[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 1/4] AppArmor updates



On Thu, 12 Nov 2009, Jamie Strandboge wrote:

> 1_aa_profile_updates.patch:
> Adds pulseaudio, alsa and preliminary save/restore to the example
> apparmor abstraction. Also allows libvirtd access to inet dgram, inet6
> dgram, inet6 stream and /usr/lib/libvirt/*.
> 

-- 
Jamie Strandboge             | http://www.canonical.com
diff -Naurp libvirt.orig/examples/apparmor/libvirt-qemu libvirt/examples/apparmor/libvirt-qemu
--- libvirt.orig/examples/apparmor/libvirt-qemu	2009-10-08 09:48:50.000000000 -0500
+++ libvirt/examples/apparmor/libvirt-qemu	2009-11-12 07:29:13.000000000 -0600
@@ -1,4 +1,4 @@
-# Last Modified: Wed Jul  8 09:57:41 2009
+# Last Modified: Fri Nov  6 16:41:59 2009
 
   #include <abstractions/base>
   #include <abstractions/consoles>
@@ -24,6 +24,31 @@
   #/sys/devices/*/*/usb[0-9]*/** r,
   #/dev/bus/usb/*/[0-9]* rw,
 
+  # WARNING: this gives the guest direct access to host hardware and specific
+  # portions of shared memory. This is required for sound using ALSA with kvm,
+  # but may constitute a security risk. If your environment does not require
+  # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
+  # the rules for files in /dev.
+  /dev/shm/ r,
+  /dev/shm/pulse-shm* r,
+  /dev/shm/pulse-shm* rwk,
+  /dev/snd/* rw,
+  capability ipc_lock,
+  # 'kill' is not required for sound and is a security risk. Do not enable
+  # unless you absolutely need it.
+  deny capability kill,
+
+  /etc/pulse/client.conf r,
+  @{HOME}/.pulse-cookie rwk,
+  owner /root/.pulse-cookie rwk,
+  owner /root/.pulse/ rw,
+  owner /root/.pulse/* rw,
+  /usr/share/alsa/** r,
+  owner /tmp/pulse-*/ rw,
+  owner /tmp/pulse-*/* rw,
+  /var/lib/dbus/machine-id r,
+
+  # access to firmware's etc
   /usr/share/kvm/** r,
   /usr/share/qemu/** r,
   /usr/share/bochs/** r,
@@ -69,3 +94,16 @@
   /usr/bin/qemu-sparc32plus rmix,
   /usr/bin/qemu-sparc64 rmix,
   /usr/bin/qemu-x86_64 rmix,
+
+  # for save and resume
+  /bin/dash rmix,
+  /bin/dd rmix,
+  /bin/cat rmix,
+
+  # The svirt driver does not relabel the state file
+  # (https://bugzilla.redhat.com/show_bug.cgi?id=529363) resulting in denied
+  # messages. Uncommenting these lines can work around this somewhat by
+  # allowing users to save state files in the specified directory. We use
+  # 'owner' to make sure we don't overwrite the user's files.
+  #owner @{HOME}/libvirt-state-files/ r,
+  #owner @{HOME}/libvirt-state-files/** rw,
diff -Naurp libvirt.orig/examples/apparmor/usr.sbin.libvirtd libvirt/examples/apparmor/usr.sbin.libvirtd
--- libvirt.orig/examples/apparmor/usr.sbin.libvirtd	2009-10-08 09:48:50.000000000 -0500
+++ libvirt/examples/apparmor/usr.sbin.libvirtd	2009-11-12 07:29:47.000000000 -0600
@@ -23,6 +23,9 @@
   capability mknod,
 
   network inet stream,
+  network inet dgram,
+  network inet6 stream,
+  network inet6 dgram,
 
   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
@@ -32,6 +35,7 @@
   /sbin/* Ux,
   /usr/bin/* Ux,
   /usr/sbin/* Ux,
+  /usr/lib/libvirt/* Ux,
 
   # force the use of virt-aa-helper
   audit deny /sbin/apparmor_parser rwxl,

Attachment: signature.asc
Description: Digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]