A new apparmor profile initially derived from the libvirtd profile.
All rules were prefixed with the 'audit' qualifier to verify they
are actually used by virtxend. It turns out that several, beyond
the obvious ones, can be dropped in the resulting virtxend profile.
Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
---
V3:
Added back a few more capabilities to the virtxend profile after
checking git history.
src/security/apparmor/meson.build | 1 +
src/security/apparmor/usr.sbin.virtxend.in | 55 ++++++++++++++++++++++
2 files changed, 56 insertions(+)
diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
index 56f308bf3a..990f00b4f3 100644
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -2,6 +2,7 @@ apparmor_gen_profiles = [
'usr.lib.libvirt.virt-aa-helper',
'usr.sbin.libvirtd',
'usr.sbin.virtqemud',
+ 'usr.sbin.virtxend',
]
apparmor_gen_profiles_conf = configuration_data()
diff --git a/src/security/apparmor/usr.sbin.virtxend.in
b/src/security/apparmor/usr.sbin.virtxend.in
new file mode 100644
index 0000000000..0f6b825f47
--- /dev/null
+++ b/src/security/apparmor/usr.sbin.virtxend.in
@@ -0,0 +1,55 @@
+#include <tunables/global>
+
+profile virtxend @sbindir@/virtxend flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/dbus>
+
+ capability kill,
+ capability setgid,
+ capability setuid,
+ capability sys_pacct,
+ capability ipc_lock,
+
+ network inet stream,
+ network inet dgram,
+ network inet6 stream,
+ network inet6 dgram,
+ network netlink raw,
+ network packet dgram,
+ network packet raw,
+
+ # for --p2p migrations
+ unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
+
+ ptrace (read,trace) peer=unconfined,
+
+ signal (send) set=("kill", "term", "hup")
peer=unconfined,
+
+ # Very lenient profile for virtxend
+ / r,
+ /** rwmkl,
+
+ /bin/* PUx,
+ /sbin/* PUx,
+ /usr/bin/* PUx,
+ @sbindir@/virtlogd pix,
+ @sbindir@/* PUx,
+ /{usr/,}lib/udev/scsi_id PUx,
+ /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
+ /usr/{lib,lib64}/xen/bin/* Ux,
+ /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,
+ /usr/{lib,libexec}/xen-*/bin/pygrub PUx,
+
+ # force the use of virt-aa-helper
+ audit deny /{usr/,}sbin/apparmor_parser rwxl,
+ audit deny /etc/apparmor.d/libvirt/** wxl,
+ audit deny /sys/kernel/security/apparmor/features rwxl,
+ audit deny /sys/kernel/security/apparmor/matching rwxl,
+ audit deny /sys/kernel/security/apparmor/.* rwxl,
+ /sys/kernel/security/apparmor/profiles r,
+ @libexecdir@/* PUxr,
+ @libexecdir@/libvirt_parthelper ix,
+ @libexecdir@/libvirt_iohelper ix,
+ /etc/libvirt/hooks/** rmix,
+ /etc/xen/scripts/** rmix,
+}
--
2.31.1