[libvirt] [PATCH] apparmor: support finer-grained ptrace checks
Guido Günther
agx at sigxcpu.org
Fri Sep 22 15:46:52 UTC 2017
Hi,
On Fri, Sep 22, 2017 at 10:29:22AM -0500, Jamie Strandboge wrote:
> On Fri, 2017-09-22 at 14:52 +0200, Guido Günther wrote:
> > > + ptrace,
> >
> > ^^^^^^^
> >
> > This single line is enough to make things work for me on 4.13. AFAIK
> > dbus mediation is not upstream yet and I think unix socket and signal
> > support is neither. Should we drop these for now (the syntax and
> > behaviour might change while things are being upstreamed)?
>
> Note that if you are upstreaming profile changes for ptrace, you may as well add
> them for signal and dbus because an apparmor parser that can understand 'ptrace'
> can understand the other two. The parser is designed to deal with kernels that
> don't have the full set of apparmor capabilities. The policy syntax for all of
> these rules should not change as part of upstreaming dbus and unix.
>
> 'unix' is probably ok to add because support for it was added to the parser in
> devel releases of AppArmor within 6 months of ptrace and signal. 'dbus',
> 'ptrace', 'signal' and 'unix' were officially introduced in 2.9[1]. By adding
> 'ptrace' you are saying AppArmor 2.9 is required, therefore, the other 3 are
> parseable.
The assumption then is that upstreaming the kernel side will never
affect the parser; that's fine. Thanks for the clarification! That makes the
libvirt-qemu and usr.sbin.libvirtd parts look good.
What I don't understand yet is why we have in libvirt-lxc:
> diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc
> index 4bfb503aa..0db137de0 100644
> --- a/examples/apparmor/libvirt-lxc
> +++ b/examples/apparmor/libvirt-lxc
> @@ -3,6 +3,9 @@
> #include <abstractions/base>
>
> umount,
> + dbus,
> + signal,
> + ptrace,
>
> # ignore DENIED message on / remount
> deny mount options=(ro, remount) -> /,
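Review bot: the three added rules in this hunk (`dbus,`, `signal,`, `ptrace,`) are the unqualified forms, so they grant the whole mediation class rather than the peer-scoped access the libvirt-qemu profile in the same patch uses (`signal (receive) peer=/usr/sbin/libvirtd,` and `ptrace (tracedby) peer=/usr/sbin/libvirtd,`). Please either scope `signal` and `ptrace` to the expected peer here as well, or add a comment above the rules explaining why the LXC profile needs the broad form, and likewise note what `dbus` is required for, since nothing in the hunk or the description motivates it.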
Why does it need dbus, and why can't we go with restricted ptrace and
signal specifications like in the libvirt-qemu case:
> + signal (receive) peer=/usr/sbin/libvirtd,
> + ptrace (tracedby) peer=/usr/sbin/libvirtd,
maybe having to add /usr/lib/libvirt/libvirt_lxc into the mix. (I'd
check myself but due to the lack of upstream support I can't.) Maybe just
an omission?
Cheers,
-- Guido
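To make the difference between the two profile styles discussed in this thread concrete, here is a small linter (added here as an example; it is not part of the patch or of libvirt) that flags ptrace/signal/dbus/unix rules written without a `peer=` qualifier. The profile snippets are constructed from the hunks quoted above; the checker assumes one rule per line, each terminated by a comma.

```python
import re

# Constructed sample: the libvirt-lxc hunk as quoted in the thread.
LXC_PROFILE = """\
#include <abstractions/base>

  umount,
  dbus,
  signal,
  ptrace,

  # ignore DENIED message on / remount
  deny mount options=(ro, remount) -> /,
"""

# Constructed sample: the peer-scoped rules from the libvirt-qemu profile.
QEMU_PROFILE = """\
  signal (receive) peer=/usr/sbin/libvirtd,
  ptrace (tracedby) peer=/usr/sbin/libvirtd,
"""

# Mediation rule classes whose bare form (e.g. "ptrace,") grants the whole
# class. The greedy ".*" lets qualifiers such as "(receive, send)" contain
# commas; the rule's own terminating comma is the last one on the line.
RULE_RE = re.compile(
    r"^\s*(?P<deny>deny\s+)?(?P<kind>ptrace|signal|dbus|unix)\b(?P<rest>.*),\s*$"
)


def unrestricted_rules(profile_text):
    """Return (line_no, kind, rule_text) for grant rules lacking a peer= qualifier."""
    findings = []
    for line_no, line in enumerate(profile_text.splitlines(), 1):
        match = RULE_RE.match(line)
        if not match or match.group("deny"):
            continue  # comments, other rule types and deny rules are not grants
        if "peer=" not in match.group("rest"):
            findings.append((line_no, match.group("kind"), line.strip()))
    return findings


if __name__ == "__main__":
    for name, text in (("libvirt-lxc", LXC_PROFILE), ("libvirt-qemu", QEMU_PROFILE)):
        for line_no, kind, rule in unrestricted_rules(text):
            print(f"{name}:{line_no}: unrestricted {kind} rule: {rule}")
```

Running it reports the three bare rules from the LXC hunk and nothing for the qemu rules, which is the asymmetry the question above is about.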