From nobody Tue Apr 23 12:55:33 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail(p=none dis=none) header.from=canonical.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1534227517817895.891464934744; Mon, 13 Aug 2018 23:18:37 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 70B863082A3C; Tue, 14 Aug 2018 06:18:35 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id DC8C01001F44; Tue, 14 Aug 2018 06:18:34 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 3493F18037ED; Tue, 14 Aug 2018 06:18:33 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id w7E6IW2I031670 for ; Tue, 14 Aug 2018 02:18:32 -0400 Received: by smtp.corp.redhat.com (Postfix) id 0B288308BDA4; Tue, 14 Aug 2018 06:18:32 +0000 (UTC) Received: from mx1.redhat.com (ext-mx08.extmail.prod.ext.phx2.redhat.com [10.5.110.32]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 031E8308BDAF for ; Tue, 14 Aug 2018 06:18:28 +0000 (UTC) Received: from youngberry.canonical.com (youngberry.canonical.com [91.189.89.112]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 99134C057F85 for ; Tue, 14 Aug 2018 06:18:27 +0000 (UTC) Received: from 1.general.paelzer.uk.vpn ([10.172.196.172] helo=lap.fritz.box) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1fpSew-0002Mo-Fb; Tue, 14 Aug 2018 06:18:26 +0000 From: Christian Ehrhardt To: libvir-list@redhat.com, =?UTF-8?q?Guido=20G=C3=BCnther?= , intrigeri , Jamie Strandboge Date: Tue, 14 Aug 2018 08:18:18 +0200 Message-Id: <20180814061822.15439-2-christian.ehrhardt@canonical.com> In-Reply-To: <20180814061822.15439-1-christian.ehrhardt@canonical.com> References: <20180814061822.15439-1-christian.ehrhardt@canonical.com> X-Greylist: Sender passed SPF test, Sender IP whitelisted by DNSRBL, ACL 212 matched, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Tue, 14 Aug 2018 06:18:27 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Tue, 14 Aug 2018 06:18:27 +0000 (UTC) for IP:'91.189.89.112' DOMAIN:'youngberry.canonical.com' HELO:'youngberry.canonical.com' FROM:'christian.ehrhardt@canonical.com' RCPT:'' X-RedHat-Spam-Score: -5 (RCVD_IN_DNSWL_HI) 91.189.89.112 youngberry.canonical.com 91.189.89.112 youngberry.canonical.com X-Scanned-By: MIMEDefang 2.78 on 10.5.110.32 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.24 X-loop: libvir-list@redhat.com Cc: Christian Ehrhardt Subject: [libvirt] [PATCH v2 1/5] apparmor: allow openGraphicsFD for virt manager >1.4 X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk Reply-To: 20180813143946.29346-1-christian.ehrhardt@canonical.com List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.45]); Tue, 14 Aug 2018 06:18:36 +0000 (UTC) X-ZohoMail: RDMRC_1 RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" virt-manager's UI connection will need socket access for openGraphicsFD to work - otherwise users will face a failed connection error when opening the UI view. Depending on the exact versions of libvirt and qemu involved this needs either a rule from qemu to libvirt or vice versa. Acked-by: Jamie Strandboge Signed-off-by: Christian Ehrhardt --- examples/apparmor/libvirt-qemu | 3 +++ examples/apparmor/usr.sbin.libvirtd | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index df5f512487..5caf14e418 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -188,6 +188,9 @@ @{PROC}/device-tree/** r, /sys/firmware/devicetree/** r, =20 + # allow connect with openGraphicsFD to work + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3D/usr/sbin= /libvirtd), + # for gathering information about available host resources /sys/devices/system/cpu/ r, /sys/devices/system/node/ r, diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sb= in.libvirtd index 3102cab382..dd37866c2a 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -69,6 +69,11 @@ unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3D/usr/sbin= /libvirtd//qemu_bridge_helper), signal (send) set=3D("term") peer=3D/usr/sbin/libvirtd//qemu_bridge_help= er, =20 + # allow connect with openGraphicsFD, direction reversed in newer versions + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirt-[= 0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*), + # unconfined also required if guests run without security module + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d), + # Very lenient profile for libvirtd since we want to first focus on conf= ining # the guests. Guests will have a very restricted profile. / r, --=20 2.17.