From: Jim Fehlig
To: libvir-list@redhat.com
Subject: [PATCH V2 1/3] apparmor: Create version specific apparmor profiles
Date: Wed, 28 Jun 2023 17:15:27 -0600
Message-ID: <20230628231724.14632-2-jfehlig@suse.com>
In-Reply-To: <20230628231724.14632-1-jfehlig@suse.com>
References: <20230628231724.14632-1-jfehlig@suse.com>
List-Id: Development discussions about the libvirt library & tools
Cc: apparmor@cboltz.de

The tools in apparmor 2.x releases have problems with profile constructs commonly used with modern apparmor >= 3.0.0. Make a copy of the profiles for use with apparmor 2.x. Subsequent commits will modify the copies to be apparmor 2.x compliant.
Signed-off-by: Jim Fehlig --- meson.build | 6 +- src/security/apparmor-2/TEMPLATE.lxc | 15 + src/security/apparmor-2/TEMPLATE.qemu | 9 + src/security/apparmor-2/libvirt-lxc | 118 ++++++++ src/security/apparmor-2/libvirt-qemu | 271 ++++++++++++++++++ src/security/apparmor-2/meson.build | 41 +++ .../usr.lib.libvirt.virt-aa-helper.in | 75 +++++ .../usr.lib.libvirt.virt-aa-helper.local | 1 + src/security/apparmor-2/usr.sbin.libvirtd.in | 142 +++++++++ src/security/apparmor-2/usr.sbin.virtqemud.in | 135 +++++++++ src/security/apparmor-2/usr.sbin.virtxend.in | 55 ++++ src/security/meson.build | 3 + 12 files changed, 870 insertions(+), 1 deletion(-) diff --git a/meson.build b/meson.build index aa391e7178..4a1e32eeaf 100644 --- a/meson.build +++ b/meson.build @@ -894,7 +894,11 @@ if not get_option('apparmor_profiles').disabled() endif =20 if apparmor_profiles_enable - conf.set('WITH_APPARMOR_PROFILES', 1) + if apparmor_dep.version().version_compare('>=3D3.0.0') + conf.set('WITH_APPARMOR_PROFILES', 1) + else + conf.set('WITH_APPARMOR_PROFILES_2', 1) + endif endif endif =20 diff --git a/src/security/apparmor-2/TEMPLATE.lxc b/src/security/apparmor-2= /TEMPLATE.lxc new file mode 100644 index 0000000000..f1005dc575 --- /dev/null +++ b/src/security/apparmor-2/TEMPLATE.lxc @@ -0,0 +1,15 @@ +# +# This profile is for the domain whose UUID matches this file. +# + +#include + +profile LIBVIRT_TEMPLATE flags=3D(attach_disconnected) { + #include + + # Globally allows everything to run under this profile + # These can be narrowed depending on the container's use. + file, + capability, + network, +} diff --git a/src/security/apparmor-2/TEMPLATE.qemu b/src/security/apparmor-= 2/TEMPLATE.qemu new file mode 100644 index 0000000000..a327315d92 --- /dev/null +++ b/src/security/apparmor-2/TEMPLATE.qemu @@ -0,0 +1,9 @@ +# +# This profile is for the domain whose UUID matches this file. +# + +#include + +profile LIBVIRT_TEMPLATE flags=3D(attach_disconnected) { + #include +} 
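Review bot: the meson.build hunk routes builds against a pre-3.0 `apparmor_dep` to `WITH_APPARMOR_PROFILES_2` in the same commit that adds the unmodified copies, while the commit message defers making those copies 2.x-compliant to later commits; at this point in the series a 2.x build therefore installs exactly the profiles the message says the 2.x tools have problems with, which is a bisect hazard. Either squash the fix-ups into this commit or move the `version_compare('>=3.0.0')` switch to the last patch of the series. It is also worth stating in the commit message that `apparmor_dep.version()` is the version of the build-time dependency, whereas the constructs at issue are interpreted by `apparmor_parser` on the target host at profile load time (virt-aa-helper execs `/{usr/,}sbin/apparmor_parser`), so a build done against 3.x but deployed alongside a 2.x parser, or the reverse, gets the wrong tree with no way to override it; a meson option to force the selection would cover that case.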
diff --git a/src/security/apparmor-2/libvirt-lxc b/src/security/apparmor-2/= libvirt-lxc new file mode 100644 index 0000000000..0c8b812743 --- /dev/null +++ b/src/security/apparmor-2/libvirt-lxc 
@@ -0,0 +1,118 @@ + #include + + # Allow receiving signals from libvirtd + signal (receive) peer=3Dlibvirtd, + signal (receive) peer=3D/usr/sbin/libvirtd, + + umount, + + # ignore DENIED message on / remount + deny mount options=3D(ro, remount) -> /, + + # allow tmpfs mounts everywhere + mount fstype=3Dtmpfs, + + # allow mqueue mounts everywhere + mount fstype=3Dmqueue, + + # allow fuse mounts everywhere + mount fstype=3Dfuse.*, + + # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted + mount fstype=3Dbinfmt_misc -> /proc/sys/fs/binfmt_misc/, + deny @{PROC}/sys/fs/** wklx, + + # allow efivars to be mounted, writing to it will be blocked though + mount fstype=3Defivarfs -> /sys/firmware/efi/efivars/, + + # block some other dangerous paths + deny @{PROC}/sysrq-trigger rwklx, + deny @{PROC}/mem rwklx, + deny @{PROC}/kmem rwklx, + + # deny writes in /sys except for /sys/fs/cgroup, also allow + # fusectl, securityfs and debugfs to be mounted there (read-only) + mount fstype=3Dfusectl -> /sys/fs/fuse/connections/, + mount fstype=3Dsecurityfs -> /sys/kernel/security/, + mount fstype=3Ddebugfs -> /sys/kernel/debug/, + mount fstype=3Dproc -> /proc/, + mount fstype=3Dsysfs -> /sys/, + deny /sys/firmware/efi/efivars/** rwklx, + deny /sys/kernel/security/** rwklx, + + # generated by: lxc-generate-aa-rules.py container-rules.base + deny /proc/sys/[^kn]*{,/**} wklx, + deny /proc/sys/k[^e]*{,/**} wklx, + deny /proc/sys/ke[^r]*{,/**} wklx, + deny /proc/sys/ker[^n]*{,/**} wklx, + deny /proc/sys/kern[^e]*{,/**} wklx, + deny /proc/sys/kerne[^l]*{,/**} wklx, + deny /proc/sys/kernel/[^smhd]*{,/**} wklx, + deny /proc/sys/kernel/d[^o]*{,/**} wklx, + deny /proc/sys/kernel/do[^m]*{,/**} wklx, + deny /proc/sys/kernel/dom[^a]*{,/**} wklx, + deny /proc/sys/kernel/doma[^i]*{,/**} wklx, + deny /proc/sys/kernel/domai[^n]*{,/**} wklx, + deny /proc/sys/kernel/domain[^n]*{,/**} wklx, + deny /proc/sys/kernel/domainn[^a]*{,/**} wklx, + deny /proc/sys/kernel/domainna[^m]*{,/**} wklx, + 
deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx, + deny /proc/sys/kernel/domainname?*{,/**} wklx, + deny /proc/sys/kernel/h[^o]*{,/**} wklx, + deny /proc/sys/kernel/ho[^s]*{,/**} wklx, + deny /proc/sys/kernel/hos[^t]*{,/**} wklx, + deny /proc/sys/kernel/host[^n]*{,/**} wklx, + deny /proc/sys/kernel/hostn[^a]*{,/**} wklx, + deny /proc/sys/kernel/hostna[^m]*{,/**} wklx, + deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx, + deny /proc/sys/kernel/hostname?*{,/**} wklx, + deny /proc/sys/kernel/m[^s]*{,/**} wklx, + deny /proc/sys/kernel/ms[^g]*{,/**} wklx, + deny /proc/sys/kernel/msg*/** wklx, + deny /proc/sys/kernel/s[^he]*{,/**} wklx, + deny /proc/sys/kernel/se[^m]*{,/**} wklx, + deny /proc/sys/kernel/sem*/** wklx, + deny /proc/sys/kernel/sh[^m]*{,/**} wklx, + deny /proc/sys/kernel/shm*/** wklx, + deny /proc/sys/kernel?*{,/**} wklx, + deny /proc/sys/n[^e]*{,/**} wklx, + deny /proc/sys/ne[^t]*{,/**} wklx, + deny /proc/sys/net?*{,/**} wklx, + deny /sys/[^fdc]*{,/**} wklx, + deny /sys/c[^l]*{,/**} wklx, + deny /sys/cl[^a]*{,/**} wklx, + deny /sys/cla[^s]*{,/**} wklx, + deny /sys/clas[^s]*{,/**} wklx, + deny /sys/class/[^n]*{,/**} wklx, + deny /sys/class/n[^e]*{,/**} wklx, + deny /sys/class/ne[^t]*{,/**} wklx, + deny /sys/class/net?*{,/**} wklx, + deny /sys/class?*{,/**} wklx, + deny /sys/d[^e]*{,/**} wklx, + deny /sys/de[^v]*{,/**} wklx, + deny /sys/dev[^i]*{,/**} wklx, + deny /sys/devi[^c]*{,/**} wklx, + deny /sys/devic[^e]*{,/**} wklx, + deny /sys/device[^s]*{,/**} wklx, + deny /sys/devices/[^v]*{,/**} wklx, + deny /sys/devices/v[^i]*{,/**} wklx, + deny /sys/devices/vi[^r]*{,/**} wklx, + deny /sys/devices/vir[^t]*{,/**} wklx, + deny /sys/devices/virt[^u]*{,/**} wklx, + deny /sys/devices/virtu[^a]*{,/**} wklx, + deny /sys/devices/virtua[^l]*{,/**} wklx, + deny /sys/devices/virtual/[^n]*{,/**} wklx, + deny /sys/devices/virtual/n[^e]*{,/**} wklx, + deny /sys/devices/virtual/ne[^t]*{,/**} wklx, + deny /sys/devices/virtual/net?*{,/**} wklx, + deny /sys/devices/virtual?*{,/**} 
wklx, + deny /sys/devices?*{,/**} wklx, + deny /sys/f[^s]*{,/**} wklx, + deny /sys/fs/[^c]*{,/**} wklx, + deny /sys/fs/c[^g]*{,/**} wklx, + deny /sys/fs/cg[^r]*{,/**} wklx, + deny /sys/fs/cgr[^o]*{,/**} wklx, + deny /sys/fs/cgro[^u]*{,/**} wklx, + deny /sys/fs/cgrou[^p]*{,/**} wklx, + deny /sys/fs/cgroup?*{,/**} wklx, + deny /sys/fs?*{,/**} wklx, diff --git a/src/security/apparmor-2/libvirt-qemu b/src/security/apparmor-2= /libvirt-qemu new file mode 100644 index 0000000000..44056b5f14 --- /dev/null +++ b/src/security/apparmor-2/libvirt-qemu 
@@ -0,0 +1,271 @@ + #include + #include + #include + + # required for reading disk images + capability dac_override, + capability dac_read_search, + capability chown, + + # needed to drop privileges + capability setgid, + capability setuid, + + network inet stream, + network inet6 stream, + + ptrace (readby, tracedby) peer=3Dlibvirtd, + ptrace (readby, tracedby) peer=3D/usr/sbin/libvirtd, + ptrace (readby, tracedby) peer=3Dvirtqemud, + + signal (receive) peer=3Dlibvirtd, + signal (receive) peer=3D/usr/sbin/libvirtd, + signal (receive) peer=3Dvirtqemud, + + /dev/kvm rw, + /dev/net/tun rw, + /dev/ptmx rw, + @{PROC}/*/status r, + # When qemu is signaled to terminate, it will read cmdline of signaling + # process for reporting purposes. Allowing read access to a process + # cmdline may leak sensitive information embedded in the cmdline. + @{PROC}/@{pid}/cmdline r, + # Per man(5) proc, the kernel enforces that a thread may + # only modify its comm value or those in its thread group. + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/sys/kernel/cap_last_cap r, + @{PROC}/sys/vm/overcommit_memory r, + # detect hardware capabilities via qemu_getauxval + owner @{PROC}/*/auxv r, + # allow reading libnl's classid file + /etc/libnl{,-3}/classid r, + + # For hostdev access. The actual devices will be added dynamically + /sys/bus/usb/devices/ r, + /sys/bus/usb/devices/* r, + /sys/devices/**/usb[0-9]*/** r, + # libusb needs udev data about usb devices (~equal to content of lsusb -= v) + /run/udev/data/+usb* r, + /run/udev/data/c16[6,7]* r, + /run/udev/data/c18[0,8,9]* r, + + # WARNING: this gives the guest direct access to host hardware and speci= fic + # portions of shared memory. This is required for sound using ALSA with = kvm, + # but may constitute a security risk. If your environment does not requi= re + # the use of sound in your VMs, feel free to comment out or prepend 'den= y' to + # the rules for files in /dev. 
+ /dev/snd/* rw, + /{dev,run}/shm r, + /{dev,run}/shmpulse-shm* r, + /{dev,run}/shmpulse-shm* rwk, + capability ipc_lock, + # spice + owner /{dev,run}/shm/spice.* rw, + # 'kill' is not required for sound and is a security risk. Do not enable + # unless you absolutely need it. + deny capability kill, + + # Uncomment the following if you need access to /dev/fb* + #/dev/fb* rw, + + /etc/pulse/client.conf r, + @{HOME}/.pulse-cookie rwk, + owner /root/.pulse-cookie rwk, + owner /root/.pulse/ rw, + owner /root/.pulse/* rw, + /usr/share/alsa/** r, + owner /tmp/pulse-*/ rw, + owner /tmp/pulse-*/* rw, + /var/lib/dbus/machine-id r, + + # access to firmware's etc + /usr/share/AAVMF/** rk, + /usr/share/bochs/** r, + /usr/share/edk2-ovmf/** rk, + /usr/share/kvm/** r, + /usr/share/misc/sgabios.bin r, + /usr/share/openbios/** r, + /usr/share/openhackware/** r, + /usr/share/OVMF/** rk, + /usr/share/ovmf/** rk, + /usr/share/proll/** r, + /usr/share/qemu-efi/** r, + /usr/share/qemu-kvm/** r, + /usr/share/qemu/** rk, + /usr/share/seabios/** r, + /usr/share/sgabios/** r, + /usr/share/slof/** r, + /usr/share/vgabios/** r, + + # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140) + /etc/pki/CA/ r, + /etc/pki/CA/* r, + /etc/pki/libvirt{,-spice,-vnc}/ r, + /etc/pki/libvirt{,-spice,-vnc}/** r, + /etc/pki/qemu/ r, + /etc/pki/qemu/** r, + + # the various binaries + /usr/bin/kvm rmix, + /usr/bin/kvm-spice rmix, + /usr/bin/qemu rmix, + /usr/bin/qemu-aarch64 rmix, + /usr/bin/qemu-alpha rmix, + /usr/bin/qemu-arm rmix, + /usr/bin/qemu-armeb rmix, + /usr/bin/qemu-cris rmix, + /usr/bin/qemu-i386 rmix, + /usr/bin/qemu-kvm rmix, + /usr/bin/qemu-m68k rmix, + /usr/bin/qemu-microblaze rmix, + /usr/bin/qemu-microblazeel rmix, + /usr/bin/qemu-mips rmix, + /usr/bin/qemu-mips64 rmix, + /usr/bin/qemu-mips64el rmix, + /usr/bin/qemu-mipsel rmix, + /usr/bin/qemu-mipsn32 rmix, + /usr/bin/qemu-mipsn32el rmix, + /usr/bin/qemu-or32 rmix, + /usr/bin/qemu-ppc rmix, + /usr/bin/qemu-ppc64 rmix, + 
/usr/bin/qemu-ppc64abi32 rmix, + /usr/bin/qemu-ppc64le rmix, + /usr/bin/qemu-s390x rmix, + /usr/bin/qemu-sh4 rmix, + /usr/bin/qemu-sh4eb rmix, + /usr/bin/qemu-sparc rmix, + /usr/bin/qemu-sparc32plus rmix, + /usr/bin/qemu-sparc64 rmix, + /usr/bin/qemu-system-aarch64 rmix, + /usr/bin/qemu-system-alpha rmix, + /usr/bin/qemu-system-arm rmix, + /usr/bin/qemu-system-cris rmix, + /usr/bin/qemu-system-hppa rmix, + /usr/bin/qemu-system-i386 rmix, + /usr/bin/qemu-system-lm32 rmix, + /usr/bin/qemu-system-m68k rmix, + /usr/bin/qemu-system-microblaze rmix, + /usr/bin/qemu-system-microblazeel rmix, + /usr/bin/qemu-system-mips rmix, + /usr/bin/qemu-system-mips64 rmix, + /usr/bin/qemu-system-mips64el rmix, + /usr/bin/qemu-system-mipsel rmix, + /usr/bin/qemu-system-moxie rmix, + /usr/bin/qemu-system-nios2 rmix, + /usr/bin/qemu-system-or1k rmix, + /usr/bin/qemu-system-or32 rmix, + /usr/bin/qemu-system-ppc rmix, + /usr/bin/qemu-system-ppc64 rmix, + /usr/bin/qemu-system-ppcemb rmix, + /usr/bin/qemu-system-riscv32 rmix, + /usr/bin/qemu-system-riscv64 rmix, + /usr/bin/qemu-system-s390x rmix, + /usr/bin/qemu-system-sh4 rmix, + /usr/bin/qemu-system-sh4eb rmix, + /usr/bin/qemu-system-sparc rmix, + /usr/bin/qemu-system-sparc64 rmix, + /usr/bin/qemu-system-tricore rmix, + /usr/bin/qemu-system-unicore32 rmix, + /usr/bin/qemu-system-x86_64 rmix, + /usr/bin/qemu-system-xtensa rmix, + /usr/bin/qemu-system-xtensaeb rmix, + /usr/bin/qemu-unicore32 rmix, + /usr/bin/qemu-x86_64 rmix, + # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761) + /usr/{lib,lib64}/qemu/*.so mr, + /usr/lib/@{multiarch}/qemu/*.so mr, + + # let qemu load old shared objects after upgrades (LP: #1847361) + /{var/,}run/qemu/*/*.so mr, + # but explicitly deny writing to these files + audit deny /{var/,}run/qemu/*/*.so w, + + # swtpm + /{usr/,}bin/swtpm rmpix, + /usr/{lib,lib64}/libswtpm_libtpms.so mr, + /usr/lib/@{multiarch}/libswtpm_libtpms.so mr, + + # support for passt network back-end + /usr/bin/passt Cx -> 
passt, + + profile passt { + /usr/bin/passt r, + + signal (receive) set=3D("term") peer=3D/usr/sbin/libvirtd, + signal (receive) set=3D("term") peer=3Dlibvirtd, + signal (receive) set=3D("term") peer=3Dvirtqemud, + + owner /{,var/}run/libvirt/qemu/passt/* rw, + + include if exists + } + + # for save and resume + /{usr/,}bin/dash rmix, + /{usr/,}bin/dd rmix, + /{usr/,}bin/cat rmix, + + # for restore + /{usr/,}bin/bash rmix, + + # for usb access + /dev/bus/usb/ r, + /etc/udev/udev.conf r, + /sys/bus/ r, + /sys/class/ r, + + # for rbd + /etc/ceph/*.conf r, + + # Various functions will need to enumerate /tmp (e.g. ceph), allow the b= ase + # dir and a few known functions like samba support. + # We want to avoid to give blanket rw permission to everything under /tm= p, + # users are expected to add site specific addons for more uncommon cases. + # Qemu processes usually all run as the same users, so the "owner" + # restriction prevents access to other services files, but not across + # different instances. + # This is a tradeoff between usability and security - if paths would be = more + # predictable that would be preferred - at least for write rules we would + # want more unique paths per rule. 
+ /{,var/}tmp/ r, + owner /{,var/}tmp/**/ r, + + # for file-posix getting limits since 9103f1ce + /sys/devices/**/block/*/queue/max_segments r, + + # for ppc device-tree access + @{PROC}/device-tree/ r, + @{PROC}/device-tree/** r, + /sys/firmware/devicetree/** r, + + # allow connect with openGraphicsFD to work + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirtd), + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3D/usr/sbin= /libvirtd), + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dvirtqemud= ), + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dswtpm), + + # for gathering information about available host resources + /sys/devices/system/cpu/ r, + /sys/devices/system/node/ r, + /sys/devices/system/node/node[0-9]*/meminfo r, + /sys/module/vhost/parameters/max_mem_regions r, + + # silence refusals to open lttng files (see LP: #1432644) + deny /dev/shm/lttng-ust-wait-* r, + deny /run/shm/lttng-ust-wait-* r, + + # for vfio hotplug on systems without static vfio (LP: #1775777) + /dev/vfio/vfio rw, + + # required for sasl GSSAPI plugin + /etc/gss/mech.d/ r, + /etc/gss/mech.d/* r, + + # required by libpmem init to fts_open()/fts_read() the symlinks in + # /sys/bus/nd/devices + / r, # harmless on any lsb compliant system + /sys/bus/nd/devices/{,**/} r, + + # required for QEMU accessing UEFI nvram variables + owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk, + owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk, diff --git a/src/security/apparmor-2/meson.build b/src/security/apparmor-2/= meson.build new file mode 100644 index 0000000000..58b4024b85 --- /dev/null +++ b/src/security/apparmor-2/meson.build 
@@ -0,0 +1,41 @@ +apparmor_gen_profiles =3D [ + 'usr.lib.libvirt.virt-aa-helper', + 'usr.sbin.libvirtd', + 'usr.sbin.virtqemud', + 'usr.sbin.virtxend', +] + +apparmor_gen_profiles_conf =3D configuration_data({ + 'sysconfdir': sysconfdir, + 'sbindir': sbindir, + 'runstatedir': runstatedir, + 'libexecdir': libexecdir, +}) + +apparmor_dir =3D sysconfdir / 'apparmor.d' + +foreach name : apparmor_gen_profiles + configure_file( + input: '@0@.in'.format(name), + output: name, + configuration: apparmor_gen_profiles_conf, + install: true, + install_dir: apparmor_dir, + ) +endforeach + +install_data( + [ 'libvirt-qemu', 'libvirt-lxc' ], + install_dir: apparmor_dir / 'abstractions', +) + +install_data( + [ 'TEMPLATE.qemu', 'TEMPLATE.lxc' ], + install_dir: apparmor_dir / 'libvirt', +) + +install_data( + 'usr.lib.libvirt.virt-aa-helper.local', + install_dir: apparmor_dir / 'local', + rename: 'usr.lib.libvirt.virt-aa-helper', +) diff --git a/src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.in b/sr= c/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.in new file mode 100644 index 0000000000..ff1d46bebe --- /dev/null +++ b/src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.in 
@@ -0,0 +1,75 @@ +#include + +profile virt-aa-helper @libexecdir@/virt-aa-helper { + #include + #include + + # needed for searching directories + capability dac_override, + capability dac_read_search, + + # needed for when disk is on a network filesystem + network inet, + network inet6, + + deny @{PROC}/[0-9]*/mounts r, + @{PROC}/[0-9]*/net/psched r, + owner @{PROC}/[0-9]*/status r, + @{PROC}/filesystems r, + + # Used when internally running another command (namely apparmor_parser) + @{PROC}/@{pid}/fd/ r, + + # allow reading libnl's classid file + @sysconfdir@/libnl{,-3}/classid r, + + # for gl enabled graphics + /dev/dri/{,*} r, + + # for hostdev + /sys/devices/ r, + /sys/devices/** r, + /sys/bus/usb/devices/ r, + deny /dev/sd* r, + deny /dev/vd* r, + deny /dev/dm-* r, + deny /dev/drbd[0-9]* r, + deny /dev/dasd* r, + deny /dev/nvme* r, + deny /dev/zd[0-9]* r, + deny /dev/mapper/ r, + deny /dev/mapper/* r, + + @libexecdir@/virt-aa-helper mr, + /{usr/,}sbin/apparmor_parser Ux, + + @sysconfdir@/apparmor.d/libvirt/* r, + @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0= -9a-f]*-[0-9a-f]* rw, + + # for backingstore -- allow access to non-hidden files in @{HOME} as well + # as storage pools + audit deny @{HOME}/.* mrwkl, + audit deny @{HOME}/.*/ rw, + audit deny @{HOME}/.*/** mrwkl, + audit deny @{HOME}/bin/ rw, + audit deny @{HOME}/bin/** mrwkl, + @{HOME}/ r, + @{HOME}/** r, + /var/lib/libvirt/images/ r, + /var/lib/libvirt/images/** r, + /var/lib/nova/instances/_base/* r, + /{media,mnt,opt,srv}/** r, + # For virt-sandbox + /{,var/}run/libvirt/**/[sv]d[a-z] r, + + /**.img r, + /**.raw r, + /**.qcow{,2} r, + /**.qed r, + /**.vmdk r, + /**.vhd r, + /**.[iI][sS][oO] r, + /**/disk{,.*} r, + + #include +} diff --git a/src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.local b= /src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.local new file mode 100644 index 0000000000..c0990e51d0 --- /dev/null 
+++ b/src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.local @@ -0,0 +1 @@ +# Site-specific additions and overrides for 'usr.lib.libvirt.virt-aa-helpe= r' diff --git a/src/security/apparmor-2/usr.sbin.libvirtd.in b/src/security/ap= parmor-2/usr.sbin.libvirtd.in new file mode 100644 index 0000000000..edb8dd8e26 --- /dev/null +++ b/src/security/apparmor-2/usr.sbin.libvirtd.in 
@@ -0,0 +1,142 @@ +#include +@{LIBVIRT}=3D"libvirt" + +profile libvirtd @sbindir@/libvirtd flags=3D(attach_disconnected) { + #include + #include + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_pacct, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability audit_write, + capability ipc_lock, + capability sys_rawio, + capability bpf, + capability perfmon, + + # Needed for vfio + capability sys_resource, + + mount options=3D(rw,rslave) -> /, + mount options=3D(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/, + umount /{var/,}run/libvirt/qemu/*.dev/, + umount /dev/, + + # libvirt provides any mounts under /dev to qemu namespaces + mount options=3D(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/, + mount options=3D(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/}, + mount options=3D(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/, + mount options=3D(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d addr=3Dnone), + + ptrace (read,trace) peer=3Dunconfined, + ptrace (read,trace) peer=3D@{profile_name}, + ptrace (read,trace) peer=3Ddnsmasq, + ptrace (read,trace) peer=3D/usr/sbin/dnsmasq, + ptrace (read,trace) peer=3Dlibvirt-*, + ptrace (read,trace) peer=3Dswtpm, + + signal (send) peer=3Ddnsmasq, + signal (send) peer=3D/usr/sbin/dnsmasq, + signal (read, send) peer=3Dlibvirt-*, + signal (send) set=3D("kill", "term") peer=3Dunconfined, + + # For communication/control to qemu-bridge-helper + 
unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirtd/= /qemu_bridge_helper), + signal (send) set=3D("term") peer=3Dlibvirtd//qemu_bridge_helper, + + # allow connect with openGraphicsFD, direction reversed in newer versions + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirt-[= 0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*), + # unconfined also required if guests run without security module + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d), + + # required if guests run unconfined seclabel type=3D'none' but libvirtd = is confined + signal (read, send) peer=3Dunconfined, + + # Very lenient profile for libvirtd since we want to first focus on conf= ining + # the guests. Guests will have a very restricted profile. + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64,libexec}/xen/bin/* Ux, + /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx, + /usr/{lib,libexec}/xen-*/bin/pygrub PUx, + /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # read and run an ebtables script. 
+ /var/lib/libvirt/virtd* ixr, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + /etc/xen/scripts/** rmix, + + # allow changing to our UUID-based named profiles + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-= 9a-f]*, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_h= elper, + # child profile for bridge helper process + profile qemu_bridge_helper { + #include + + capability setuid, + capability setgid, + capability setpcap, + capability net_admin, + + network inet stream, + + # For communication/control from libvirtd + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirtd= ), + signal (receive) set=3D("term") peer=3D/usr/sbin/libvirtd, + signal (receive) set=3D("term") peer=3Dlibvirtd, + + /dev/net/tun rw, + /etc/qemu/** r, + owner @{PROC}/*/status r, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, + } +} diff --git a/src/security/apparmor-2/usr.sbin.virtqemud.in b/src/security/a= pparmor-2/usr.sbin.virtqemud.in new file mode 100644 index 0000000000..f269c60809 --- /dev/null +++ b/src/security/apparmor-2/usr.sbin.virtqemud.in 
@@ -0,0 +1,135 @@ +#include +@{LIBVIRT}=3D"libvirt" + +profile virtqemud @sbindir@/virtqemud flags=3D(attach_disconnected) { + #include + #include + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_pacct, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability audit_write, + capability ipc_lock, + capability sys_rawio, + capability bpf, + capability perfmon, + + # Needed for vfio + capability sys_resource, + + mount options=3D(rw,rslave) -> /, + mount options=3D(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/, + umount /{var/,}run/libvirt/qemu/*.dev/, + umount /dev/, + + # libvirt provides any mounts under /dev to qemu namespaces + mount options=3D(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/, + mount options=3D(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/}, + mount options=3D(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/, + mount options=3D(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d addr=3Dnone), + + ptrace (read,trace) peer=3Dunconfined, + ptrace (read,trace) peer=3D@{profile_name}, + ptrace (read,trace) peer=3Ddnsmasq, + ptrace (read,trace) peer=3D/usr/sbin/dnsmasq, + ptrace (read,trace) peer=3Dlibvirt-*, + + signal (send) peer=3Ddnsmasq, + signal (send) peer=3D/usr/sbin/dnsmasq, + signal (read, send) peer=3Dlibvirt-*, + signal (send) set=3D(kill, term) peer=3Dunconfined, + + # For communication/control to qemu-bridge-helper + unix (send, receive) type=3Dstream 
addr=3Dnone peer=3D(label=3Dlibvirtd/= /qemu_bridge_helper), + signal (send) set=3D(term) peer=3Dlibvirtd//qemu_bridge_helper, + + # allow connect with openGraphicsFD, direction reversed in newer versions + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirt-[= 0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*), + # unconfined also required if guests run without security module + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d), + + # required if guests run unconfined seclabel type=3D'none' but libvirtd = is confined + signal (read, send) peer=3Dunconfined, + + # Very lenient profile for libvirtd since we want to first focus on conf= ining + # the guests. Guests will have a very restricted profile. + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # read and run an ebtables script. 
+ /var/lib/libvirt/virtd* ixr, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + + # allow changing to our UUID-based named profiles + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-= 9a-f]*, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_h= elper, + # child profile for bridge helper process + profile qemu_bridge_helper { + #include + + capability setuid, + capability setgid, + capability setpcap, + capability net_admin, + + network inet stream, + + # For communication/control from virtqemud + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dvirtqemu= d), + signal (receive) set=3D(term) peer=3Dvirtqemud, + + /dev/net/tun rw, + /etc/qemu/** r, + owner @{PROC}/*/status r, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, + } +} diff --git a/src/security/apparmor-2/usr.sbin.virtxend.in b/src/security/ap= parmor-2/usr.sbin.virtxend.in new file mode 100644 index 0000000000..72e0d801e5 --- /dev/null +++ b/src/security/apparmor-2/usr.sbin.virtxend.in 
@@ -0,0 +1,55 @@ +#include + +profile virtxend @sbindir@/virtxend flags=3D(attach_disconnected) { + #include + #include + + capability kill, + capability setgid, + capability setuid, + capability sys_pacct, + capability ipc_lock, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d addr=3Dnone), + + ptrace (read,trace) peer=3Dunconfined, + + signal (send) set=3D(kill, term, hup) peer=3Dunconfined, + + # Very lenient profile for virtxend + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64,libexec}/xen/bin/* Ux, + /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx, + /usr/{lib,libexec}/xen-*/bin/pygrub PUx, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + /etc/xen/scripts/** rmix, +} diff --git a/src/security/meson.build b/src/security/meson.build index 6230b34aa4..078111d251 100644 --- a/src/security/meson.build +++ b/src/security/meson.build 
@@ -55,3 +55,6 @@ endif if conf.has('WITH_APPARMOR_PROFILES') subdir('apparmor') endif +if conf.has('WITH_APPARMOR_PROFILES_2') + subdir('apparmor-2') +endif --=20 2.41.0
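Review bot: in the usr.sbin.libvirtd.in hunk, `/usr/{lib,lib64,libexec}/xen/bin/* Ux,` executes everything under that directory unconfined even when a dedicated profile is loaded, whereas the neighbouring xen helpers (`xen-toolstack`, `libxl-save-helper`, `pygrub`) use `PUx`, which prefers a profile and only falls back to unconfined when none exists; unless something in xen/bin is known to break under confinement, `PUx` keeps the same fallback while honouring any profile a site ships (the same `Ux` rule is repeated in the virtxend profile). Minor: `signal (send) set=("kill", "term") peer=unconfined,` quotes the signal names while the virtqemud and virtxend profiles write `set=(kill, term)`; both forms parse, but one style across the three files would be easier to keep in sync.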
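Review bot: in the usr.sbin.virtqemud.in hunk, the parent-side rules `unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper),` and `signal (send) set=(term) peer=libvirtd//qemu_bridge_helper,` name the child as it is labelled under the libvirtd profile, but a child declared inside `profile virtqemud` carries the label `virtqemud//qemu_bridge_helper`, and the child's own rules in this same hunk already expect `peer=(label=virtqemud)` and `peer=virtqemud`; with the mismatched label the socket and signal rules would not match the helper, so the parent side should use `virtqemud//qemu_bridge_helper`. Two smaller copy-over points in the same hunk: the comment still reads "Very lenient profile for libvirtd" although this is the virtqemud profile, and the `ptrace (read,trace) peer=swtpm,` rule present in the libvirtd profile is absent here; if virtqemud manages swtpm-backed guests it likely needs the same rule.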
From: Jim Fehlig
To: libvir-list@redhat.com
Subject: [PATCH V2 2/3] apparmor: Remove support for passt from apparmor 2.x
Date: Wed, 28 Jun 2023 17:15:28 -0600
Message-ID: <20230628231724.14632-3-jfehlig@suse.com>
In-Reply-To: <20230628231724.14632-1-jfehlig@suse.com>
References: <20230628231724.14632-1-jfehlig@suse.com>
Commit 7a39b04d683f introduced support for passt in the qemu apparmor abstraction, but it contains an 'include if exists' directive that is only stable on apparmor 3.x.
Remove support for passt from the 2.x variant of the abstraction. Signed-off-by: Jim Fehlig --- src/security/apparmor-2/libvirt-qemu | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/src/security/apparmor-2/libvirt-qemu b/src/security/apparmor-2= /libvirt-qemu index 44056b5f14..9af1333b22 100644 --- a/src/security/apparmor-2/libvirt-qemu +++ b/src/security/apparmor-2/libvirt-qemu 
@@ -185,21 +185,6 @@ /usr/{lib,lib64}/libswtpm_libtpms.so mr, /usr/lib/@{multiarch}/libswtpm_libtpms.so mr, =20 - # support for passt network back-end - /usr/bin/passt Cx -> passt, - - profile passt { - /usr/bin/passt r, - - signal (receive) set=3D("term") peer=3D/usr/sbin/libvirtd, - signal (receive) set=3D("term") peer=3Dlibvirtd, - signal (receive) set=3D("term") peer=3Dvirtqemud, - - owner /{,var/}run/libvirt/qemu/passt/* rw, - - include if exists - } - - # for save and resume /{usr/,}bin/dash rmix, /{usr/,}bin/dd rmix, --=20 2.41.0
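Review bot: the hunk removes the whole `passt` child profile, but the commit message identifies only the `include if exists` line as the apparmor 3.x-specific piece; dropping that single line and keeping `/usr/bin/passt Cx -> passt,` together with the `profile passt { ... }` block would leave passt usable on apparmor 2.x hosts. If passt is intentionally unsupported there, the commit message should say so, because a guest profile built from this abstraction will then contain no rule covering `/usr/bin/passt` and the resulting denial will be hard to trace back to this change.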
From: Jim Fehlig
To: libvir-list@redhat.com
Subject: [PATCH V2 3/3] apparmor: Add support for local profile customizations
Date: Wed, 28 Jun 2023 17:15:29 -0600
Message-ID: <20230628231724.14632-4-jfehlig@suse.com>
In-Reply-To: <20230628231724.14632-1-jfehlig@suse.com>
References: <20230628231724.14632-1-jfehlig@suse.com>
Apparmor profiles in /etc/apparmor.d/ are config files that can be replaced on package upgrade, which introduces the potential to overwrite any local changes. Apparmor supports local profile customizations via /etc/apparmor.d/local/ [1]. In addition, apparmor 3.x supports local customizations of profile abstractions via an abstractions/.d drop directory. In order to support local customizations, the main profiles and abstractions must 'include if exists' the local changes. This directive is only stable on apparmor 3.x, so support for local profile customizations is limited to apparmor >= 3.0.0.
Signed-off-by: Jim Fehlig --- src/security/apparmor/libvirt-lxc | 3 +++ src/security/apparmor/libvirt-qemu | 3 +++ src/security/apparmor/usr.sbin.libvirtd.in | 5 ++++- src/security/apparmor/usr.sbin.virtqemud.in | 3 +++ src/security/apparmor/usr.sbin.virtxend.in | 3 +++ 5 files changed, 16 insertions(+), 1 deletion(-) diff --git a/src/security/apparmor/libvirt-lxc b/src/security/apparmor/libv= irt-lxc index 0c8b812743..734dd95c6e 100644 --- a/src/security/apparmor/libvirt-lxc +++ b/src/security/apparmor/libvirt-lxc @@ -116,3 +116,6 @@ deny /sys/fs/cgrou[^p]*{,/**} wklx, deny /sys/fs/cgroup?*{,/**} wklx, deny /sys/fs?*{,/**} wklx, + + # Site-specific additions and overrides. + include if exists diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/lib= virt-qemu index 44056b5f14..bed7c4ad76 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -269,3 +269,6 @@ # required for QEMU accessing UEFI nvram variables owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk, owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk, + + # Site-specific additions and overrides. + include if exists diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/appa= rmor/usr.sbin.libvirtd.in index edb8dd8e26..20041fcf67 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -139,4 +139,7 @@ profile libvirtd @sbindir@/libvirtd flags=3D(attach_dis= connected) { =20 /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, } -} + + # Site-specific additions and overrides. See local/README for details. + include if exists + } diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/app= armor/usr.sbin.virtqemud.in index f269c60809..3ebdbf2a8f 100644 --- a/src/security/apparmor/usr.sbin.virtqemud.in +++ b/src/security/apparmor/usr.sbin.virtqemud.in 
@@ -132,4 +132,7 @@ profile virtqemud @sbindir@/virtqemud flags=3D(attach_d= isconnected) { =20 /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, } + + # Site-specific additions and overrides. See local/README for details. + include if exists } diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/appa= rmor/usr.sbin.virtxend.in index 72e0d801e5..719766a0c1 100644 --- a/src/security/apparmor/usr.sbin.virtxend.in +++ b/src/security/apparmor/usr.sbin.virtxend.in @@ -52,4 +52,7 @@ profile virtxend @sbindir@/virtxend flags=3D(attach_disco= nnected) { @libexecdir@/libvirt_iohelper ix, /etc/libvirt/hooks/** rmix, /etc/xen/scripts/** rmix, + + # Site-specific additions and overrides. See local/README for details. + include if exists } --=20 2.41.0
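Review bot: in the usr.sbin.libvirtd.in hunk the profile's closing brace is deleted (`-}`) and re-added as `+ }`, i.e. reindented, while the virtqemud and virtxend hunks leave their closing `}` as unchanged context; the single deletion in the diffstat is this brace. Leave the brace untouched so the change is insertion-only and consistent across the three profiles.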
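Review bot: in the libvirt-lxc hunk the new include lands directly beneath `deny /sys/fs?*{,/**} wklx,` and the other cgroup and sysfs deny rules, yet the comment promises "additions and overrides"; AppArmor deny rules take precedence over allow rules no matter where the allow is included, so a local file can add permissions but cannot override these denies. Wording the comment as "site-specific additions", or noting that deny rules cannot be relaxed from the local file, would save administrators from expecting an override that the policy language does not grant.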