
Re: [libvirt] [PATCH 2/2] apparmor: convert libvirtd profile to a named profile



On 1/22/19 1:01 PM, Jamie Strandboge wrote:
On Mon, 14 Jan 2019, Jim Fehlig wrote:

Signed-off-by: Jim Fehlig <jfehlig suse com>
---

Optional patch that may need a bit of coordination with upstream apparmor
since the dnsmasq profile currently has 'peer=/usr/sbin/libvirtd'.

  src/security/apparmor/usr.sbin.libvirtd | 5 +++--
  1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd
index 0db52c524c..29f9936ad9 100644
--- a/src/security/apparmor/usr.sbin.libvirtd
+++ b/src/security/apparmor/usr.sbin.libvirtd
@@ -2,7 +2,7 @@
  #include <tunables/global>
  @{LIBVIRT}="libvirt"
-/usr/sbin/libvirtd flags=(attach_disconnected) {
+profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
    #include <abstractions/base>
    #include <abstractions/dbus>
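Review bot: once the profile is declared as `profile libvirtd /usr/sbin/libvirtd`, the name `libvirtd` rather than the path `/usr/sbin/libvirtd` becomes the label that other profiles see, so any rule matching `peer=/usr/sbin/libvirtd` (the dnsmasq profile mentioned in the cover letter, and the rules further down in this same file) stops matching until it is updated to `peer=libvirtd`; the commit message should spell out that dependency and the coordination needed with upstream apparmor.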
@@ -51,7 +51,7 @@
    unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
ptrace (read,trace) peer=unconfined,
-  ptrace (read,trace) peer=/usr/sbin/libvirtd,
+  ptrace (read,trace) peer= {profile_name},
    ptrace (read,trace) peer=dnsmasq,
    ptrace (read,trace) peer=/usr/sbin/dnsmasq,
    ptrace (read,trace) peer=libvirt-*,
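Review bot: the replacement line reads `peer= {profile_name}` with a space after `=` and no leading `@`, while AppArmor's built-in variable is `@{profile_name}`; please confirm the committed line is `ptrace (read,trace) peer=@{profile_name},` and that apparmor_parser accepts it (if the `@` was only lost in mail transit this is cosmetic). Using the variable is the right choice since it survives the rename, and the adjacent `peer=dnsmasq` / `peer=/usr/sbin/dnsmasq` pair shows the pattern for peers that may be referenced either by name or by path.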
@@ -123,6 +123,7 @@
     # For communication/control from libvirtd
     unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
     signal (receive) set=("term") peer=/usr/sbin/libvirtd,
+   signal (receive) set=("term") peer=libvirtd,
/dev/net/tun rw,
     /etc/qemu/** r,
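Review bot: the added `signal (receive) set=("term") peer=libvirtd,` covers the new profile name for signals, but the `unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),` rule two lines above is left with only the path label; under the renamed profile libvirtd's label is `libvirtd`, so that stream communication from libvirtd would no longer match. Suggest adding the counterpart `unix (send, receive) type=stream addr=none peer=(label=libvirtd),` beside the new signal rule, keeping the old path-based rules for the transition as this hunk already does.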

This also LGTM. It'd be nice if there was a mechanism to specify the parent
profile like we can the current profile, but we can't now and this is fine.

Thanks for reviewing these patches! I've pushed them now.

Regards,
Jim