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Tue Apr 23 12:55:33 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail(p=none dis=none) header.from=canonical.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1534227523645296.3553706614084; Mon, 13 Aug 2018 23:18:43 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id C88D73082A3A; Tue, 14 Aug 2018 06:18:41 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 929445D6B4; Tue, 14 Aug 2018 06:18:41 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 42B084A469; Tue, 14 Aug 2018 06:18:41 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id w7E6IWeq031675 for ; Tue, 14 Aug 2018 02:18:32 -0400 Received: by smtp.corp.redhat.com (Postfix) id 660CD4D9E0; Tue, 14 Aug 2018 06:18:32 +0000 (UTC) Received: from mx1.redhat.com (ext-mx19.extmail.prod.ext.phx2.redhat.com [10.5.110.48]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 5FDA8177D4 for ; Tue, 14 Aug 2018 06:18:29 +0000 (UTC) Received: from youngberry.canonical.com (youngberry.canonical.com [91.189.89.112]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id C162A307D853 for ; Tue, 14 Aug 2018 06:18:28 +0000 (UTC) Received: from 1.general.paelzer.uk.vpn ([10.172.196.172] helo=lap.fritz.box) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1fpSex-0002Mo-KB; Tue, 14 Aug 2018 06:18:27 +0000 From: Christian Ehrhardt To: libvir-list@redhat.com, =?UTF-8?q?Guido=20G=C3=BCnther?= , intrigeri , Jamie Strandboge Date: Tue, 14 Aug 2018 08:18:19 +0200 Message-Id: <20180814061822.15439-3-christian.ehrhardt@canonical.com> In-Reply-To: <20180814061822.15439-1-christian.ehrhardt@canonical.com> References: <20180814061822.15439-1-christian.ehrhardt@canonical.com> X-Greylist: Sender passed SPF test, Sender IP whitelisted by DNSRBL, ACL 212 matched, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.48]); Tue, 14 Aug 2018 06:18:28 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.48]); Tue, 14 Aug 2018 06:18:28 +0000 (UTC) for IP:'91.189.89.112' DOMAIN:'youngberry.canonical.com' HELO:'youngberry.canonical.com' FROM:'christian.ehrhardt@canonical.com' RCPT:'' X-RedHat-Spam-Score: -5 (RCVD_IN_DNSWL_HI) 91.189.89.112 youngberry.canonical.com 91.189.89.112 youngberry.canonical.com X-Scanned-By: MIMEDefang 2.84 on 10.5.110.48 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-loop: libvir-list@redhat.com Cc: Christian Ehrhardt Subject: [libvirt] [PATCH v2 2/5] apparmor: add mediation rules for unconfined guests X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk Reply-To: 20180813143946.29346-1-christian.ehrhardt@canonical.com List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.45]); Tue, 14 Aug 2018 06:18:42 +0000 (UTC) X-ZohoMail: RDMRC_1 RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" If a guest runs unconfined , but libvirtd is confined then the peer for signal can only be detected as 'unconfined'. That triggers issues like: apparmor=3D"DENIED" operation=3D"signal" profile=3D"/usr/sbin/libvirtd" pid=3D22395 comm=3D"libvirtd" requested_mask=3D"send" denied_mask=3D"send" signal=3Dterm peer=3D"uncon= fined" To fix this add unconfined as an allowed peer for those operations. I discussed with the apparmor folks, right now there is no better separation to be made in this case. But there might be further down the road with "policy namespaces with scope and view control + stacking" This is more a use-case addition than a fix to the following two changes: - 3b1d19e6 AppArmor: add rules needed with additional mediation features - b482925c apparmor: support ptrace checks Signed-off-by: Christian Ehrhardt Acked-by: Jamie Strandboge Acked-by: intrigeri --- examples/apparmor/usr.sbin.libvirtd | 3 +++ 1 file changed, 3 insertions(+) diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sb= in.libvirtd index dd37866c2a..3ff43c32a2 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -74,6 +74,9 @@ # unconfined also required if guests run without security module unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine= d), =20 + # required if guests run unconfined seclabel type=3D'none' but libvirtd = is confined + signal (read, send) peer=3Dunconfined, + # Very lenient profile for libvirtd since we want to first focus on conf= ining # the guests. Guests will have a very restricted profile. / r, --=20 2.17.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Tue Apr 23 12:55:33 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail(p=none dis=none) header.from=canonical.