[libvirt] PATCH 3/4: AppArmor updates
Daniel P. Berrange
berrange at redhat.com
Mon Aug 16 16:15:25 UTC 2010
On Fri, Aug 13, 2010 at 05:00:06PM -0500, Jamie Strandboge wrote:
> Attached is 0003-apparmor-examples.patch
Can you include full commit messages with each patch,
since it makes it easier to review & understand, and
will be needed when the patches are applied to GIT.
> diff -Naurp libvirt.orig/examples/apparmor/libvirt-qemu libvirt/examples/apparmor/libvirt-qemu
> --- libvirt.orig/examples/apparmor/libvirt-qemu 2010-04-06 16:14:52.000000000 -0500
> +++ libvirt/examples/apparmor/libvirt-qemu 2010-08-13 16:46:34.000000000 -0500
> @@ -1,4 +1,4 @@
> -# Last Modified: Mon Apr 5 15:11:27 2010
> +# Last Modified: Fri Aug 13 16:38:32 2010
>
> #include <abstractions/base>
> #include <abstractions/consoles>
> @@ -9,6 +9,10 @@
> capability dac_read_search,
> capability chown,
>
> + # needed to drop privileges
> + capability setgid,
> + capability setuid,
> +
> network inet stream,
> network inet6 stream,
>
> diff -Naurp libvirt.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper libvirt/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> --- libvirt.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper 2010-04-06 16:14:52.000000000 -0500
> +++ libvirt/examples/apparmor/usr.lib.libvirt.virt-aa-helper 2010-08-13 16:44:01.000000000 -0500
> @@ -1,8 +1,9 @@
> -# Last Modified: Mon Apr 5 15:10:27 2010
> +# Last Modified: Fri Aug 13 16:38:32 2010
> #include <tunables/global>
>
> /usr/lib/libvirt/virt-aa-helper {
> #include <abstractions/base>
> + #include <abstractions/user-tmp>
>
> # needed for searching directories
> capability dac_override,
> @@ -12,11 +13,16 @@
> network inet,
>
> deny @{PROC}/[0-9]*/mounts r,
> + @{PROC}/[0-9]*/net/psched r,
> @{PROC}/filesystems r,
>
> # for hostdev
> /sys/devices/ r,
> /sys/devices/** r,
> + /sys/bus/usb/devices/ r,
> + deny /dev/sd* r,
> + deny /dev/mapper/ r,
> + deny /dev/mapper/* r,
>
> /usr/lib/libvirt/virt-aa-helper mr,
> /sbin/apparmor_parser Ux,
> @@ -24,8 +30,11 @@
> /etc/apparmor.d/libvirt/* r,
> /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
>
> - # for backingstore -- allow access to non-hidden files in @{HOME} as well
> - # as storage pools
> + # For backingstore, virt-aa-helper may need to peek inside the disk image, so
> + # allow access to non-hidden files in @{HOME} as well as storage pools, and
> + # removable media and filesystems, and certain file extentions. A
> + # virt-aa-helper failure when checking a disk for backinsgstore is non-fatal
> + # (but obviously the backingstore won't be added).
> audit deny @{HOME}/.* mrwkl,
> audit deny @{HOME}/.*/ rw,
> audit deny @{HOME}/.*/** mrwkl,
ACK
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
More information about the libvir-list
mailing list