Re: [PATCH 1/3] Apparmor: Add profile for virtqemud

Hello, [I'm not subscribed to the libvirt list, please CC me in replies] Am Mittwoch, 16. Juni 2021, 05:41:02 CEST schrieb Jim Fehlig: > diff --git a/src/security/apparmor/libvirt-qemu > b/src/security/apparmor/libvirt-qemu index 85c9e61d6c..990bb0b2ba > 100644 > --- a/src/security/apparmor/libvirt-qemu > +++ b/src/security/apparmor/libvirt-qemu [...] You only need to add > + ptrace (readby, tracedby) peer=virtqemud, The following rule > + ptrace (readby, tracedby) peer=/usr/sbin/virtqemud, is superfluous and can be removed. Technical background: the reason why there are rules for libvirtd and /usr/sbin/libvirtd is backwards compability to the old /usr/sbin/libvirtd { profile before it became profile libvirtd /usr/sbin/libvirtd { You don't need that for a new profile that is profile virtqumud /usr/sbin/virtquemud { from the beginning.

This also applies to your 2/3 and 3/3 patches.

> signal (receive) peer=libvirtd, > signal (receive) peer=/usr/sbin/libvirtd, > + signal (receive) peer=virtqemud, > + signal (receive) peer=/usr/sbin/virtqemud, Same here - the rule with peer=/usr/sbin/virtquemud is superfluous. [...] > + unix (send, receive) type=stream addr=none peer=(label=virtqemud), > + unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/ virtqemud), And again ;-) [...] > diff --git a/src/security/apparmor/usr.sbin.virtqemud.in > b/src/security/apparmor/usr.sbin.virtqemud.in new file mode 100644 > index 0000000000..b986241c74 > --- /dev/null > +++ b/src/security/apparmor/usr.sbin.virtqemud.in > @@ -0,0 +1,135 @@ > +#include <tunables/global> > +@{LIBVIRT}="libvirt" > + > +profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) { > + #include <abstractions/base> > + #include <abstractions/dbus> > + > + capability kill, > + capability net_admin, > + capability net_raw, > + capability setgid, > + capability sys_admin, > + capability sys_module, > + capability sys_ptrace, > + capability sys_pacct, > + capability sys_nice, > + capability sys_chroot, > + capability setuid, > + capability dac_override, > + capability dac_read_search, > + capability fowner, > + capability chown, > + capability setpcap, > + capability mknod, > + capability fsetid, > + capability audit_write, > + capability ipc_lock, > + capability sys_rawio, > + capability bpf, > + capability perfmon, > + > + # Needed for vfio > + capability sys_resource, [...] Just wondering - do the new profiles (in all 3 patches) reallly need all the capabilities and the other broad rules?

(See my 0/3 reply how to find out ;-)