1. Patchew
  2. Libvirt
  3. [PATCH v2 0/4] fix AppArmor policy restore for runtime rules
  4. View patch

[PATCH v2 3/4] apparmor: fix UUID specification

Georgia Garcia posted 4 patches 1 year, 2 months ago
There is a newer version of this series
[PATCH v2 3/4] apparmor: fix UUID specification
Posted by Georgia Garcia 1 year, 2 months ago 
There is a common misconception when writing AppArmor policy that
[0-9]* applies * to the [0-9] class, but that's not the case. For this
example, [0-9]* matches a single digit followed by any number of
characters except for /

Create a UUID variable that uses the following format 8-4-4-4-12.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
---
 src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 5 ++++-
 src/security/apparmor/usr.sbin.libvirtd.in              | 7 +++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index 44645c6989..90a8b7072c 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -1,5 +1,8 @@
 #include <tunables/global>
 
+@{hextet}=[0-9a-f][0-9a-f][0-9a-f][0-9a-f]
+@{UUID}=@{hextet}@{hextet}-@{hextet}-@{hextet}-@{hextet}-@{hextet}@{hextet}@{hextet}
+
 profile virt-aa-helper @libexecdir@/virt-aa-helper {
   #include <abstractions/base>
   #include <abstractions/openssl>
@@ -44,7 +47,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
   /{usr/,}{s,}bin/apparmor_parser Ux,
 
   @sysconfdir@/apparmor.d/libvirt/* r,
-  @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+  @sysconfdir@/apparmor.d/libvirt/libvirt-@{UUID}* rw,
 
   # for backingstore -- allow access to non-hidden files in @{HOME} as well
   # as storage pools
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index 70e586895f..3659ddc219 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -1,4 +1,7 @@
 #include <tunables/global>
+
+@{hextet}=[0-9a-f][0-9a-f][0-9a-f][0-9a-f]
+@{UUID}=@{hextet}@{hextet}-@{hextet}-@{hextet}-@{hextet}-@{hextet}@{hextet}@{hextet}
 @{LIBVIRT}="libvirt"
 
 profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
@@ -72,7 +75,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
   signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,
 
   # allow connect with openGraphicsFD, direction reversed in newer versions
-  unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
+  unix (send, receive) type=stream addr=none peer=(label=libvirt-@{UUID}),
   # unconfined also required if guests run without security module
   unix (send, receive) type=stream addr=none peer=(label=unconfined),
 
@@ -115,7 +118,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
   /etc/xen/scripts/** rmix,
 
   # allow changing to our UUID-based named profiles
-  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+  change_profile -> @{LIBVIRT}-@{UUID},
 
   /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper Cx -> qemu_bridge_helper,
   # child profile for bridge helper process
-- 
2.34.1
Re: [PATCH v2 3/4] apparmor: fix UUID specification
Posted by Jim Fehlig via Devel 1 year, 1 month ago 
On 11/13/24 07:28, Georgia Garcia wrote:
> There is a common misconception when writing AppArmor policy that
> [0-9]* applies * to the [0-9] class, but that's not the case. For this
> example, [0-9]* matches a single digit followed by any number of
> characters except for /
> 
> Create a UUID variable that uses the following format 8-4-4-4-12.
> 
> Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
> ---
>   src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 5 ++++-
>   src/security/apparmor/usr.sbin.libvirtd.in              | 7 +++++--
>   2 files changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> index 44645c6989..90a8b7072c 100644
> --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> @@ -1,5 +1,8 @@
>   #include <tunables/global>
>   
> +@{hextet}=[0-9a-f][0-9a-f][0-9a-f][0-9a-f]
> +@{UUID}=@{hextet}@{hextet}-@{hextet}-@{hextet}-@{hextet}-@{hextet}@{hextet}@{hextet}
> +
>   profile virt-aa-helper @libexecdir@/virt-aa-helper {
>     #include <abstractions/base>
>     #include <abstractions/openssl>
> @@ -44,7 +47,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
>     /{usr/,}{s,}bin/apparmor_parser Ux,
>   
>     @sysconfdir@/apparmor.d/libvirt/* r,
> -  @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
> +  @sysconfdir@/apparmor.d/libvirt/libvirt-@{UUID}* rw,
>   
>     # for backingstore -- allow access to non-hidden files in @{HOME} as well
>     # as storage pools
> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
> index 70e586895f..3659ddc219 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in

The changes here are also needed in usr.sbin.virtqemud.in.

