
Re: [libvirt] [PATCH 2/2] apparmor: convert libvirtd profile to a named profile

On 1/22/19 1:01 PM, Jamie Strandboge wrote:
On Mon, 14 Jan 2019, Jim Fehlig wrote:

Signed-off-by: Jim Fehlig <jfehlig suse com>

Optional patch that may need a bit of coordination with upstream apparmor
since the dnsmasq profile currently has 'peer=/usr/sbin/libvirtd'.

  src/security/apparmor/usr.sbin.libvirtd | 5 +++--
  1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd
index 0db52c524c..29f9936ad9 100644
--- a/src/security/apparmor/usr.sbin.libvirtd
+++ b/src/security/apparmor/usr.sbin.libvirtd
@@ -2,7 +2,7 @@
  #include <tunables/global>
-/usr/sbin/libvirtd flags=(attach_disconnected) {
+profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
    #include <abstractions/base>
    #include <abstractions/dbus>
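Review bot: renaming the profile head to `profile libvirtd /usr/sbin/libvirtd` changes the label under which libvirtd is confined from `/usr/sbin/libvirtd` to `libvirtd`, so every rule in another profile that names libvirtd as a peer by path (the commit message points at the dnsmasq profile's `peer=/usr/sbin/libvirtd`) stops matching as soon as this profile is loaded. The commit message should say explicitly that such rules need a `peer=libvirtd` counterpart and that the change is meant to land together with the upstream apparmor update, rather than only hinting at it.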
@@ -51,7 +51,7 @@
    unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
ptrace (read,trace) peer=unconfined,
-  ptrace (read,trace) peer=/usr/sbin/libvirtd,
+  ptrace (read,trace) peer= {profile_name},
    ptrace (read,trace) peer=dnsmasq,
    ptrace (read,trace) peer=/usr/sbin/dnsmasq,
    ptrace (read,trace) peer=libvirt-*,
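Review bot: the added line renders here as `peer= {profile_name}`, with a space after `=` and no `@`; the AppArmor variable is `@{profile_name}`, so confirm the committed file reads `ptrace (read,trace) peer=@{profile_name},` and that the space is only a mail-archive rendering artifact, otherwise the rule will not parse. Replacing the old `peer=/usr/sbin/libvirtd` line outright, instead of keeping both as the third hunk does for the signal rule, is fine here because `@{profile_name}` expands to whatever this profile is called and therefore covers both the old path-based and the new named form.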
@@ -123,6 +123,7 @@
     # For communication/control from libvirtd
     unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
     signal (receive) set=("term") peer=/usr/sbin/libvirtd,
+   signal (receive) set=("term") peer=libvirtd,
/dev/net/tun rw,
     /etc/qemu/** r,
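Review bot: the unix stream rule two lines above the added signal rule still reads `peer=(label=/usr/sbin/libvirtd)` and is not given a named-profile twin the way `signal (receive) set=("term") peer=libvirtd,` is, so once the parent profile carries the label `libvirtd` the socket traffic from libvirtd that the comment says this block exists for will be denied. Add `unix (send, receive) type=stream addr=none peer=(label=libvirtd),` beside it (or fold both labels into one rule) so the socket and signal rules stay consistent.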

This also LGTM. It'd be nice if there was a mechanism to specify the parent
profile like we can the current profile, but we can't now and this is fine.

Thanks for reviewing these patches! I've pushed them now.
