This patch series implements the AppArmor security driver for sVirt.
This implementation was developed for the Ubuntu AppArmorLibvirtProfile
specification[1], but is general enough for any AppArmor deployment
(such as Ubuntu, *SUSE and Mandriva).
This patch has seen quite a bit of real world testing in Ubuntu 9.10
(our development release) in our 0.7.0-1ubuntu3 package. I did make a
few small changes after going through HACKING, but mostly I got the
tests going and added documentation.
DESIGN
------
When a virtual machine is started, determine if a profile is currently
defined for the machine, and use it if available. If not, generate a new
profile for the machine based on a template, which is by default a very
restrictive profile allowing access to disk files, and anything else
needed to run, such as the pid, monitor and log files.
Virtual machines should have a unique profile specific to that machine.
To ensure uniqueness, the profile name will be derived from the UUID of
the virtual machine. These profiles should be configurable, either by
adjusting the profile template for new machines, creating/modifying the
VM profile directly or through the use of AppArmor abstractions. This
will allow for administrators to fine-tune confinement for individual
machines if desired.
If enabled at compile time, the sVirt security model will be activated
if AppArmor is available on the host OS and a profile for the libvirtd
daemon is loaded when libvirtd is started.
libvirtd should not be allowed to create arbitrary profiles or modify
profiles directly, so as to not allow libvirtd to potentially (i.e. via a
security bug in libvirtd itself) bootstrap out of AppArmor confinement.
Because root privileges are needed to manipulate AppArmor profiles,
qemu:///session will not be supported at this time, but the
implementation must allow for a confined libvirtd with qemu:///session
guests running unconfined. This can be revisited when AppArmor supports
per-user profiles.
Please see the specification[1] for more details.
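The profile selection and generation step described above (look up a profile by the machine's UUID-derived name, otherwise generate one from a restrictive template with the disk files added), as an added example in Python that is not part of this patch series and is not the code of virt-aa-helper. The "libvirt-" name prefix, the template text and the runtime file paths are assumptions made for the example; the in-memory dict stands in for a profile directory. The two security-relevant points it shows are that the name is built from a parsed UUID, so a malformed identifier cannot inject profile syntax, and that disk paths are checked to be absolute, normalised and free of AppArmor glob characters before being written into a path-based rule.

```python
import re
import uuid
from pathlib import PurePosixPath
from string import Template

# Hypothetical template, constructed for this example (not the template
# shipped in examples/apparmor). It is deliberately minimal: the per-machine
# runtime files plus whatever disk rules are generated for this guest.
PROFILE_TEMPLATE = Template("""\
#include <tunables/global>

profile $name flags=(attach_disconnected) {
  #include <abstractions/base>

  # per-machine runtime files (hypothetical paths for this example)
  /var/run/libvirt/qemu/$uuid.pid rw,
  /var/run/libvirt/qemu/$uuid.monitor rw,
  /var/log/libvirt/qemu/$uuid.log w,

  # disk images: one rule per disk, generated per machine
$disk_rules}
""")

# Characters that have meaning in AppArmor rule syntax (globbing, braces,
# separators, comments, quoting); a literal disk path must not contain them.
_RESERVED = re.compile(r'[*?\[\]{}\s,#"]')


def profile_name(vm_uuid: str) -> str:
    """Derive the unique profile name from the VM UUID (prefix is assumed).

    uuid.UUID() rejects anything that is not a UUID and normalises case, so
    the resulting name can only ever be "libvirt-" plus 36 hex/dash chars.
    """
    return "libvirt-" + str(uuid.UUID(vm_uuid))


def disk_rule(path: str, readonly: bool = False) -> str:
    """Turn one disk image path into a single AppArmor file rule.

    Raises ValueError for paths that a path-based MAC must not trust:
    relative paths, paths containing '..', or paths with reserved characters.
    """
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        raise ValueError(f"disk path must be absolute and normalised: {path!r}")
    norm = str(p)  # collapses '.' components and repeated slashes
    if _RESERVED.search(norm):
        raise ValueError(f"disk path contains reserved profile syntax: {path!r}")
    mode = "r" if readonly else "rw"
    return f"  {norm} {mode},\n"


def generate_profile(vm_uuid: str, disks) -> str:
    """Render the template for one machine; disks is (path, readonly) pairs."""
    rules = "".join(disk_rule(path, ro) for path, ro in disks)
    return PROFILE_TEMPLATE.substitute(
        name=profile_name(vm_uuid),
        uuid=str(uuid.UUID(vm_uuid)),
        disk_rules=rules,
    )


def select_profile(vm_uuid: str, disks, existing: dict):
    """Use an administrator-defined profile if one exists, else generate one.

    `existing` maps profile name -> profile text and stands in for the
    profile directory. Returns (name, text, generated_now).
    """
    name = profile_name(vm_uuid)
    if name in existing:
        return name, existing[name], False
    return name, generate_profile(vm_uuid, disks), True


if __name__ == "__main__":
    # Constructed sample input: one read/write image and one read-only ISO.
    sample_uuid = "12345678-1234-5678-1234-567812345678"
    sample_disks = [("/var/lib/libvirt/images/vm1.img", False),
                    ("/srv/isos/install.iso", True)]
    name, text, generated = select_profile(sample_uuid, sample_disks, {})
    print(f"# {name} (generated={generated})")
    print(text)
```

Because the generated profile is written by a separate helper rather than by libvirtd itself, the validation in disk_rule is where an untrusted domain definition meets the profile language; keeping that check strict is what prevents a crafted disk path from widening the rule beyond the single file it names.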
PATCHES
-------
The patches are all against trunk as of yesterday. Testing was done on
trunk and there seem to be no regressions over the 0.7.0-1ubuntu3
package in Ubuntu.
[PATCH 1*]
patch_1a_reenable-nonfile-labels.patch:
When James Morris originally submitted his sVirt patches (as seen in
libvirt 0.6.1), he did not require on-disk labelling for
virSecurityDomainRestoreImageLabel. A later commit[2] changed this
behavior to assume on-disk labelling, which halts implementations for
path-based MAC systems such as AppArmor and TOMOYO where
vm->def->seclabel is required to obtain the label. This patch simply
adds the 'virDomainObjPtr vm' argument back to *RestoreImageLabel.
patch_1b_optional.patch:
Due to the above change, 'make syntax-check' fails because
SELinuxRestoreSecurityImageLabel() does not use the 'virDomainObjPtr
vm'. patch_1b_optional.patch is a simple patch to fix this by checking
whether vm->def->seclabel == NULL and returning with an error if it is. I
realize this may not be desired in the long term, but it should be
harmless enough to include.
[PATCH 2]
patch_2_security_c.patch:
Updates src/security.c for AppArmor
[PATCH 3]
patch_3_security_apparmor.patch:
Adds security_apparmor.c, security_apparmor.h, virt-aa-helper.c and
updates po/POTFILES.in. virt-aa-helper.c is a new binary which is used
exclusively by the AppArmor security driver to manipulate AppArmor.
These files compile without warning and pass syntax-check.
[PATCH 4]
patch_4_tests.patch:
Adds tests for virt-aa-helper and the security driver. secaatest.c is
identical to seclabeltest.c except it initializes the 'apparmor' driver
instead of 'selinux'. These tests are integrated into 'make check' and
pass.
[PATCH 5]
patch_5_docs.patch:
Updates docs/drvqemu.html.in for AppArmor and adds profile examples to
examples/apparmor.
[PATCH 6]
patch_6_autoconf.patch:
Updates Makefile.am and configure.in for AppArmor. It is based on and
should operate the same as the SELinux configuration.
Caveats and known issues:
1. it does not take advantage of the recent host device labelling
functionality yet
2. it does not properly handle hot-plugging of devices yet
3. qemu:///session runs unconfined (see above)
Thanks!
Jamie (jdstrand on Freenode and OFTC)
[1] https://wiki.ubuntu.com/SecurityTeam/Specifications/AppArmorLibvirtProfile
[2] http://libvirt.org/git/?p=libvirt.git;a=commit;h=c86afc85ee0d1ec6d76c2d25...
--
Jamie Strandboge | http://www.canonical.com