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1534227523621221.65376679041754; Mon, 13 Aug 2018 23:18:43 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id CFF1F30820D4; Tue, 14 Aug 2018 06:18:41 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 9565D18515; Tue, 14 Aug 2018 06:18:41 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 440B918037F5; Tue, 14 Aug 2018 06:18:41 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id w7E6IXDR031689 for ; Tue, 14 Aug 2018 02:18:34 -0400 Received: by smtp.corp.redhat.com (Postfix) id EEA8C10694E2; Tue, 14 Aug 2018 06:18:33 +0000 (UTC) Received: from mx1.redhat.com (ext-mx08.extmail.prod.ext.phx2.redhat.com [10.5.110.32]) by smtp.corp.redhat.com (Postfix) with ESMTPS id E736310694D3 for ; Tue, 14 Aug 2018 06:18:31 +0000 (UTC) Received: from youngberry.canonical.com (youngberry.canonical.com [91.189.89.112]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 09BCEC057F92 for ; Tue, 14 Aug 2018 06:18:30 +0000 (UTC) Received: from 1.general.paelzer.uk.vpn ([10.172.196.172] helo=lap.fritz.box) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1fpSey-0002Mo-SH; Tue, 14 Aug 2018 06:18:28 +0000 From: Christian Ehrhardt To: libvir-list@redhat.com, =?UTF-8?q?Guido=20G=C3=BCnther?= , intrigeri , Jamie Strandboge Date: Tue, 14 Aug 2018 08:18:20 +0200 Message-Id: <20180814061822.15439-4-christian.ehrhardt@canonical.com> In-Reply-To: <20180814061822.15439-1-christian.ehrhardt@canonical.com> References: <20180814061822.15439-1-christian.ehrhardt@canonical.com> X-Greylist: Sender passed SPF test, Sender IP whitelisted by DNSRBL, ACL 212 matched, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Tue, 14 Aug 2018 06:18:30 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Tue, 14 Aug 2018 06:18:30 +0000 (UTC) for IP:'91.189.89.112' DOMAIN:'youngberry.canonical.com' HELO:'youngberry.canonical.com' FROM:'christian.ehrhardt@canonical.com' RCPT:'' X-RedHat-Spam-Score: -5 (RCVD_IN_DNSWL_HI) 91.189.89.112 youngberry.canonical.com 91.189.89.112 youngberry.canonical.com X-Scanned-By: MIMEDefang 2.78 on 10.5.110.32 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-loop: libvir-list@redhat.com Cc: Christian Ehrhardt Subject: [libvirt] [PATCH v2 3/5] apparmor: allow expected /tmp access patterns X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk Reply-To: 20180813143946.29346-1-christian.ehrhardt@canonical.com List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.47]); Tue, 14 Aug 2018 06:18:42 +0000 (UTC) X-ZohoMail: RDMRC_1 RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Several cases were found needing /tmp, for example ceph will try to list /t= mp This is a compromise of security and usability: - we only allow generally enumerating the base dir - enumerating anything deeper in the dir is at least guarded by the "owner" restriction, but while that protects files of other services it won't protect qemu instances against each other as they usually run with the same user. - even with the owner restriction we only allow read for the wildcard path Signed-off-by: Christian Ehrhardt --- examples/apparmor/libvirt-qemu | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 5caf14e418..6971d3db03 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -180,6 +180,18 @@ # for rbd /etc/ceph/ceph.conf r, =20 + # Various functions will need to enumerate /tmp (e.g. ceph), allow the b= ase + # dir and a few known functions like samba support. + # We want to avoid to give blanket rw permission to everything under /tm= p, + # users are expected to add site specific addons for more uncommon cases. + # Qemu processes usually all run as the same users, so the "owner" restr= iction + # prevents access to other services files, but not across different inst= ances. + # This is a tradeoff between usability and security - if paths would be = more + # predictable that would be preferred - at least for write rules we would + # want more unique paths per rule. + /{,var/}tmp/ r, + owner /{,var/}tmp/**/ r, + # for file-posix getting limits since 9103f1ce /sys/devices/**/block/*/queue/max_segments r, =20 --=20 2.17.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Tue Apr 23 12:55:33 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail(p=none dis=none) header.from=canonical.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1534227518598508.1630588374072; Mon, 13 Aug 2018 23:18:38 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx12.intmail.prod.int.phx2.redhat.com [10.5.11.