From nobody Thu May 15 17:57:02 2025
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28
 as permitted sender) client-ip=209.132.183.28;
 envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com;
Authentication-Results: mx.zohomail.com;
	spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=fail(p=none dis=none)  header.from=canonical.com
Return-Path: <libvir-list-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by
 mx.zohomail.com
	with SMTPS id 1534227523645296.3553706614084;
 Mon, 13 Aug 2018 23:18:43 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com
 [10.5.11.15])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id C88D73082A3A;
	Tue, 14 Aug 2018 06:18:41 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 929445D6B4;
	Tue, 14 Aug 2018 06:18:41 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 42B084A469;
	Tue, 14 Aug 2018 06:18:41 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com
	[10.5.11.16])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id w7E6IWeq031675 for <libvir-list@listman.util.phx.redhat.com>;
	Tue, 14 Aug 2018 02:18:32 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id 660CD4D9E0; Tue, 14 Aug 2018 06:18:32 +0000 (UTC)
Received: from mx1.redhat.com (ext-mx19.extmail.prod.ext.phx2.redhat.com
	[10.5.110.48])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 5FDA8177D4
	for <libvir-list@redhat.com>; Tue, 14 Aug 2018 06:18:29 +0000 (UTC)
Received: from youngberry.canonical.com (youngberry.canonical.com
	[91.189.89.112]) (using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id C162A307D853
	for <libvir-list@redhat.com>; Tue, 14 Aug 2018 06:18:28 +0000 (UTC)
Received: from 1.general.paelzer.uk.vpn ([10.172.196.172] helo=lap.fritz.box)
	by youngberry.canonical.com with esmtpsa
	(TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.76)
	(envelope-from <christian.ehrhardt@canonical.com>)
	id 1fpSex-0002Mo-KB; Tue, 14 Aug 2018 06:18:27 +0000
From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
To: libvir-list@redhat.com,
 =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>,
	intrigeri <intrigeri+libvirt@boum.org>,
	Jamie Strandboge <jamie@canonical.com>
Date: Tue, 14 Aug 2018 08:18:19 +0200
Message-Id: <20180814061822.15439-3-christian.ehrhardt@canonical.com>
In-Reply-To: <20180814061822.15439-1-christian.ehrhardt@canonical.com>
References: <20180814061822.15439-1-christian.ehrhardt@canonical.com>
X-Greylist: Sender passed SPF test, Sender IP whitelisted by DNSRBL, ACL 212
	matched, not delayed by milter-greylist-4.5.16 (mx1.redhat.com
	[10.5.110.48]); Tue, 14 Aug 2018 06:18:28 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com
 [10.5.110.48]);
	Tue, 14 Aug 2018 06:18:28 +0000 (UTC) for IP:'91.189.89.112'
	DOMAIN:'youngberry.canonical.com' HELO:'youngberry.canonical.com'
	FROM:'christian.ehrhardt@canonical.com' RCPT:''
X-RedHat-Spam-Score: -5 (RCVD_IN_DNSWL_HI) 91.189.89.112
	youngberry.canonical.com 91.189.89.112 youngberry.canonical.com
	<christian.ehrhardt@canonical.com>
X-Scanned-By: MIMEDefang 2.84 on 10.5.110.48
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
X-loop: libvir-list@redhat.com
Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH v2 2/5] apparmor: add mediation rules for
	unconfined guests
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
Reply-To: 20180813143946.29346-1-christian.ehrhardt@canonical.com
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
X-Greylist: Sender IP whitelisted,
 not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.45]);
 Tue, 14 Aug 2018 06:18:42 +0000 (UTC)
X-ZohoMail: RDMRC_1  RSF_0  Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

If a guest runs unconfined <seclabel type=3D'none'>, but libvirtd is
confined then the peer for signal can only be detected as
'unconfined'. That triggers issues like:
   apparmor=3D"DENIED" operation=3D"signal"
   profile=3D"/usr/sbin/libvirtd" pid=3D22395 comm=3D"libvirtd"
   requested_mask=3D"send" denied_mask=3D"send" signal=3Dterm peer=3D"uncon=
fined"

To fix this add unconfined as an allowed peer for those operations.

I discussed with the apparmor folks, right now there is no better
separation to be made in this case. But there might be further down the
road with "policy namespaces with scope and view control + stacking"

This is more a use-case addition than a fix to the following two changes:
- 3b1d19e6 AppArmor: add rules needed with additional mediation features
- b482925c apparmor: support ptrace checks

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: intrigeri <intrigeri+libvirt@boum.org>
---
 examples/apparmor/usr.sbin.libvirtd | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sb=
in.libvirtd
index dd37866c2a..3ff43c32a2 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -74,6 +74,9 @@
   # unconfined also required if guests run without security module
   unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dunconfine=
d),
=20
+  # required if guests run unconfined seclabel type=3D'none' but libvirtd =
is confined
+  signal (read, send) peer=3Dunconfined,
+
   # Very lenient profile for libvirtd since we want to first focus on conf=
ining
   # the guests. Guests will have a very restricted profile.
   / r,
--=20
2.17.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list