On Tue, Sep 08, 2009 at 04:22:56PM -0500, Jamie Strandboge wrote:
diff -Nurp ./libvirt.orig/examples/apparmor/usr.sbin.libvirtd ./libvirt/examples/apparmor/usr.sbin.libvirtd
--- ./libvirt.orig/examples/apparmor/usr.sbin.libvirtd 1969-12-31 18:00:00.000000000 -0600
+++ ./libvirt/examples/apparmor/usr.sbin.libvirtd 2009-09-08 15:32:22.000000000 -0500
@@ -0,0 +1,39 @@
+# Last Modified: Mon Jul 6 17:23:58 2009
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
+
+/usr/sbin/libvirtd {
+ #include <abstractions/base>
+
+ capability kill,
+ capability net_admin,
+ capability net_raw,
+ capability setgid,
+ capability sys_admin,
+ capability sys_module,
+ capability sys_ptrace,
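Review bot: `capability sys_module,` lets the confined daemon load arbitrary kernel modules, which undoes whatever the rest of the profile restricts; either drop it if the modules libvirtd depends on are loaded before confinement, or add a comment naming the operation that needs it. The same applies to `capability sys_admin,` and `capability net_admin,`: a one-line comment per capability rule saying which libvirtd operation requires it would let reviewers judge whether the set is the minimum rather than guess.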
I'm fairly sure libvirtd will need more than this set of capabilities.
We tried to limit this in the C code a few months back, but gave up
because we ended up requiring about 2/3 of all capabilities, and once
you allow net_admin & sys_admin it's game over for security benefits.
You'll certainly have broken functionality without sys_nice, sys_chroot,
setuid, setpcap, mknod, dac_override, dac_read_search, fowner, chown.
Regards,
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
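An added example, not from the patch or from libvirt, that approaches the capability question from the defender's side: it parses `capability` rules out of a profile and AppArmor `capable` denials out of audit records, emits the rules needed to cover the observed denials, and flags already-granted capabilities that remove most of the confinement benefit (the net_admin/sys_admin point above). The profile body and audit lines are constructed samples; the field names follow AppArmor's audit format, but the pids and timestamps are made up.

```python
import re

# Capabilities that, once granted, largely defeat the point of confining the
# process (net_admin and sys_admin per the review, plus module loading and
# ptrace).  Flagged so a reviewer sees them at a glance.
BROAD_CAPS = {"sys_admin", "net_admin", "sys_module", "sys_ptrace"}

CAP_RULE = re.compile(r"^\s*capability\s+([a-z_]+)\s*,")
CAP_DENIAL = re.compile(r'apparmor="DENIED" operation="capable".*?'
                        r'profile="([^"]+)".*?capname="([a-z_]+)"')

# Constructed sample profile body, in AppArmor's rule syntax.
SAMPLE_PROFILE = """\
/usr/sbin/libvirtd {
  #include <abstractions/base>
  capability kill,
  capability net_admin,
  capability sys_admin,
  capability sys_module,
}
"""

# Constructed audit records in the shape of AppArmor "capable" denials.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1252400000.101:11): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd" pid=2211 comm="libvirtd" capability=23 capname="sys_nice"
type=AVC msg=audit(1252400000.102:12): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd" pid=2211 comm="libvirtd" capability=27 capname="mknod"
type=AVC msg=audit(1252400000.103:13): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd" pid=2211 comm="libvirtd" capability=23 capname="sys_nice"
type=AVC msg=audit(1252400000.104:14): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/dnsmasq" pid=2300 comm="dnsmasq" capability=12 capname="net_admin"
"""

def profile_caps(profile_text):
    """Capability names granted by 'capability <name>,' rules in a profile."""
    return {m.group(1) for m in map(CAP_RULE.match, profile_text.splitlines()) if m}

def denied_caps(audit_text, profile):
    """Capability names the kernel denied for the named profile only."""
    hits = (CAP_DENIAL.search(line) for line in audit_text.splitlines())
    return {m.group(2) for m in hits if m and m.group(1) == profile}

def review(profile_text, audit_text, profile="/usr/sbin/libvirtd"):
    """Rules to add for observed denials, plus broad caps already granted."""
    granted = profile_caps(profile_text)
    missing = denied_caps(audit_text, profile) - granted
    return {"missing_rules": [f"  capability {c}," for c in sorted(missing)],
            "broad_granted": sorted(granted & BROAD_CAPS)}

if __name__ == "__main__":
    for key, val in review(SAMPLE_PROFILE, SAMPLE_AUDIT).items():
        print(key, val)
```

Run against a real `/var/log/audit/audit.log` while exercising the daemon in complain mode; repeated denials collapse to one rule, and denials from other profiles are ignored.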