Regards,
Jim

> @@ -1,4 +1,7 @@
>   #include <tunables/global>
> +
> +@{hextet}=[0-9a-f][0-9a-f][0-9a-f][0-9a-f]
> +@{UUID}=@{hextet}@{hextet}-@{hextet}-@{hextet}-@{hextet}-@{hextet}@{hextet}@{hextet}
>   @{LIBVIRT}="libvirt"
>   
>   profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
> @@ -72,7 +75,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
>     signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,
>   
>     # allow connect with openGraphicsFD, direction reversed in newer versions
> -  unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
> +  unix (send, receive) type=stream addr=none peer=(label=libvirt-@{UUID}),
>     # unconfined also required if guests run without security module
>     unix (send, receive) type=stream addr=none peer=(label=unconfined),
>   
> @@ -115,7 +118,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
>     /etc/xen/scripts/** rmix,
>   
>     # allow changing to our UUID-based named profiles
> -  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
> +  change_profile -> @{LIBVIRT}-@{UUID},
>   
>     /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper Cx -> qemu_bridge_helper,
>     # child profile for bridge helper process
Re: [PATCH v2 3/4] apparmor: fix UUID specification
Posted by Georgia Garcia 1 year, 1 month ago 
On Mon, 2025-01-06 at 17:59 -0700, Jim Fehlig wrote:
> On 11/13/24 07:28, Georgia Garcia wrote:
> > There is a common misconception when writing AppArmor policy that
> > [0-9]* applies * to the [0-9] class, but that's not the case. For this
> > example, [0-9]* matches a single digit followed by any number of
> > characters except for /
> > 
> > Create a UUID variable that uses the following format 8-4-4-4-12.
> > 
> > Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
> > ---
> >   src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 5 ++++-
> >   src/security/apparmor/usr.sbin.libvirtd.in              | 7 +++++--
> >   2 files changed, 9 insertions(+), 3 deletions(-)
> > 
> > diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> > index 44645c6989..90a8b7072c 100644
> > --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> > +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> > @@ -1,5 +1,8 @@
> >   #include <tunables/global>
> >   
> > +@{hextet}=[0-9a-f][0-9a-f][0-9a-f][0-9a-f]
> > +@{UUID}=@{hextet}@{hextet}-@{hextet}-@{hextet}-@{hextet}-@{hextet}@{hextet}@{hextet}
> > +
> >   profile virt-aa-helper @libexecdir@/virt-aa-helper {
> >     #include <abstractions/base>
> >     #include <abstractions/openssl>
> > @@ -44,7 +47,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
> >     /{usr/,}{s,}bin/apparmor_parser Ux,
> >   
> >     @sysconfdir@/apparmor.d/libvirt/* r,
> > -  @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
> > +  @sysconfdir@/apparmor.d/libvirt/libvirt-@{UUID}* rw,
> >   
> >     # for backingstore -- allow access to non-hidden files in @{HOME} as well
> >     # as storage pools
> > diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
> > index 70e586895f..3659ddc219 100644
> > --- a/src/security/apparmor/usr.sbin.libvirtd.in
> > +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> 
> The changes here are also needed in usr.sbin.virtqemud.in.
> 

Thanks for catching that!

> Regards,
> Jim
> 
> > @@ -1,4 +1,7 @@
> >   #include <tunables/global>
> > +
> > +@{hextet}=[0-9a-f][0-9a-f][0-9a-f][0-9a-f]
> > +@{UUID}=@{hextet}@{hextet}-@{hextet}-@{hextet}-@{hextet}-@{hextet}@{hextet}@{hextet}
> >   @{LIBVIRT}="libvirt"
> >   
> >   profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
> > @@ -72,7 +75,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
> >     signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,
> >   
> >     # allow connect with openGraphicsFD, direction reversed in newer versions
> > -  unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
> > +  unix (send, receive) type=stream addr=none peer=(label=libvirt-@{UUID}),
> >     # unconfined also required if guests run without security module
> >     unix (send, receive) type=stream addr=none peer=(label=unconfined),
> >   
> > @@ -115,7 +118,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
> >     /etc/xen/scripts/** rmix,
> >   
> >     # allow changing to our UUID-based named profiles
> > -  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
> > +  change_profile -> @{LIBVIRT}-@{UUID},
> >   
> >     /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper Cx -> qemu_bridge_helper,
> >     # child profile for bridge helper process
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.