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 3840FC057F92; Tue, 14 Aug 2018 06:18:36 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 056C6AD029; Tue, 14 Aug 2018 06:18:36 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id A2B1818037EF; Tue, 14 Aug 2018 06:18:35 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id w7E6IXog031688 for ; Tue, 14 Aug 2018 02:18:34 -0400 Received: by smtp.corp.redhat.com (Postfix) id EF0EE1001F44; Tue, 14 Aug 2018 06:18:33 +0000 (UTC) Received: from mx1.redhat.com (ext-mx10.extmail.prod.ext.phx2.redhat.com [10.5.110.39]) by smtp.corp.redhat.com (Postfix) with ESMTPS id E6BB81001F49 for ; Tue, 14 Aug 2018 06:18:33 +0000 (UTC) Received: from youngberry.canonical.com (youngberry.canonical.com [91.189.89.112]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 40CE45D5E6 for ; Tue, 14 Aug 2018 06:18:31 +0000 (UTC) Received: from 1.general.paelzer.uk.vpn ([10.172.196.172] helo=lap.fritz.box) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1fpSf0-0002Mo-1r; Tue, 14 Aug 2018 06:18:30 +0000 From: Christian Ehrhardt To: libvir-list@redhat.com, =?UTF-8?q?Guido=20G=C3=BCnther?= , intrigeri , Jamie Strandboge Date: Tue, 14 Aug 2018 08:18:21 +0200 Message-Id: <20180814061822.15439-5-christian.ehrhardt@canonical.com> In-Reply-To: <20180814061822.15439-1-christian.ehrhardt@canonical.com> References: <20180814061822.15439-1-christian.ehrhardt@canonical.com> X-Greylist: Sender passed SPF test, Sender IP whitelisted by DNSRBL, ACL 212 matched, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Tue, 14 Aug 2018 06:18:31 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Tue, 14 Aug 2018 06:18:31 +0000 (UTC) for IP:'91.189.89.112' DOMAIN:'youngberry.canonical.com' HELO:'youngberry.canonical.com' FROM:'christian.ehrhardt@canonical.com' RCPT:'' X-RedHat-Spam-Score: -5 (RCVD_IN_DNSWL_HI) 91.189.89.112 youngberry.canonical.com 91.189.89.112 youngberry.canonical.com X-Scanned-By: MIMEDefang 2.78 on 10.5.110.39 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-loop: libvir-list@redhat.com Cc: Christian Ehrhardt Subject: [libvirt] [PATCH v2 4/5] apparmor: allow qemu-smb access in /tmp X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk Reply-To: 20180813143946.29346-1-christian.ehrhardt@canonical.com List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.27 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Tue, 14 Aug 2018 06:18:36 +0000 (UTC) X-ZohoMail: RDMRC_1 RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" The samba feature of qemu will place the samba config file in /tmp/qemu-smb.. But at least it has a predictable path identifying qemu-smb feature itself by an infix in the path. This is a compromise of security and usability as the "owner" restriction will not protect guests among each other. Therefore the rule added makes the feature usable, but does not allow cross guest protection. Core issue is, that it is currently impossible to predict the PID which wou= ld follow "qemu-smb-", but long term, once the samba feature would be exposed = in guest XML we'd prefer a virt-aa-helper based solution that can render the samba rule on demand and with a custom PID into the per guest profile. But the same is true for manual user overrides for this feature as well, they can neither predict the PID, nor have a local include per-guest. There= by punting this to the user to add the rule later will not make it safer, but only less usable. Signed-off-by: Christian Ehrhardt --- examples/apparmor/libvirt-qemu | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 6971d3db03..350b13b824 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -191,6 +191,11 @@ # want more unique paths per rule. /{,var/}tmp/ r, owner /{,var/}tmp/**/ r, + # allow qemu smb feature specific path with write access + # TODO: This is a compromise between security and usability - once e.g. = samba + # would be expressed in libvirt XML it should be added on demand via + # virt-aa-helper instead. + owner /tmp/qemu-smb.*/{,**} rw, =20 # for file-posix getting limits since 9103f1ce /sys/devices/**/block/*/queue/max_segments r, --=20 2.17.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Tue Apr 23 12:55:33 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail(p=none dis=none) header.from=canonical.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1534227527662978.4273960701499; Mon, 13 Aug 2018 23:18:47 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx12.intmail.prod.int.phx2.redhat.com [10.5.11.