[PATCH 5/6] apparmor: Sort paths in blocks in libvirt-qemu profile

Jamie Strandboge jamie at canonical.com
Mon Jan 27 16:33:29 UTC 2020 

On Sat, 25 Jan 2020, Michal Privoznik wrote:

> Even though we construct a domain specific profile for each
> domain we start (which should cover domain specific paths), there
> is also another file that is included from the profile and which
> contains domain agnostic paths (e.g. to cover libraries that qemu
> links with). The paths in the file are split into blocks divided
> by comments. Sort the paths in each block individually (ignoring
> case sensitivity).
> 
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
>  src/security/apparmor/libvirt-qemu | 76 +++++++++++++++---------------
>  1 file changed, 38 insertions(+), 38 deletions(-)
> 
> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> index d33348aa05..2291829270 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -22,8 +22,8 @@
>    signal (receive) peer=libvirtd,
>    signal (receive) peer=/usr/sbin/libvirtd,
>  
> -  /dev/net/tun rw,
>    /dev/kvm rw,
> +  /dev/net/tun rw,
>    /dev/ptmx rw,
>    @{PROC}/*/status r,
>    # When qemu is signaled to terminate, it will read cmdline of signaling
> @@ -39,19 +39,19 @@
>    /sys/bus/usb/devices/ r,
>    /sys/devices/**/usb[0-9]*/** r,
>    # libusb needs udev data about usb devices (~equal to content of lsusb -v)
> +  /run/udev/data/+usb* r,
>    /run/udev/data/c16[6,7]* r,
>    /run/udev/data/c18[0,8,9]* r,
> -  /run/udev/data/+usb* r,
>  
>    # WARNING: this gives the guest direct access to host hardware and specific
>    # portions of shared memory. This is required for sound using ALSA with kvm,
>    # but may constitute a security risk. If your environment does not require
>    # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
>    # the rules for files in /dev.
> +  /dev/snd/* rw,
>    /{dev,run}/shm r,
>    /{dev,run}/shmpulse-shm* r,
>    /{dev,run}/shmpulse-shm* rwk,
> -  /dev/snd/* rw,
>    capability ipc_lock,
>    # spice
>    owner /{dev,run}/shm/spice.* rw,
> @@ -73,21 +73,21 @@
>    /var/lib/dbus/machine-id r,
>  
>    # access to firmware's etc
> -  /usr/share/kvm/** r,
> -  /usr/share/qemu/** r,
> -  /usr/share/qemu-kvm/** r,
> +  /usr/share/AAVMF/** r,
>    /usr/share/bochs/** r,
> +  /usr/share/kvm/** r,
> +  /usr/share/misc/sgabios.bin r,
>    /usr/share/openbios/** r,
>    /usr/share/openhackware/** r,
> -  /usr/share/proll/** r,
> -  /usr/share/vgabios/** r,
> -  /usr/share/seabios/** r,
> -  /usr/share/misc/sgabios.bin r,
> -  /usr/share/ovmf/** r,
>    /usr/share/OVMF/** r,
> -  /usr/share/AAVMF/** r,
> +  /usr/share/ovmf/** r,
> +  /usr/share/proll/** r,
>    /usr/share/qemu-efi/** r,
> +  /usr/share/qemu-kvm/** r,
> +  /usr/share/qemu/** r,
> +  /usr/share/seabios/** r,
>    /usr/share/slof/** r,
> +  /usr/share/vgabios/** r,
>  
>    # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
>    /etc/pki/CA/ r,
> @@ -98,7 +98,33 @@
>    # the various binaries
>    /usr/bin/kvm rmix,
>    /usr/bin/qemu rmix,
> +  /usr/bin/qemu-aarch64 rmix,
> +  /usr/bin/qemu-alpha rmix,
> +  /usr/bin/qemu-arm rmix,
> +  /usr/bin/qemu-armeb rmix,
> +  /usr/bin/qemu-cris rmix,
> +  /usr/bin/qemu-i386 rmix,
>    /usr/bin/qemu-kvm rmix,
> +  /usr/bin/qemu-m68k rmix,
> +  /usr/bin/qemu-microblaze rmix,
> +  /usr/bin/qemu-microblazeel rmix,
> +  /usr/bin/qemu-mips rmix,
> +  /usr/bin/qemu-mips64 rmix,
> +  /usr/bin/qemu-mips64el rmix,
> +  /usr/bin/qemu-mipsel rmix,
> +  /usr/bin/qemu-mipsn32 rmix,
> +  /usr/bin/qemu-mipsn32el rmix,
> +  /usr/bin/qemu-or32 rmix,
> +  /usr/bin/qemu-ppc rmix,
> +  /usr/bin/qemu-ppc64 rmix,
> +  /usr/bin/qemu-ppc64abi32 rmix,
> +  /usr/bin/qemu-ppc64le rmix,
> +  /usr/bin/qemu-s390x rmix,
> +  /usr/bin/qemu-sh4 rmix,
> +  /usr/bin/qemu-sh4eb rmix,
> +  /usr/bin/qemu-sparc rmix,
> +  /usr/bin/qemu-sparc32plus rmix,
> +  /usr/bin/qemu-sparc64 rmix,
>    /usr/bin/qemu-system-aarch64 rmix,
>    /usr/bin/qemu-system-alpha rmix,
>    /usr/bin/qemu-system-arm rmix,
> @@ -132,32 +158,6 @@
>    /usr/bin/qemu-system-x86_64 rmix,
>    /usr/bin/qemu-system-xtensa rmix,
>    /usr/bin/qemu-system-xtensaeb rmix,
> -  /usr/bin/qemu-aarch64 rmix,
> -  /usr/bin/qemu-alpha rmix,
> -  /usr/bin/qemu-arm rmix,
> -  /usr/bin/qemu-armeb rmix,
> -  /usr/bin/qemu-cris rmix,
> -  /usr/bin/qemu-i386 rmix,
> -  /usr/bin/qemu-m68k rmix,
> -  /usr/bin/qemu-microblaze rmix,
> -  /usr/bin/qemu-microblazeel rmix,
> -  /usr/bin/qemu-mips rmix,
> -  /usr/bin/qemu-mips64 rmix,
> -  /usr/bin/qemu-mips64el rmix,
> -  /usr/bin/qemu-mipsel rmix,
> -  /usr/bin/qemu-mipsn32 rmix,
> -  /usr/bin/qemu-mipsn32el rmix,
> -  /usr/bin/qemu-or32 rmix,
> -  /usr/bin/qemu-ppc rmix,
> -  /usr/bin/qemu-ppc64 rmix,
> -  /usr/bin/qemu-ppc64abi32 rmix,
> -  /usr/bin/qemu-ppc64le rmix,
> -  /usr/bin/qemu-s390x rmix,
> -  /usr/bin/qemu-sh4 rmix,
> -  /usr/bin/qemu-sh4eb rmix,
> -  /usr/bin/qemu-sparc rmix,
> -  /usr/bin/qemu-sparc32plus rmix,
> -  /usr/bin/qemu-sparc64 rmix,
>    /usr/bin/qemu-unicore32 rmix,
>    /usr/bin/qemu-x86_64 rmix,
>    # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)

+1 to apply

-- 
Jamie Strandboge             | http://www.canonical.com

More information about the libvir-list mailing list