer=3Dunconfined, + + signal (send) set=3D("kill", "term", "hup") peer=3Dunconfined, + + # Very lenient profile for virtxend + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64}/xen/bin/* Ux, + /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx, + /usr/{lib,libexec}/xen-*/bin/pygrub PUx, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + /etc/xen/scripts/** rmix, +} --=20 2.31.1
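Review bot: in the usr.sbin.virtxend.in hunk, `/ r,` together with `/** rwmkl,` already grants read, write, mmap, lock and link on every path, so the more specific file rules that follow (`/sys/kernel/security/apparmor/profiles r,`, the `r` and `m` in `/etc/libvirt/hooks/** rmix,` and `/etc/xen/scripts/** rmix,`) add nothing, and the `audit` pass described in the commit message can only have narrowed capabilities, network and exec rules, not file access. What actually constrains file access here are the `audit deny` lines, which work only because AppArmor gives deny rules precedence over allow rules; the "# Very lenient profile for virtxend" comment should say that, and say which of the blanket rules are expected to be tightened once virtxend's file footprint is known, so a later reader does not take the specific rules as the effective policy. Separately, since V3 added capabilities back "after checking git history" rather than from audit output, a one-line comment beside `capability sys_pacct,` and `capability ipc_lock,` recording what needs them would keep that justification with the profile instead of in the mailing-list thread.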
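The commit message describes the method behind the profile: prefix every rule with `audit`, run the daemon, and drop the rules that never show up in the audit log. The script below is an added example of that workflow and is not part of the libvirt patch or the libvirt project; it rewrites a profile so each allow rule carries `audit`, then correlates constructed audit records with the profile's rules and reports which ones were never exercised. The cut-down profile, the log lines, and the helper names (`audit_profile`, `match_rules`, `unused_rules`) are all constructed for this example; the glob-to-regex conversion covers the `*`, `**`, `?` and one-level `{a,b}` forms used in the patch and nothing more.

```python
"""Added example (not part of the libvirt patch or project): the audit-then-
prune workflow from the commit message. audit_profile() marks every allow rule
'audit' so the kernel logs each grant; match_rules() counts log hits per rule
so unexercised rules can be reviewed for removal. All input is constructed."""
import re

# Constructed, cut-down profile in the style of usr.sbin.virtxend.in.
SAMPLE_PROFILE = """\
profile virtxend /usr/sbin/virtxend flags=(attach_disconnected) {
  #include <abstractions/base>
  capability kill,
  capability sys_pacct,
  network inet stream,
  # force the use of virt-aa-helper
  audit deny /etc/apparmor.d/libvirt/** wxl,
  /etc/xen/scripts/** rmix,
  /etc/libvirt/hooks/** rmix,
}
"""
# Constructed audit records in AppArmor's field layout ("AUDIT" = audited allow).
SAMPLE_LOG = """\
type=AVC msg=audit(1624567776.220:101): apparmor="AUDIT" operation="capable" profile="virtxend" pid=4009 comm="virtxend" capability=5 capname="kill"
type=AVC msg=audit(1624567776.221:102): apparmor="AUDIT" operation="open" profile="virtxend" name="/etc/xen/scripts/vif-bridge" pid=4009 comm="virtxend" requested_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1624567776.222:103): apparmor="AUDIT" operation="exec" profile="virtxend" name="/etc/xen/scripts/vif-bridge" pid=4010 comm="virtxend" requested_mask="x"
type=AVC msg=audit(1624567776.223:104): apparmor="AUDIT" operation="create" profile="virtxend" pid=4009 comm="virtxend" family="inet" sock_type="stream" protocol=6
type=AVC msg=audit(1624567776.224:105): apparmor="DENIED" operation="open" profile="virtxend" name="/etc/apparmor.d/libvirt/libvirt-x" pid=4009 comm="virtxend" requested_mask="w" denied_mask="w"
"""
NON_RULE = re.compile(r"^\s*(#|profile\s|\}|$)")   # comments/#include, header, '}', blank
OTHER = {"unix", "ptrace", "signal", "mount", "umount", "dbus", "change_profile", "rlimit", "link"}
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')           # key=value or key="value"


def audit_profile(text):
    """Prefix each allow rule with 'audit'; skip non-rule lines and rules already
    marked 'audit' or 'deny', so applying it twice changes nothing."""
    out = []
    for line in text.splitlines():
        body = line.strip()
        if NON_RULE.match(line) or body.startswith(("audit ", "deny ")):
            out.append(line)
        else:
            out.append(line[: len(line) - len(line.lstrip())] + "audit " + body)
    return "\n".join(out) + "\n"


def glob_to_regex(glob):
    """AppArmor glob -> regex: '**' crosses '/', '*' and '?' do not, '{a,b}' alternates."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] in "*?":
            out, i = out + ("[^/]*" if glob[i] == "*" else "[^/]"), i + 1
        elif glob[i] == "{":                       # one level of alternation only
            j = glob.index("}", i)
            out = out + "(%s)" % "|".join(map(re.escape, glob[i + 1:j].split(",")))
            i = j + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile("^" + out + "$")


def parse_rules(text):
    """Allow rules as (kind, spec, rule_text) in profile order; deny rules are skipped."""
    rules = []
    for line in text.splitlines():
        s = line.strip().rstrip(",")
        if NON_RULE.match(line) or s.startswith(("audit deny ", "deny ")):
            continue
        s = s[len("audit "):] if s.startswith("audit ") else s
        parts = s.split()
        if parts[0] in ("capability", "network"):
            rules.append((parts[0], parts[1:], s))          # e.g. ["kill"], ["inet","stream"]
        elif parts[0] in OTHER:
            rules.append(("other", None, s))                # not correlated in this example
        else:
            rules.append(("file", glob_to_regex(parts[0]), s))
    return rules


def parse_event(line):
    return {m[1]: m[3] if m[3] is not None else m[2] for m in KV.finditer(line)}


def match_rules(profile_text, log_text, profile="virtxend"):
    """Hit count per allow rule, counting only AUDIT records of the given profile."""
    rules = parse_rules(profile_text)
    hits = {text: 0 for _, _, text in rules}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("apparmor") != "AUDIT" or ev.get("profile") != profile:
            continue
        for kind, spec, text in rules:
            if kind == "capability" and ev.get("operation") == "capable":
                ok = not spec or spec[0] == ev.get("capname")
            elif kind == "network" and "family" in ev:
                ok = (not spec or spec[0] == ev["family"]) and \
                     (len(spec) < 2 or spec[1] == ev.get("sock_type"))
            elif kind == "file" and "name" in ev:
                ok = bool(spec.match(ev["name"]))
            else:
                ok = False
            hits[text] += ok
    return hits


def unused_rules(hits):
    """Rules that never fired, in profile order: the candidates to drop."""
    return [text for text, n in hits.items() if n == 0]


if __name__ == "__main__":
    for rule, n in match_rules(SAMPLE_PROFILE, SAMPLE_LOG).items():
        print(f"{n:3d}  {rule}")
    print("candidates to drop:", unused_rules(match_rules(SAMPLE_PROFILE, SAMPLE_LOG)))
```

On a real host the audited profile would be loaded with apparmor_parser and the log fed from auditd or the kernel log; the DENIED record in the sample is deliberately ignored, since a denial says nothing about whether an allow rule is needed. A rule that never fires during the test run is only a candidate: as the V3 note shows, history and code review still have the last word before a capability is dropped.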