[PATCH v2 5/7] apparmor: Sort paths in blocks in libvirt-qemu profile

Christian Ehrhardt christian.ehrhardt at canonical.com
Thu Jan 30 07:46:24 UTC 2020


On Thu, Jan 30, 2020 at 8:06 AM Michal Privoznik <mprivozn at redhat.com>
wrote:

> Even though we construct a domain specific profile for each
> domain we start (which should cover domain specific paths), there
> is also another file that is included from the profile and which
> contains domain agnostic paths (e.g. to cover libraries that qemu
> links with). The paths in the file are split into blocks divided
> by comments. Sort the paths in each block individually (comparing them
> case-insensitively).
>
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
>

Acked-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>


> ---
>  src/security/apparmor/libvirt-qemu | 76 +++++++++++++++---------------
>  1 file changed, 38 insertions(+), 38 deletions(-)
>
> diff --git a/src/security/apparmor/libvirt-qemu
> b/src/security/apparmor/libvirt-qemu
> index d33348aa05..2291829270 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -22,8 +22,8 @@
>    signal (receive) peer=libvirtd,
>    signal (receive) peer=/usr/sbin/libvirtd,
>
> -  /dev/net/tun rw,
>    /dev/kvm rw,
> +  /dev/net/tun rw,
>    /dev/ptmx rw,
>    @{PROC}/*/status r,
>    # When qemu is signaled to terminate, it will read cmdline of signaling
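Review bot: Nothing in the profile records that each comment-delimited block is now kept in case-insensitive sorted order, so the next rule added is likely to be appended at the end of a block as before and the ordering this patch establishes will drift; the same applies to the remaining hunks of this file. A one-line maintainer comment near the top of the profile, for example `# Paths within each comment-delimited block are kept sorted case-insensitively; insert new rules in order.`, would make the invariant visible to the next editor. The reordering itself should not change any access decision, since AppArmor accumulates the permissions of every matching rule rather than applying the first match, so the review concern is purely about maintainability of the block layout.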
> @@ -39,19 +39,19 @@
>    /sys/bus/usb/devices/ r,
>    /sys/devices/**/usb[0-9]*/** r,
>    # libusb needs udev data about usb devices (~equal to content of lsusb
> -v)
> +  /run/udev/data/+usb* r,
>    /run/udev/data/c16[6,7]* r,
>    /run/udev/data/c18[0,8,9]* r,
> -  /run/udev/data/+usb* r,
>
>    # WARNING: this gives the guest direct access to host hardware and
> specific
>    # portions of shared memory. This is required for sound using ALSA with
> kvm,
>    # but may constitute a security risk. If your environment does not
> require
>    # the use of sound in your VMs, feel free to comment out or prepend
> 'deny' to
>    # the rules for files in /dev.
> +  /dev/snd/* rw,
>    /{dev,run}/shm r,
>    /{dev,run}/shmpulse-shm* r,
>    /{dev,run}/shmpulse-shm* rwk,
> -  /dev/snd/* rw,
>    capability ipc_lock,
>    # spice
>    owner /{dev,run}/shm/spice.* rw,
> @@ -73,21 +73,21 @@
>    /var/lib/dbus/machine-id r,
>
>    # access to firmware's etc
> -  /usr/share/kvm/** r,
> -  /usr/share/qemu/** r,
> -  /usr/share/qemu-kvm/** r,
> +  /usr/share/AAVMF/** r,
>    /usr/share/bochs/** r,
> +  /usr/share/kvm/** r,
> +  /usr/share/misc/sgabios.bin r,
>    /usr/share/openbios/** r,
>    /usr/share/openhackware/** r,
> -  /usr/share/proll/** r,
> -  /usr/share/vgabios/** r,
> -  /usr/share/seabios/** r,
> -  /usr/share/misc/sgabios.bin r,
> -  /usr/share/ovmf/** r,
>    /usr/share/OVMF/** r,
> -  /usr/share/AAVMF/** r,
> +  /usr/share/ovmf/** r,
> +  /usr/share/proll/** r,
>    /usr/share/qemu-efi/** r,
> +  /usr/share/qemu-kvm/** r,
> +  /usr/share/qemu/** r,
> +  /usr/share/seabios/** r,
>    /usr/share/slof/** r,
> +  /usr/share/vgabios/** r,
>
>    # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
>    /etc/pki/CA/ r,
> @@ -98,7 +98,33 @@
>    # the various binaries
>    /usr/bin/kvm rmix,
>    /usr/bin/qemu rmix,
> +  /usr/bin/qemu-aarch64 rmix,
> +  /usr/bin/qemu-alpha rmix,
> +  /usr/bin/qemu-arm rmix,
> +  /usr/bin/qemu-armeb rmix,
> +  /usr/bin/qemu-cris rmix,
> +  /usr/bin/qemu-i386 rmix,
>    /usr/bin/qemu-kvm rmix,
> +  /usr/bin/qemu-m68k rmix,
> +  /usr/bin/qemu-microblaze rmix,
> +  /usr/bin/qemu-microblazeel rmix,
> +  /usr/bin/qemu-mips rmix,
> +  /usr/bin/qemu-mips64 rmix,
> +  /usr/bin/qemu-mips64el rmix,
> +  /usr/bin/qemu-mipsel rmix,
> +  /usr/bin/qemu-mipsn32 rmix,
> +  /usr/bin/qemu-mipsn32el rmix,
> +  /usr/bin/qemu-or32 rmix,
> +  /usr/bin/qemu-ppc rmix,
> +  /usr/bin/qemu-ppc64 rmix,
> +  /usr/bin/qemu-ppc64abi32 rmix,
> +  /usr/bin/qemu-ppc64le rmix,
> +  /usr/bin/qemu-s390x rmix,
> +  /usr/bin/qemu-sh4 rmix,
> +  /usr/bin/qemu-sh4eb rmix,
> +  /usr/bin/qemu-sparc rmix,
> +  /usr/bin/qemu-sparc32plus rmix,
> +  /usr/bin/qemu-sparc64 rmix,
>    /usr/bin/qemu-system-aarch64 rmix,
>    /usr/bin/qemu-system-alpha rmix,
>    /usr/bin/qemu-system-arm rmix,
> @@ -132,32 +158,6 @@
>    /usr/bin/qemu-system-x86_64 rmix,
>    /usr/bin/qemu-system-xtensa rmix,
>    /usr/bin/qemu-system-xtensaeb rmix,
> -  /usr/bin/qemu-aarch64 rmix,
> -  /usr/bin/qemu-alpha rmix,
> -  /usr/bin/qemu-arm rmix,
> -  /usr/bin/qemu-armeb rmix,
> -  /usr/bin/qemu-cris rmix,
> -  /usr/bin/qemu-i386 rmix,
> -  /usr/bin/qemu-m68k rmix,
> -  /usr/bin/qemu-microblaze rmix,
> -  /usr/bin/qemu-microblazeel rmix,
> -  /usr/bin/qemu-mips rmix,
> -  /usr/bin/qemu-mips64 rmix,
> -  /usr/bin/qemu-mips64el rmix,
> -  /usr/bin/qemu-mipsel rmix,
> -  /usr/bin/qemu-mipsn32 rmix,
> -  /usr/bin/qemu-mipsn32el rmix,
> -  /usr/bin/qemu-or32 rmix,
> -  /usr/bin/qemu-ppc rmix,
> -  /usr/bin/qemu-ppc64 rmix,
> -  /usr/bin/qemu-ppc64abi32 rmix,
> -  /usr/bin/qemu-ppc64le rmix,
> -  /usr/bin/qemu-s390x rmix,
> -  /usr/bin/qemu-sh4 rmix,
> -  /usr/bin/qemu-sh4eb rmix,
> -  /usr/bin/qemu-sparc rmix,
> -  /usr/bin/qemu-sparc32plus rmix,
> -  /usr/bin/qemu-sparc64 rmix,
>    /usr/bin/qemu-unicore32 rmix,
>    /usr/bin/qemu-x86_64 rmix,
>    # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
> --
> 2.24.1
>
>

-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd