On Mon, Jan 10, 2022 at 03:58:55PM -0700, Jim Fehlig wrote:
> On 1/10/22 11:21, Andrea Bolognani wrote:
> > On Mon, Jan 10, 2022 at 04:41:25PM +0100, Tim Wiederhake wrote:
> > > + ("/src/security/apparmor/libvirt-lxc", "devic"),
> >
> > Looking at the context where this appears:
> >
> > deny /sys/d[^e]*{,/**} wklx,
> > deny /sys/de[^v]*{,/**} wklx,
> > deny /sys/dev[^i]*{,/**} wklx,
> > deny /sys/devi[^c]*{,/**} wklx,
> > deny /sys/devic[^e]*{,/**} wklx,
> > deny /sys/device[^s]*{,/**} wklx,
> > deny /sys/devices/[^v]*{,/**} wklx,
> > deny /sys/devices/v[^i]*{,/**} wklx,
> > deny /sys/devices/vi[^r]*{,/**} wklx,
> > deny /sys/devices/vir[^t]*{,/**} wklx,
> > deny /sys/devices/virt[^u]*{,/**} wklx,
> > deny /sys/devices/virtu[^a]*{,/**} wklx,
> > deny /sys/devices/virtua[^l]*{,/**} wklx,
> > deny /sys/devices/virtual/[^n]*{,/**} wklx,
> > deny /sys/devices/virtual/n[^e]*{,/**} wklx,
> > deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
> > deny /sys/devices/virtual/net?*{,/**} wklx,
> > deny /sys/devices/virtual?*{,/**} wklx,
> > deny /sys/devices?*{,/**} wklx,
> >
> > I mean, I don't speak AppArmor but this can't be right, can it? :D
> It's valid apparmor. At least the apparmor parser doesn't complain :-). ISTM
> the last rule should cover the others.
I was not really suggesting that it was not a valid configuration,
it's just that looking at it immediately triggered a "that can't be
the best way to do it" reaction in me ;)
> > Jim, do you think we actually need such a slippery slope of deny
> > rules, or can we simplify things a bit?
> I don't know why all of these deny rules are defined in this manner.
> /sys/class, /proc/sys/kernel, and others are defined similarly. They were
> added by Cedric in commit 9265f8ab67d. Cedric, do you recall the purpose of
> defining the rules in this way?
The script that generated those rules is
https://github.com/lxc/lxc/blob/master/config/apparmor/lxc-generate-aa-ru...
and that's apparently its intended behavior. So there has to be a
reason why it's done this way, right? I just have no idea what it
could possibly be.
--
Andrea Bolognani / Red Hat / Virtualization
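Taken together, the quoted rules deny every path under /sys except the chain /sys/devices, /sys/devices/virtual, /sys/devices/virtual/net and that last directory's subtree, one character position at a time. The Python below is an added example, not libvirt's or lxc's code and not the lxc-generate-aa-rules script linked above: it regenerates that rule shape from a base directory and an allowed subpath and checks sample paths against the result. It assumes simplified AppArmor glob semantics ('*' and '?' stop at '/', '**' crosses it, '[^c]' is a plain character class, '{a,b}' is alternation) and assumes a leading `/sys/[^d]*` rule sits just before the quoted context.

```python
import re

def generate_deny_rules(base, allowed, perms="wklx"):
    """Deny everything under `base` except `allowed` and its subtree, in the
    order seen in the thread: one '[^c]*' rule per character of `allowed`,
    then one '?*' rule per path component, longest first."""
    rules = []
    for i, ch in enumerate(allowed):
        if ch != "/":  # a '/' boundary is covered by the '?*' rules below
            rules.append(f"deny {base}/{allowed[:i]}[^{ch}]*{{,/**}} {perms},")
    parts = allowed.split("/")
    for n in range(len(parts), 0, -1):
        rules.append(f"deny {base}/{'/'.join(parts[:n])}?*{{,/**}} {perms},")
    return rules

def glob_to_regex(glob):
    """Assumed, simplified AppArmor glob -> Python regex: '*' and '?' stop
    at '/', '**' crosses it, '[...]' passes through, '{a,b}' alternates."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif c in "*?":
            out.append("[^/]*" if c == "*" else "[^/]"); i += 1
        elif c == "[":
            j = glob.index("]", i); out.append(glob[i:j + 1]); i = j + 1
        elif c == "{":
            j = glob.index("}", i)
            out.append("(?:%s)" % "|".join(glob_to_regex(a) for a in glob[i + 1:j].split(",")))
            i = j + 1
        else:
            out.append(re.escape(c)); i += 1
    return "".join(out)

def denied_by(path, rules):
    """Return the first rule whose glob matches `path`, or None."""
    for rule in rules:
        glob = rule.split()[1]  # rule shape: 'deny <glob> <perms>,'
        if re.fullmatch(glob_to_regex(glob), path):
            return rule
    return None

if __name__ == "__main__":
    rules = generate_deny_rules("/sys", "devices/virtual/net")
    for p in ("/sys/dev/block", "/sys/devices/virtual/netfoo",
              "/sys/devices/virtual/net/eth0", "/sys/devices/virtual"):
        print(p, "->", denied_by(p, rules) or "not denied")
```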