[libvirt] PATCH 3/4: AppArmor updates

Daniel P. Berrange berrange at redhat.com
Mon Aug 16 16:15:25 UTC 2010 

On Fri, Aug 13, 2010 at 05:00:06PM -0500, Jamie Strandboge wrote:
> Attached is 0003-apparmor-examples.patch

Can you include full commit messages with each patch,
since it makes it easier to review & understand, and
will be needed when the patches are applied to GIT.

> diff -Naurp libvirt.orig/examples/apparmor/libvirt-qemu libvirt/examples/apparmor/libvirt-qemu
> --- libvirt.orig/examples/apparmor/libvirt-qemu	2010-04-06 16:14:52.000000000 -0500
> +++ libvirt/examples/apparmor/libvirt-qemu	2010-08-13 16:46:34.000000000 -0500
> @@ -1,4 +1,4 @@
> -# Last Modified: Mon Apr  5 15:11:27 2010
> +# Last Modified: Fri Aug 13 16:38:32 2010
>  
>    #include <abstractions/base>
>    #include <abstractions/consoles>
> @@ -9,6 +9,10 @@
>    capability dac_read_search,
>    capability chown,
>  
> +  # needed to drop privileges
> +  capability setgid,
> +  capability setuid,
> +
>    network inet stream,
>    network inet6 stream,
>  
> diff -Naurp libvirt.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper libvirt/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> --- libvirt.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper	2010-04-06 16:14:52.000000000 -0500
> +++ libvirt/examples/apparmor/usr.lib.libvirt.virt-aa-helper	2010-08-13 16:44:01.000000000 -0500
> @@ -1,8 +1,9 @@
> -# Last Modified: Mon Apr  5 15:10:27 2010
> +# Last Modified: Fri Aug 13 16:38:32 2010
>  #include <tunables/global>
>  
>  /usr/lib/libvirt/virt-aa-helper {
>    #include <abstractions/base>
> +  #include <abstractions/user-tmp>
>  
>    # needed for searching directories
>    capability dac_override,
> @@ -12,11 +13,16 @@
>    network inet,
>  
>    deny @{PROC}/[0-9]*/mounts r,
> +  @{PROC}/[0-9]*/net/psched r,
>    @{PROC}/filesystems r,
>  
>    # for hostdev
>    /sys/devices/ r,
>    /sys/devices/** r,
> +  /sys/bus/usb/devices/ r,
> +  deny /dev/sd* r,
> +  deny /dev/mapper/ r,
> +  deny /dev/mapper/* r,
>  
>    /usr/lib/libvirt/virt-aa-helper mr,
>    /sbin/apparmor_parser Ux,
> @@ -24,8 +30,11 @@
>    /etc/apparmor.d/libvirt/* r,
>    /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
>  
> -  # for backingstore -- allow access to non-hidden files in @{HOME} as well
> -  # as storage pools
> +  # For backingstore, virt-aa-helper may need to peek inside the disk image, so
> +  # allow access to non-hidden files in @{HOME} as well as storage pools, and
> +  # removable media and filesystems, and certain file extentions. A
> +  # virt-aa-helper failure when checking a disk for backinsgstore is non-fatal
> +  # (but obviously the backingstore won't be added).
>    audit deny @{HOME}/.* mrwkl,
>    audit deny @{HOME}/.*/ rw,
>    audit deny @{HOME}/.*/** mrwkl,


ACK

Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

More information about the libvir-list mailing list