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id C2683C057F82; Tue, 14 Aug 2018 06:18:45 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 825ABABDFA; Tue, 14 Aug 2018 06:18:45 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 2F7D74A46D; Tue, 14 Aug 2018 06:18:45 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id w7E6Ibh6031717 for ; Tue, 14 Aug 2018 02:18:37 -0400 Received: by smtp.corp.redhat.com (Postfix) id 4E02D60921; Tue, 14 Aug 2018 06:18:37 +0000 (UTC) Received: from mx1.redhat.com (ext-mx16.extmail.prod.ext.phx2.redhat.com [10.5.110.45]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 4339E6E518 for ; Tue, 14 Aug 2018 06:18:32 +0000 (UTC) Received: from youngberry.canonical.com (youngberry.canonical.com [91.189.89.112]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 130223082A3D for ; Tue, 14 Aug 2018 06:18:32 +0000 (UTC) Received: from 1.general.paelzer.uk.vpn ([10.172.196.172] helo=lap.fritz.box) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1fpSf0-0002Mo-Sw; Tue, 14 Aug 2018 06:18:30 +0000 From: Christian Ehrhardt To: libvir-list@redhat.com, =?UTF-8?q?Guido=20G=C3=BCnther?= , intrigeri , Jamie Strandboge Date: Tue, 14 Aug 2018 08:18:22 +0200 Message-Id: <20180814061822.15439-6-christian.ehrhardt@canonical.com> In-Reply-To: <20180814061822.15439-1-christian.ehrhardt@canonical.com> References: <20180814061822.15439-1-christian.ehrhardt@canonical.com> X-Greylist: Sender passed SPF test, Sender IP whitelisted by DNSRBL, ACL 212 matched, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.45]); Tue, 14 Aug 2018 06:18:32 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.45]); Tue, 14 Aug 2018 06:18:32 +0000 (UTC) for IP:'91.189.89.112' DOMAIN:'youngberry.canonical.com' HELO:'youngberry.canonical.com' FROM:'christian.ehrhardt@canonical.com' RCPT:'' X-RedHat-Spam-Score: -5 (RCVD_IN_DNSWL_HI) 91.189.89.112 youngberry.canonical.com 91.189.89.112 youngberry.canonical.com X-Scanned-By: MIMEDefang 2.84 on 10.5.110.45 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-loop: libvir-list@redhat.com Cc: Christian Ehrhardt Subject: [libvirt] [PATCH v2 5/5] apparmor: allow to preserve /dev mountpoints into qemu namespaces X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk Reply-To: 20180813143946.29346-1-christian.ehrhardt@canonical.com List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.27 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Tue, 14 Aug 2018 06:18:46 +0000 (UTC) X-ZohoMail: RDMRC_1 RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Libvirt now tries to preserve all mounts under /dev in qemu namespaces. The old rules only listed a set of known paths but those are no more enough. I found some due to containers like /dev/.lxc/* and such but also /dev/cons= ole and /dev/net/tun. Libvirt is correct to do so, but we can no more predict the names properly,= so we modify the rule to allow a wildcard based pattern matching what libvirt = does. Signed-off-by: Christian Ehrhardt --- examples/apparmor/usr.sbin.libvirtd | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sb= in.libvirtd index 3ff43c32a2..8625862ced 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -33,17 +33,11 @@ mount options=3D(rw,rslave) -> /, mount options=3D(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/, =20 - mount options=3D(rw, move) /dev/ -> /{var/,}run/libvirt/qemu/*= .dev/, - mount options=3D(rw, move) /dev/hugepages/ -> /{var/,}run/libvirt/qemu/*= .hugepages/, - mount options=3D(rw, move) /dev/mqueue/ -> /{var/,}run/libvirt/qemu/*= .mqueue/, - mount options=3D(rw, move) /dev/pts/ -> /{var/,}run/libvirt/qemu/*= .pts/, - mount options=3D(rw, move) /dev/shm/ -> /{var/,}run/libvirt/qemu/*= .shm/, - - mount options=3D(rw, move) /{var/,}run/libvirt/qemu/*.dev/ -> /dev= /, - mount options=3D(rw, move) /{var/,}run/libvirt/qemu/*.hugepages/ -> /dev= /hugepages/, - mount options=3D(rw, move) /{var/,}run/libvirt/qemu/*.mqueue/ -> /dev= /mqueue/, - mount options=3D(rw, move) /{var/,}run/libvirt/qemu/*.pts/ -> /dev= /pts/, - mount options=3D(rw, move) /{var/,}run/libvirt/qemu/*.shm/ -> /dev= /shm/, + # libvirt provides any mounts under /dev to qemu namespaces + mount options=3D(rw, move) /dev/ -> /{var/,}run/libvirt/qemu/*.dev/, + mount options=3D(rw, move) /dev/** -> /{var/,}run/libvirt/qemu/*{/,}, + mount options=3D(rw, move) /{var/,}run/libvirt/qemu/*.dev/ -> /dev/, + mount options=3D(rw, move) /{var/,}run/libvirt/qemu/*{/,} -> /dev/**, =20 network inet stream, network inet dgram, --=20 2.17.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list