From: Jim Fehlig
To: libvir-list@redhat.com
Cc: apparmor@cboltz.de
Subject: [PATCH V2 1/3] apparmor: Create version specific apparmor profiles
Date: Wed, 28 Jun 2023 17:15:27 -0600
Message-ID: <20230628231724.14632-2-jfehlig@suse.com>
In-Reply-To: <20230628231724.14632-1-jfehlig@suse.com>
References: <20230628231724.14632-1-jfehlig@suse.com>
List-Id: Development discussions about the libvirt library & tools

The tools in apparmor 2.x releases have problems with profile constructs
commonly used with modern apparmor >= 3.0.0. Make a copy of the profiles
for use with apparmor 2.x. Subsequent commits will modify the copies to
be apparmor 2.x compliant.
Signed-off-by: Jim Fehlig --- meson.build | 6 +- src/security/apparmor-2/TEMPLATE.lxc | 15 + src/security/apparmor-2/TEMPLATE.qemu | 9 + src/security/apparmor-2/libvirt-lxc | 118 ++++++++ src/security/apparmor-2/libvirt-qemu | 271 ++++++++++++++++++ src/security/apparmor-2/meson.build | 41 +++ .../usr.lib.libvirt.virt-aa-helper.in | 75 +++++ .../usr.lib.libvirt.virt-aa-helper.local | 1 + src/security/apparmor-2/usr.sbin.libvirtd.in | 142 +++++++++ src/security/apparmor-2/usr.sbin.virtqemud.in | 135 +++++++++ src/security/apparmor-2/usr.sbin.virtxend.in | 55 ++++ src/security/meson.build | 3 + 12 files changed, 870 insertions(+), 1 deletion(-) diff --git a/meson.build b/meson.build index aa391e7178..4a1e32eeaf 100644 --- a/meson.build +++ b/meson.build @@ -894,7 +894,11 @@ if not get_option('apparmor_profiles').disabled() endif =20 if apparmor_profiles_enable - conf.set('WITH_APPARMOR_PROFILES', 1) + if apparmor_dep.version().version_compare('>=3D3.0.0') + conf.set('WITH_APPARMOR_PROFILES', 1) + else + conf.set('WITH_APPARMOR_PROFILES_2', 1) + endif endif endif =20 diff --git a/src/security/apparmor-2/TEMPLATE.lxc b/src/security/apparmor-2= /TEMPLATE.lxc new file mode 100644 index 0000000000..f1005dc575 --- /dev/null +++ b/src/security/apparmor-2/TEMPLATE.lxc @@ -0,0 +1,15 @@ +# +# This profile is for the domain whose UUID matches this file. +# + +#include + +profile LIBVIRT_TEMPLATE flags=3D(attach_disconnected) { + #include + + # Globally allows everything to run under this profile + # These can be narrowed depending on the container's use. + file, + capability, + network, +} diff --git a/src/security/apparmor-2/TEMPLATE.qemu b/src/security/apparmor-= 2/TEMPLATE.qemu new file mode 100644 index 0000000000..a327315d92 --- /dev/null +++ b/src/security/apparmor-2/TEMPLATE.qemu @@ -0,0 +1,9 @@ +# +# This profile is for the domain whose UUID matches this file. +# + +#include + +profile LIBVIRT_TEMPLATE flags=3D(attach_disconnected) { + #include +} 
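Review bot: the meson.build hunk keys the profile flavour off apparmor_dep.version(), i.e. the libapparmor library the build links against, while the commit message says the incompatibility is in the apparmor 2.x tools (apparmor_parser). Library and parser are packaged separately on some distributions and can disagree, and a cross or chroot build sees the build host's library but the target's parser, so the check can select the 3.x profiles for a host whose parser cannot load them (or the 2.x copies where the newer syntax would have worked). Either probe the parser itself (find_program('apparmor_parser') plus run_command(..., '--version') and compare that), or add a comment next to the version_compare('>=3.0.0') stating the assumption that libapparmor and apparmor_parser come from the same release. Since this branch stops setting WITH_APPARMOR_PROFILES on 2.x hosts, also confirm that every other consumer of that define (the src/security/meson.build change in the diffstat is not shown on this page) is updated to handle WITH_APPARMOR_PROFILES_2, and document the new define alongside the apparmor_profiles option in the build docs.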
diff --git a/src/security/apparmor-2/libvirt-lxc b/src/security/apparmor-2/= libvirt-lxc new file mode 100644 index 0000000000..0c8b812743 --- /dev/null +++ b/src/security/apparmor-2/libvirt-lxc 
@@ -0,0 +1,118 @@ + #include + + # Allow receiving signals from libvirtd + signal (receive) peer=3Dlibvirtd, + signal (receive) peer=3D/usr/sbin/libvirtd, + + umount, + + # ignore DENIED message on / remount + deny mount options=3D(ro, remount) -> /, + + # allow tmpfs mounts everywhere + mount fstype=3Dtmpfs, + + # allow mqueue mounts everywhere + mount fstype=3Dmqueue, + + # allow fuse mounts everywhere + mount fstype=3Dfuse.*, + + # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted + mount fstype=3Dbinfmt_misc -> /proc/sys/fs/binfmt_misc/, + deny @{PROC}/sys/fs/** wklx, + + # allow efivars to be mounted, writing to it will be blocked though + mount fstype=3Defivarfs -> /sys/firmware/efi/efivars/, + + # block some other dangerous paths + deny @{PROC}/sysrq-trigger rwklx, + deny @{PROC}/mem rwklx, + deny @{PROC}/kmem rwklx, + + # deny writes in /sys except for /sys/fs/cgroup, also allow + # fusectl, securityfs and debugfs to be mounted there (read-only) + mount fstype=3Dfusectl -> /sys/fs/fuse/connections/, + mount fstype=3Dsecurityfs -> /sys/kernel/security/, + mount fstype=3Ddebugfs -> /sys/kernel/debug/, + mount fstype=3Dproc -> /proc/, + mount fstype=3Dsysfs -> /sys/, + deny /sys/firmware/efi/efivars/** rwklx, + deny /sys/kernel/security/** rwklx, + + # generated by: lxc-generate-aa-rules.py container-rules.base + deny /proc/sys/[^kn]*{,/**} wklx, + deny /proc/sys/k[^e]*{,/**} wklx, + deny /proc/sys/ke[^r]*{,/**} wklx, + deny /proc/sys/ker[^n]*{,/**} wklx, + deny /proc/sys/kern[^e]*{,/**} wklx, + deny /proc/sys/kerne[^l]*{,/**} wklx, + deny /proc/sys/kernel/[^smhd]*{,/**} wklx, + deny /proc/sys/kernel/d[^o]*{,/**} wklx, + deny /proc/sys/kernel/do[^m]*{,/**} wklx, + deny /proc/sys/kernel/dom[^a]*{,/**} wklx, + deny /proc/sys/kernel/doma[^i]*{,/**} wklx, + deny /proc/sys/kernel/domai[^n]*{,/**} wklx, + deny /proc/sys/kernel/domain[^n]*{,/**} wklx, + deny /proc/sys/kernel/domainn[^a]*{,/**} wklx, + deny /proc/sys/kernel/domainna[^m]*{,/**} wklx, + 
deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx, + deny /proc/sys/kernel/domainname?*{,/**} wklx, + deny /proc/sys/kernel/h[^o]*{,/**} wklx, + deny /proc/sys/kernel/ho[^s]*{,/**} wklx, + deny /proc/sys/kernel/hos[^t]*{,/**} wklx, + deny /proc/sys/kernel/host[^n]*{,/**} wklx, + deny /proc/sys/kernel/hostn[^a]*{,/**} wklx, + deny /proc/sys/kernel/hostna[^m]*{,/**} wklx, + deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx, + deny /proc/sys/kernel/hostname?*{,/**} wklx, + deny /proc/sys/kernel/m[^s]*{,/**} wklx, + deny /proc/sys/kernel/ms[^g]*{,/**} wklx, + deny /proc/sys/kernel/msg*/** wklx, + deny /proc/sys/kernel/s[^he]*{,/**} wklx, + deny /proc/sys/kernel/se[^m]*{,/**} wklx, + deny /proc/sys/kernel/sem*/** wklx, + deny /proc/sys/kernel/sh[^m]*{,/**} wklx, + deny /proc/sys/kernel/shm*/** wklx, + deny /proc/sys/kernel?*{,/**} wklx, + deny /proc/sys/n[^e]*{,/**} wklx, + deny /proc/sys/ne[^t]*{,/**} wklx, + deny /proc/sys/net?*{,/**} wklx, + deny /sys/[^fdc]*{,/**} wklx, + deny /sys/c[^l]*{,/**} wklx, + deny /sys/cl[^a]*{,/**} wklx, + deny /sys/cla[^s]*{,/**} wklx, + deny /sys/clas[^s]*{,/**} wklx, + deny /sys/class/[^n]*{,/**} wklx, + deny /sys/class/n[^e]*{,/**} wklx, + deny /sys/class/ne[^t]*{,/**} wklx, + deny /sys/class/net?*{,/**} wklx, + deny /sys/class?*{,/**} wklx, + deny /sys/d[^e]*{,/**} wklx, + deny /sys/de[^v]*{,/**} wklx, + deny /sys/dev[^i]*{,/**} wklx, + deny /sys/devi[^c]*{,/**} wklx, + deny /sys/devic[^e]*{,/**} wklx, + deny /sys/device[^s]*{,/**} wklx, + deny /sys/devices/[^v]*{,/**} wklx, + deny /sys/devices/v[^i]*{,/**} wklx, + deny /sys/devices/vi[^r]*{,/**} wklx, + deny /sys/devices/vir[^t]*{,/**} wklx, + deny /sys/devices/virt[^u]*{,/**} wklx, + deny /sys/devices/virtu[^a]*{,/**} wklx, + deny /sys/devices/virtua[^l]*{,/**} wklx, + deny /sys/devices/virtual/[^n]*{,/**} wklx, + deny /sys/devices/virtual/n[^e]*{,/**} wklx, + deny /sys/devices/virtual/ne[^t]*{,/**} wklx, + deny /sys/devices/virtual/net?*{,/**} wklx, + deny /sys/devices/virtual?*{,/**} 
wklx, + deny /sys/devices?*{,/**} wklx, + deny /sys/f[^s]*{,/**} wklx, + deny /sys/fs/[^c]*{,/**} wklx, + deny /sys/fs/c[^g]*{,/**} wklx, + deny /sys/fs/cg[^r]*{,/**} wklx, + deny /sys/fs/cgr[^o]*{,/**} wklx, + deny /sys/fs/cgro[^u]*{,/**} wklx, + deny /sys/fs/cgrou[^p]*{,/**} wklx, + deny /sys/fs/cgroup?*{,/**} wklx, + deny /sys/fs?*{,/**} wklx, diff --git a/src/security/apparmor-2/libvirt-qemu b/src/security/apparmor-2= /libvirt-qemu new file mode 100644 index 0000000000..44056b5f14 --- /dev/null +++ b/src/security/apparmor-2/libvirt-qemu 
@@ -0,0 +1,271 @@ + #include + #include + #include + + # required for reading disk images + capability dac_override, + capability dac_read_search, + capability chown, + + # needed to drop privileges + capability setgid, + capability setuid, + + network inet stream, + network inet6 stream, + + ptrace (readby, tracedby) peer=3Dlibvirtd, + ptrace (readby, tracedby) peer=3D/usr/sbin/libvirtd, + ptrace (readby, tracedby) peer=3Dvirtqemud, + + signal (receive) peer=3Dlibvirtd, + signal (receive) peer=3D/usr/sbin/libvirtd, + signal (receive) peer=3Dvirtqemud, + + /dev/kvm rw, + /dev/net/tun rw, + /dev/ptmx rw, + @{PROC}/*/status r, + # When qemu is signaled to terminate, it will read cmdline of signaling + # process for reporting purposes. Allowing read access to a process + # cmdline may leak sensitive information embedded in the cmdline. + @{PROC}/@{pid}/cmdline r, + # Per man(5) proc, the kernel enforces that a thread may + # only modify its comm value or those in its thread group. + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/sys/kernel/cap_last_cap r, + @{PROC}/sys/vm/overcommit_memory r, + # detect hardware capabilities via qemu_getauxval + owner @{PROC}/*/auxv r, + # allow reading libnl's classid file + /etc/libnl{,-3}/classid r, + + # For hostdev access. The actual devices will be added dynamically + /sys/bus/usb/devices/ r, + /sys/bus/usb/devices/* r, + /sys/devices/**/usb[0-9]*/** r, + # libusb needs udev data about usb devices (~equal to content of lsusb -= v) + /run/udev/data/+usb* r, + /run/udev/data/c16[6,7]* r, + /run/udev/data/c18[0,8,9]* r, + + # WARNING: this gives the guest direct access to host hardware and speci= fic + # portions of shared memory. This is required for sound using ALSA with = kvm, + # but may constitute a security risk. If your environment does not requi= re + # the use of sound in your VMs, feel free to comment out or prepend 'den= y' to + # the rules for files in /dev. 
+ /dev/snd/* rw, + /{dev,run}/shm r, + /{dev,run}/shmpulse-shm* r, + /{dev,run}/shmpulse-shm* rwk, + capability ipc_lock, + # spice + owner /{dev,run}/shm/spice.* rw, + # 'kill' is not required for sound and is a security risk. Do not enable + # unless you absolutely need it. + deny capability kill, + + # Uncomment the following if you need access to /dev/fb* + #/dev/fb* rw, + + /etc/pulse/client.conf r, + @{HOME}/.pulse-cookie rwk, + owner /root/.pulse-cookie rwk, + owner /root/.pulse/ rw, + owner /root/.pulse/* rw, + /usr/share/alsa/** r, + owner /tmp/pulse-*/ rw, + owner /tmp/pulse-*/* rw, + /var/lib/dbus/machine-id r, + + # access to firmware's etc + /usr/share/AAVMF/** rk, + /usr/share/bochs/** r, + /usr/share/edk2-ovmf/** rk, + /usr/share/kvm/** r, + /usr/share/misc/sgabios.bin r, + /usr/share/openbios/** r, + /usr/share/openhackware/** r, + /usr/share/OVMF/** rk, + /usr/share/ovmf/** rk, + /usr/share/proll/** r, + /usr/share/qemu-efi/** r, + /usr/share/qemu-kvm/** r, + /usr/share/qemu/** rk, + /usr/share/seabios/** r, + /usr/share/sgabios/** r, + /usr/share/slof/** r, + /usr/share/vgabios/** r, + + # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140) + /etc/pki/CA/ r, + /etc/pki/CA/* r, + /etc/pki/libvirt{,-spice,-vnc}/ r, + /etc/pki/libvirt{,-spice,-vnc}/** r, + /etc/pki/qemu/ r, + /etc/pki/qemu/** r, + + # the various binaries + /usr/bin/kvm rmix, + /usr/bin/kvm-spice rmix, + /usr/bin/qemu rmix, + /usr/bin/qemu-aarch64 rmix, + /usr/bin/qemu-alpha rmix, + /usr/bin/qemu-arm rmix, + /usr/bin/qemu-armeb rmix, + /usr/bin/qemu-cris rmix, + /usr/bin/qemu-i386 rmix, + /usr/bin/qemu-kvm rmix, + /usr/bin/qemu-m68k rmix, + /usr/bin/qemu-microblaze rmix, + /usr/bin/qemu-microblazeel rmix, + /usr/bin/qemu-mips rmix, + /usr/bin/qemu-mips64 rmix, + /usr/bin/qemu-mips64el rmix, + /usr/bin/qemu-mipsel rmix, + /usr/bin/qemu-mipsn32 rmix, + /usr/bin/qemu-mipsn32el rmix, + /usr/bin/qemu-or32 rmix, + /usr/bin/qemu-ppc rmix, + /usr/bin/qemu-ppc64 rmix, + 
/usr/bin/qemu-ppc64abi32 rmix, + /usr/bin/qemu-ppc64le rmix, + /usr/bin/qemu-s390x rmix, + /usr/bin/qemu-sh4 rmix, + /usr/bin/qemu-sh4eb rmix, + /usr/bin/qemu-sparc rmix, + /usr/bin/qemu-sparc32plus rmix, + /usr/bin/qemu-sparc64 rmix, + /usr/bin/qemu-system-aarch64 rmix, + /usr/bin/qemu-system-alpha rmix, + /usr/bin/qemu-system-arm rmix, + /usr/bin/qemu-system-cris rmix, + /usr/bin/qemu-system-hppa rmix, + /usr/bin/qemu-system-i386 rmix, + /usr/bin/qemu-system-lm32 rmix, + /usr/bin/qemu-system-m68k rmix, + /usr/bin/qemu-system-microblaze rmix, + /usr/bin/qemu-system-microblazeel rmix, + /usr/bin/qemu-system-mips rmix, + /usr/bin/qemu-system-mips64 rmix, + /usr/bin/qemu-system-mips64el rmix, + /usr/bin/qemu-system-mipsel rmix, + /usr/bin/qemu-system-moxie rmix, + /usr/bin/qemu-system-nios2 rmix, + /usr/bin/qemu-system-or1k rmix, + /usr/bin/qemu-system-or32 rmix, + /usr/bin/qemu-system-ppc rmix, + /usr/bin/qemu-system-ppc64 rmix, + /usr/bin/qemu-system-ppcemb rmix, + /usr/bin/qemu-system-riscv32 rmix, + /usr/bin/qemu-system-riscv64 rmix, + /usr/bin/qemu-system-s390x rmix, + /usr/bin/qemu-system-sh4 rmix, + /usr/bin/qemu-system-sh4eb rmix, + /usr/bin/qemu-system-sparc rmix, + /usr/bin/qemu-system-sparc64 rmix, + /usr/bin/qemu-system-tricore rmix, + /usr/bin/qemu-system-unicore32 rmix, + /usr/bin/qemu-system-x86_64 rmix, + /usr/bin/qemu-system-xtensa rmix, + /usr/bin/qemu-system-xtensaeb rmix, + /usr/bin/qemu-unicore32 rmix, + /usr/bin/qemu-x86_64 rmix, + # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761) + /usr/{lib,lib64}/qemu/*.so mr, + /usr/lib/@{multiarch}/qemu/*.so mr, + + # let qemu load old shared objects after upgrades (LP: #1847361) + /{var/,}run/qemu/*/*.so mr, + # but explicitly deny writing to these files + audit deny /{var/,}run/qemu/*/*.so w, + + # swtpm + /{usr/,}bin/swtpm rmpix, + /usr/{lib,lib64}/libswtpm_libtpms.so mr, + /usr/lib/@{multiarch}/libswtpm_libtpms.so mr, + + # support for passt network back-end + /usr/bin/passt Cx -> 
passt, + + profile passt { + /usr/bin/passt r, + + signal (receive) set=3D("term") peer=3D/usr/sbin/libvirtd, + signal (receive) set=3D("term") peer=3Dlibvirtd, + signal (receive) set=3D("term") peer=3Dvirtqemud, + + owner /{,var/}run/libvirt/qemu/passt/* rw, + + include if exists + } + + # for save and resume + /{usr/,}bin/dash rmix, + /{usr/,}bin/dd rmix, + /{usr/,}bin/cat rmix, + + # for restore + /{usr/,}bin/bash rmix, + + # for usb access + /dev/bus/usb/ r, + /etc/udev/udev.conf r, + /sys/bus/ r, + /sys/class/ r, + + # for rbd + /etc/ceph/*.conf r, + + # Various functions will need to enumerate /tmp (e.g. ceph), allow the b= ase + # dir and a few known functions like samba support. + # We want to avoid to give blanket rw permission to everything under /tm= p, + # users are expected to add site specific addons for more uncommon cases. + # Qemu processes usually all run as the same users, so the "owner" + # restriction prevents access to other services files, but not across + # different instances. + # This is a tradeoff between usability and security - if paths would be = more + # predictable that would be preferred - at least for write rules we would + # want more unique paths per rule. 
+ /{,var/}tmp/ r, + owner /{,var/}tmp/**/ r, + + # for file-posix getting limits since 9103f1ce + /sys/devices/**/block/*/queue/max_segments r, + + # for ppc device-tree access + @{PROC}/device-tree/ r, + @{PROC}/device-tree/** r, + /sys/firmware/devicetree/** r, + + # allow connect with openGraphicsFD to work + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirtd), + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3D/usr/sbin= /libvirtd), + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dvirtqemud= ), + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dswtpm), + + # for gathering information about available host resources + /sys/devices/system/cpu/ r, + /sys/devices/system/node/ r, + /sys/devices/system/node/node[0-9]*/meminfo r, + /sys/module/vhost/parameters/max_mem_regions r, + + # silence refusals to open lttng files (see LP: #1432644) + deny /dev/shm/lttng-ust-wait-* r, + deny /run/shm/lttng-ust-wait-* r, + + # for vfio hotplug on systems without static vfio (LP: #1775777) + /dev/vfio/vfio rw, + + # required for sasl GSSAPI plugin + /etc/gss/mech.d/ r, + /etc/gss/mech.d/* r, + + # required by libpmem init to fts_open()/fts_read() the symlinks in + # /sys/bus/nd/devices + / r, # harmless on any lsb compliant system + /sys/bus/nd/devices/{,**/} r, + + # required for QEMU accessing UEFI nvram variables + owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk, + owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk, diff --git a/src/security/apparmor-2/meson.build b/src/security/apparmor-2/= meson.build new file mode 100644 index 0000000000..58b4024b85 --- /dev/null +++ b/src/security/apparmor-2/meson.build 
@@ -0,0 +1,41 @@ +apparmor_gen_profiles =3D [ + 'usr.lib.libvirt.virt-aa-helper', + 'usr.sbin.libvirtd', + 'usr.sbin.virtqemud', + 'usr.sbin.virtxend', +] + +apparmor_gen_profiles_conf =3D configuration_data({ + 'sysconfdir': sysconfdir, + 'sbindir': sbindir, + 'runstatedir': runstatedir, + 'libexecdir': libexecdir, +}) + +apparmor_dir =3D sysconfdir / 'apparmor.d' + +foreach name : apparmor_gen_profiles + configure_file( + input: '@0@.in'.format(name), + output: name, + configuration: apparmor_gen_profiles_conf, + install: true, + install_dir: apparmor_dir, + ) +endforeach + +install_data( + [ 'libvirt-qemu', 'libvirt-lxc' ], + install_dir: apparmor_dir / 'abstractions', +) + +install_data( + [ 'TEMPLATE.qemu', 'TEMPLATE.lxc' ], + install_dir: apparmor_dir / 'libvirt', +) + +install_data( + 'usr.lib.libvirt.virt-aa-helper.local', + install_dir: apparmor_dir / 'local', + rename: 'usr.lib.libvirt.virt-aa-helper', +) diff --git a/src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.in b/sr= c/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.in new file mode 100644 index 0000000000..ff1d46bebe --- /dev/null +++ b/src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.in 
@@ -0,0 +1,75 @@ +#include + +profile virt-aa-helper @libexecdir@/virt-aa-helper { + #include + #include + + # needed for searching directories + capability dac_override, + capability dac_read_search, + + # needed for when disk is on a network filesystem + network inet, + network inet6, + + deny @{PROC}/[0-9]*/mounts r, + @{PROC}/[0-9]*/net/psched r, + owner @{PROC}/[0-9]*/status r, + @{PROC}/filesystems r, + + # Used when internally running another command (namely apparmor_parser) + @{PROC}/@{pid}/fd/ r, + + # allow reading libnl's classid file + @sysconfdir@/libnl{,-3}/classid r, + + # for gl enabled graphics + /dev/dri/{,*} r, + + # for hostdev + /sys/devices/ r, + /sys/devices/** r, + /sys/bus/usb/devices/ r, + deny /dev/sd* r, + deny /dev/vd* r, + deny /dev/dm-* r, + deny /dev/drbd[0-9]* r, + deny /dev/dasd* r, + deny /dev/nvme* r, + deny /dev/zd[0-9]* r, + deny /dev/mapper/ r, + deny /dev/mapper/* r, + + @libexecdir@/virt-aa-helper mr, + /{usr/,}sbin/apparmor_parser Ux, + + @sysconfdir@/apparmor.d/libvirt/* r, + @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0= -9a-f]*-[0-9a-f]* rw, + + # for backingstore -- allow access to non-hidden files in @{HOME} as well + # as storage pools + audit deny @{HOME}/.* mrwkl, + audit deny @{HOME}/.*/ rw, + audit deny @{HOME}/.*/** mrwkl, + audit deny @{HOME}/bin/ rw, + audit deny @{HOME}/bin/** mrwkl, + @{HOME}/ r, + @{HOME}/** r, + /var/lib/libvirt/images/ r, + /var/lib/libvirt/images/** r, + /var/lib/nova/instances/_base/* r, + /{media,mnt,opt,srv}/** r, + # For virt-sandbox + /{,var/}run/libvirt/**/[sv]d[a-z] r, + + /**.img r, + /**.raw r, + /**.qcow{,2} r, + /**.qed r, + /**.vmdk r, + /**.vhd r, + /**.[iI][sS][oO] r, + /**/disk{,.*} r, + + #include +} diff --git a/src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.local b= /src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.local new file mode 100644 index 0000000000..c0990e51d0 --- /dev/null 
+++ b/src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.local @@ -0,0 +1 @@ +# Site-specific additions and overrides for 'usr.lib.libvirt.virt-aa-helpe= r' diff --git a/src/security/apparmor-2/usr.sbin.libvirtd.in b/src/security/ap= parmor-2/usr.sbin.libvirtd.in new file mode 100644 index 0000000000..edb8dd8e26 --- /dev/null +++ b/src/security/apparmor-2/usr.sbin.libvirtd.in 
@@ -0,0 +1,142 @@ +#include +@{LIBVIRT}=3D"libvirt" + +profile libvirtd @sbindir@/libvirtd flags=3D(attach_disconnected) { + #include + #include + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_pacct, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability audit_write, + capability ipc_lock, + capability sys_rawio, + capability bpf, + capability perfmon, + + # Needed for vfio + capability sys_resource, + + mount options=3D(rw,rslave) -> /, + mount options=3D(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/, + umount /{var/,}run/libvirt/qemu/*.dev/, + umount /dev/, + + # libvirt provides any mounts under /dev to qemu namespaces + mount options=3D(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/, + mount options=3D(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/}, + mount options=3D(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/, + mount options=3D(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d addr=3Dnone), + + ptrace (read,trace) peer=3Dunconfined, + ptrace (read,trace) peer=3D@{profile_name}, + ptrace (read,trace) peer=3Ddnsmasq, + ptrace (read,trace) peer=3D/usr/sbin/dnsmasq, + ptrace (read,trace) peer=3Dlibvirt-*, + ptrace (read,trace) peer=3Dswtpm, + + signal (send) peer=3Ddnsmasq, + signal (send) peer=3D/usr/sbin/dnsmasq, + signal (read, send) peer=3Dlibvirt-*, + signal (send) set=3D("kill", "term") peer=3Dunconfined, + + # For communication/control to qemu-bridge-helper + 
unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirtd/= /qemu_bridge_helper), + signal (send) set=3D("term") peer=3Dlibvirtd//qemu_bridge_helper, + + # allow connect with openGraphicsFD, direction reversed in newer versions + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirt-[= 0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*), + # unconfined also required if guests run without security module + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d), + + # required if guests run unconfined seclabel type=3D'none' but libvirtd = is confined + signal (read, send) peer=3Dunconfined, + + # Very lenient profile for libvirtd since we want to first focus on conf= ining + # the guests. Guests will have a very restricted profile. + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64,libexec}/xen/bin/* Ux, + /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx, + /usr/{lib,libexec}/xen-*/bin/pygrub PUx, + /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # read and run an ebtables script. 
+ /var/lib/libvirt/virtd* ixr, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + /etc/xen/scripts/** rmix, + + # allow changing to our UUID-based named profiles + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-= 9a-f]*, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_h= elper, + # child profile for bridge helper process + profile qemu_bridge_helper { + #include + + capability setuid, + capability setgid, + capability setpcap, + capability net_admin, + + network inet stream, + + # For communication/control from libvirtd + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirtd= ), + signal (receive) set=3D("term") peer=3D/usr/sbin/libvirtd, + signal (receive) set=3D("term") peer=3Dlibvirtd, + + /dev/net/tun rw, + /etc/qemu/** r, + owner @{PROC}/*/status r, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, + } +} diff --git a/src/security/apparmor-2/usr.sbin.virtqemud.in b/src/security/a= pparmor-2/usr.sbin.virtqemud.in new file mode 100644 index 0000000000..f269c60809 --- /dev/null +++ b/src/security/apparmor-2/usr.sbin.virtqemud.in 
@@ -0,0 +1,135 @@ +#include +@{LIBVIRT}=3D"libvirt" + +profile virtqemud @sbindir@/virtqemud flags=3D(attach_disconnected) { + #include + #include + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_pacct, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability audit_write, + capability ipc_lock, + capability sys_rawio, + capability bpf, + capability perfmon, + + # Needed for vfio + capability sys_resource, + + mount options=3D(rw,rslave) -> /, + mount options=3D(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/, + umount /{var/,}run/libvirt/qemu/*.dev/, + umount /dev/, + + # libvirt provides any mounts under /dev to qemu namespaces + mount options=3D(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/, + mount options=3D(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/}, + mount options=3D(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/, + mount options=3D(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d addr=3Dnone), + + ptrace (read,trace) peer=3Dunconfined, + ptrace (read,trace) peer=3D@{profile_name}, + ptrace (read,trace) peer=3Ddnsmasq, + ptrace (read,trace) peer=3D/usr/sbin/dnsmasq, + ptrace (read,trace) peer=3Dlibvirt-*, + + signal (send) peer=3Ddnsmasq, + signal (send) peer=3D/usr/sbin/dnsmasq, + signal (read, send) peer=3Dlibvirt-*, + signal (send) set=3D(kill, term) peer=3Dunconfined, + + # For communication/control to qemu-bridge-helper + unix (send, receive) type=3Dstream 
addr=3Dnone peer=3D(label=3Dlibvirtd/= /qemu_bridge_helper), + signal (send) set=3D(term) peer=3Dlibvirtd//qemu_bridge_helper, + + # allow connect with openGraphicsFD, direction reversed in newer versions + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirt-[= 0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*), + # unconfined also required if guests run without security module + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d), + + # required if guests run unconfined seclabel type=3D'none' but libvirtd = is confined + signal (read, send) peer=3Dunconfined, + + # Very lenient profile for libvirtd since we want to first focus on conf= ining + # the guests. Guests will have a very restricted profile. + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # read and run an ebtables script. 
+ /var/lib/libvirt/virtd* ixr, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + + # allow changing to our UUID-based named profiles + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-= 9a-f]*, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_h= elper, + # child profile for bridge helper process + profile qemu_bridge_helper { + #include + + capability setuid, + capability setgid, + capability setpcap, + capability net_admin, + + network inet stream, + + # For communication/control from virtqemud + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dvirtqemu= d), + signal (receive) set=3D(term) peer=3Dvirtqemud, + + /dev/net/tun rw, + /etc/qemu/** r, + owner @{PROC}/*/status r, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, + } +} diff --git a/src/security/apparmor-2/usr.sbin.virtxend.in b/src/security/ap= parmor-2/usr.sbin.virtxend.in new file mode 100644 index 0000000000..72e0d801e5 --- /dev/null +++ b/src/security/apparmor-2/usr.sbin.virtxend.in 
@@ -0,0 +1,55 @@ +#include + +profile virtxend @sbindir@/virtxend flags=3D(attach_disconnected) { + #include + #include + + capability kill, + capability setgid, + capability setuid, + capability sys_pacct, + capability ipc_lock, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d addr=3Dnone), + + ptrace (read,trace) peer=3Dunconfined, + + signal (send) set=3D(kill, term, hup) peer=3Dunconfined, + + # Very lenient profile for virtxend + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64,libexec}/xen/bin/* Ux, + /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx, + /usr/{lib,libexec}/xen-*/bin/pygrub PUx, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + /etc/xen/scripts/** rmix, +} diff --git a/src/security/meson.build b/src/security/meson.build index 6230b34aa4..078111d251 100644 --- a/src/security/meson.build +++ b/src/security/meson.build @@ -55,3 +55,6 @@ endif if conf.has('WITH_APPARMOR_PROFILES') subdir('apparmor') endif +if conf.has('WITH_APPARMOR_PROFILES_2') + subdir('apparmor-2') +endif --=20 2.41.0
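Review bot: In the usr.sbin.libvirtd.in hunk the `#include` directives (the one at the top of the file, the two inside `profile libvirtd`, and the one inside the `qemu_bridge_helper` child) carry no target in the posted text, so a reviewer cannot tell from the patch which abstractions, and therefore which baseline file, network and capability rules, the profile pulls in; please confirm the abstraction names survive in the committed file and, if they are the same ones the existing src/security/apparmor profile uses, say so in the commit message. A smaller consistency point in the same hunk: `signal (send) set=("kill", "term") peer=unconfined` and `signal (send) set=("term") peer=libvirtd//qemu_bridge_helper` quote the signal names, while the virtqemud and virtxend profiles in this series write `set=(kill, term)`; both forms parse, but one spelling across the three files would make the profiles diffable against each other.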
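Review bot: The parent and child peer labels in the usr.sbin.virtqemud.in hunk do not agree. The parent profile keeps `unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper)` and `signal (send) set=(term) peer=libvirtd//qemu_bridge_helper` from the libvirtd profile, but a child profile declared inside `profile virtqemud` is labelled `virtqemud//qemu_bridge_helper`, and the child side of this same hunk already says `peer=(label=virtqemud)` and `peer=virtqemud`. As written, the parent's socket and signal rules name a label this profile never produces, so they would not match the real helper process and the daemon's side of the bridge-helper channel is not actually granted; both `libvirtd//qemu_bridge_helper` references should read `virtqemud//qemu_bridge_helper`. Two follow-ups in the same file: the comment `# Very lenient profile for libvirtd since we want to first focus on confining` above `/ r,` still says libvirtd, and this profile drops the `ptrace (read,trace) peer=swtpm` rule that the libvirtd profile carries; since virtqemud is the daemon that drives qemu guests with an swtpm, the commit message should state whether that omission is intentional.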
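Review bot: `/usr/{lib,lib64,libexec}/xen/bin/* Ux,` in the usr.sbin.virtxend.in hunk (and the identical rule in usr.sbin.libvirtd.in) is the only exec rule in these profiles that uses bare `Ux` rather than `PUx`, so every helper under that directory always runs unconfined even when a profile for it is installed, whereas the neighbouring `xen-toolstack`, `libxl-save-helper` and `pygrub` rules fall back to unconfined only if no profile exists. Unless a profile transition is known to break for those binaries, `PUx` would match the rest of the file and let a distribution ship profiles for them later; if `Ux` is deliberate, a one-line comment saying why would save the next reader the question.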
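Review bot: The two conditions in the src/security/meson.build hunk are independent `if` blocks, so a tree configured with both `WITH_APPARMOR_PROFILES` and `WITH_APPARMOR_PROFILES_2` descends into both `apparmor` and `apparmor-2`, and the new directory provides profiles under the same names the existing one is known by (usr.sbin.libvirtd, usr.sbin.virtqemud, usr.sbin.virtxend), so the two installs would write the same target files. Either reject the combination at configure time (error out in meson when both options are set) or chain the checks with `elif` and document in the option description which set wins.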