Re: [libvirt PATCH] apparmor: Allow running /usr/libexec/qemu-kvm

On Fri, Nov 04, 2022 at 02:56:51PM -0400, Andrea Bolognani wrote: > IIUC a specific profile (cri-containerd.apparmor.d) is used for > unprivileged containers such as virt-launcher, but a privileged one > such as virt-handler falls under the same profile as the host. > > This makes some amount of sense to me: unprivileged containers are > already limited in what they can do by the usual restrictions on user > processes. Privileged containers, on the other hand, are effectively > root processes, so it's advisable to be significantly more cautious > with them. I still consider that situation to be broken by design. If the privileged container is running a completely differnt software stack from the host OS, using the host OS apparmour profile to confined the container binary is never going to be a reliable setup. Either the privileged container has to run without confinement, or it needs to be confined using policy provided by the container (which is likely not viable anyway). > Note that this is just my current understanding of the situation, and > I'm far from an expert when it comes to containers in general and > their interactions with AppArmor in particular. I recommend taking a > look at > > https://github.com/kubevirt/kubevirt/pull/8692 > > and the issues linked therein, which will provide more context coming > from people who actually know what they're talking about :) I did read that and it didn't give me any more confidence that this setup is sensible.