[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] 9/10 AppArmor driver updates



On Mon, 2010-04-05 at 16:15 -0500, Jamie Strandboge wrote:

> 9_apparmor-examples.patch: adjustments to the example profiles

-- 
Jamie Strandboge             | http://www.canonical.com
diff -Naur libvirt.orig/examples/apparmor/libvirt-qemu libvirt/examples/apparmor/libvirt-qemu
--- libvirt.orig/examples/apparmor/libvirt-qemu	2009-11-30 17:04:23.000000000 -0600
+++ libvirt/examples/apparmor/libvirt-qemu	2010-04-05 15:49:46.000000000 -0500
@@ -1,4 +1,4 @@
-# Last Modified: Fri Nov  6 16:41:59 2009
+# Last Modified: Mon Apr  5 15:11:27 2010
 
   #include <abstractions/base>
   #include <abstractions/consoles>
@@ -16,13 +16,11 @@
   /dev/kvm rw,
   /dev/ptmx rw,
   /dev/kqemu rw,
+  @{PROC}/*/status r,
 
-  # WARNING: uncommenting these gives the guest direct access to host hardware.
-  # This is required for USB pass through but is a security risk. You have been
-  # warned.
-  #/sys/bus/usb/devices/ r,
-  #/sys/devices/*/*/usb[0-9]*/** r,
-  #/dev/bus/usb/*/[0-9]* rw,
+  # For hostdev access. The actual devices will be added dynamically
+  /sys/bus/usb/devices/ r,
+  /sys/devices/*/*/usb[0-9]*/** r,
 
   # WARNING: this gives the guest direct access to host hardware and specific
   # portions of shared memory. This is required for sound using ALSA with kvm,
@@ -38,6 +36,9 @@
   # unless you absolutely need it.
   deny capability kill,
 
+  # Uncomment the following if you need access to /dev/fb*
+  #/dev/fb* rw,
+
   /etc/pulse/client.conf r,
   @{HOME}/.pulse-cookie rwk,
   owner /root/.pulse-cookie rwk,
@@ -56,6 +57,10 @@
   /usr/share/openhackware/** r,
   /usr/share/proll/** r,
   /usr/share/vgabios/** r,
+  /usr/share/seabios/** r,
+
+  # access PKI infrastructure
+  /etc/pki/libvirt-vnc/** r,
 
   # the various binaries
   /usr/bin/kvm rmix,
@@ -99,11 +104,3 @@
   /bin/dash rmix,
   /bin/dd rmix,
   /bin/cat rmix,
-
-  # The svirt driver does not relabel the state file
-  # (https://bugzilla.redhat.com/show_bug.cgi?id=529363) resulting in denied
-  # messages. Uncommenting these lines can work around this somewhat by
-  # allowing users to save state files in the specified directory. We use
-  # 'owner' to make sure we don't overwrite the user's files.
-  #owner @{HOME}/libvirt-state-files/ r,
-  #owner @{HOME}/libvirt-state-files/** rw,
diff -Naur libvirt.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper libvirt/examples/apparmor/usr.lib.libvirt.virt-aa-helper
--- libvirt.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper	2009-10-08 09:48:50.000000000 -0500
+++ libvirt/examples/apparmor/usr.lib.libvirt.virt-aa-helper	2010-04-05 15:48:28.000000000 -0500
@@ -1,4 +1,4 @@
-# Last Modified: Mon Jul  06 17:22:37 2009
+# Last Modified: Mon Apr  5 15:10:27 2010
 #include <tunables/global>
 
 /usr/lib/libvirt/virt-aa-helper {
@@ -14,9 +14,25 @@
   deny @{PROC}/[0-9]*/mounts r,
   @{PROC}/filesystems r,
 
+  # for hostdev
+  /sys/devices/ r,
+  /sys/devices/** r,
+
   /usr/lib/libvirt/virt-aa-helper mr,
   /sbin/apparmor_parser Ux,
 
   /etc/apparmor.d/libvirt/* r,
   /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+
+  # for backingstore -- allow access to non-hidden files in @{HOME} as well
+  # as storage pools
+  audit deny @{HOME}/.* mrwkl,
+  audit deny @{HOME}/.*/ rw,
+  audit deny @{HOME}/.*/** mrwkl,
+  audit deny @{HOME}/bin/ rw,
+  audit deny @{HOME}/bin/** mrwkl,
+  @{HOME}/ r,
+  @{HOME}/** r,
+  /var/lib/libvirt/images/ r,
+  /var/lib/libvirt/images/** r,
 }
diff -Naur libvirt.orig/examples/apparmor/usr.sbin.libvirtd libvirt/examples/apparmor/usr.sbin.libvirtd
--- libvirt.orig/examples/apparmor/usr.sbin.libvirtd	2009-11-30 17:04:24.000000000 -0600
+++ libvirt/examples/apparmor/usr.sbin.libvirtd	2010-04-05 15:48:28.000000000 -0500
@@ -1,4 +1,4 @@
-# Last Modified: Wed Sep 23 23:23:58 2009
+# Last Modified: Mon Apr  5 15:03:58 2010
 #include <tunables/global>
 @{LIBVIRT}="libvirt"
 
@@ -21,6 +21,7 @@
   capability chown,
   capability setpcap,
   capability mknod,
+  capability fsetid,
 
   network inet stream,
   network inet dgram,
@@ -35,7 +36,6 @@
   /sbin/* Ux,
   /usr/bin/* Ux,
   /usr/sbin/* Ux,
-  /usr/lib/libvirt/* Ux,
 
   # force the use of virt-aa-helper
   audit deny /sbin/apparmor_parser rwxl,
@@ -44,7 +44,7 @@
   audit deny /sys/kernel/security/apparmor/matching rwxl,
   audit deny /sys/kernel/security/apparmor/.* rwxl,
   /sys/kernel/security/apparmor/profiles r,
-  /usr/lib/libvirt/virt-aa-helper Pxr,
+  /usr/lib/libvirt/* PUxr,
 
   # allow changing to our UUID-based named profiles
   change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]