From: intrigeri <intrigeri+libvirt@boum.org>
---
examples/apparmor/libvirt-qemu | 2 ++
examples/apparmor/usr.sbin.libvirtd | 6 ++++++
2 files changed, 8 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index b341e31f42..5994a35042 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -16,6 +16,8 @@
network inet stream,
network inet6 stream,
+ signal (receive) set=("term") peer=/usr/sbin/libvirtd,
+
/dev/net/tun rw,
/dev/kvm rw,
/dev/ptmx rw,
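Review bot: the `set=("term")` qualifier on the new `signal (receive) set=("term") peer=/usr/sbin/libvirtd,` rule lets the guest profile accept only SIGTERM from libvirtd; any other signal libvirtd directs at its own guest (if it ever escalates to SIGKILL after an ignored SIGTERM, for instance) is denied and surfaces only as an audit entry. Unless the intent is to stop libvirtd from killing its guests, consider dropping the qualifier, `signal (receive) peer=/usr/sbin/libvirtd,`, and keep whatever set is chosen here identical to the matching `signal (send) ... peer=libvirt-*` rule in usr.sbin.libvirtd, since AppArmor must permit the signal in both the sender's and the receiver's profile for it to be delivered.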
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 819068ffc3..eb24726e08 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -30,10 +30,13 @@
# Needed for vfio
capability sys_resource,
+ mount,
+
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
+ network netlink raw,
network packet dgram,
network packet raw,
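Review bot: the unqualified `mount,` grants libvirtd mount and umount of any filesystem type, with any options, source and target, which is a large widening of the profile, and its placement directly under the `# Needed for vfio` comment and `capability sys_resource,` makes it read as part of the vfio requirement. Please add a comment naming the libvirt operation and the denial that prompted it, and scope the rule to that case (AppArmor mount rules accept `fstype=`, `options=` and source/destination paths), for example one rule per mount point rather than a bare `mount,`. `network netlink raw,` is fine.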
@@ -42,6 +45,9 @@
ptrace (trace) peer=/usr/sbin/dnsmasq,
ptrace (trace) peer=libvirt-*,
+ signal (send) set=("hup") peer=/usr/sbin/dnsmasq,
+ signal (send) set=("term") peer=libvirt-*,
+
# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
/ r,
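Review bot: `signal (send) set=("hup") peer=/usr/sbin/dnsmasq,` permits only SIGHUP, so libvirtd can make its dnsmasq reload but cannot terminate it when the network is torn down; unless that is intended, add `term` to the set or drop the qualifier (`signal (send) peer=/usr/sbin/dnsmasq,`) so this rule and the existing `ptrace (trace) peer=/usr/sbin/dnsmasq,` together cover the lifecycle libvirtd manages. The same applies to `signal (send) set=("term") peer=libvirt-*,`: whatever set is chosen must match the `signal (receive)` rule in libvirt-qemu exactly, since a signal is checked against both profiles, and a later change to one side without the other silently breaks delivery.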
--
2.15.0.rc2
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
On Thu, 2017-10-26 at 10:22 +0000, intrigeri+libvirt@boum.org wrote:
> From: intrigeri <intrigeri+libvirt@boum.org>
>
> ---
> examples/apparmor/libvirt-qemu | 2 ++
> examples/apparmor/usr.sbin.libvirtd | 6 ++++++
> 2 files changed, 8 insertions(+)
>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index b341e31f42..5994a35042 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -16,6 +16,8 @@
> network inet stream,
> network inet6 stream,
>
> + signal (receive) set=("term") peer=/usr/sbin/libvirtd,

I suggest this rule instead:

  signal (receive) peer=/usr/sbin/libvirtd,

i.e., let libvirtd send any signals it wants to its VMs.

> /dev/net/tun rw,
> /dev/kvm rw,
> /dev/ptmx rw,
> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> index 819068ffc3..eb24726e08 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -30,10 +30,13 @@
> # Needed for vfio
> capability sys_resource,
>
> + mount,
> +

This is interesting since the Ubuntu profile is missing mount rules. What specific denials/libvirt actions prompted this rule?

> network inet stream,
> network inet dgram,
> network inet6 stream,
> network inet6 dgram,
> + network netlink raw,

This is fine.

> network packet dgram,
> network packet raw,
>
> @@ -42,6 +45,9 @@
> ptrace (trace) peer=/usr/sbin/dnsmasq,
> ptrace (trace) peer=libvirt-*,
>
> + signal (send) set=("hup") peer=/usr/sbin/dnsmasq,

I suspect you are missing 'term' to support net-destroy. I suggest this instead:

  signal (send) peer=/usr/sbin/dnsmasq,

I.e., let libvirtd send any signals to fully manage its dnsmasq.

> + signal (send) set=("term") peer=libvirt-*,

I suggest this instead:

  signal (send) peer=libvirt-*,

I.e., let libvirtd send any signals to its VMs.

I think you are missing this in libvirt-qemu:

  ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,

and this in usr.sbin.libvirtd:

  ptrace (read, trace) peer=libvirt-*,

-- 
Jamie Strandboge | http://www.canonical.com
On Thu, 2017-10-26 at 08:39 -0500, Jamie Strandboge wrote:
> On Thu, 2017-10-26 at 10:22 +0000, intrigeri+libvirt@boum.org wrote:
> > diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> > index 819068ffc3..eb24726e08 100644
> > --- a/examples/apparmor/usr.sbin.libvirtd
> > +++ b/examples/apparmor/usr.sbin.libvirtd
> > @@ -30,10 +30,13 @@
> > # Needed for vfio
> > capability sys_resource,
> >
> > + mount,
> > +
>
> This is interesting since the Ubuntu profile is missing mount rules.
> What specific denials/libvirt actions prompted this rule?
>

Responding to myself now that I read the SUSE bug. I actually suggest using the fine-grained rules in the SUSE patch because it is much easier to add more rules for more access than to take them away. These rules are in the 'examples' directory so I think it is expected that a distribution may need to tailor them from time to time (hopefully upstreaming their changes! :).

-- 
Jamie Strandboge | http://www.canonical.com
Hi,

thanks Jamie for this review. All your suggestions make sense to me, I'll implement + test them and will re-submit as v3.

Cheers,
-- 
intrigeri