From 6692398fca733e61a4b788d800594ef06de19631 Mon Sep 17 00:00:00 2001
From: Stefan Bader <stefan.bader@canonical.com>
Date: Mon, 13 Oct 2014 11:43:26 +0200
Subject: [PATCH 2/2] examples/apparmor: Update profiles with Ubuntu delta

Merge back the delta Ubuntu carries. Rules for features only available
in newer versions of apparmor are wrapped by the new version markers.

Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 examples/apparmor/Makefile.am                      | 15 ++++++++++-
 examples/apparmor/libvirt-lxc.in                   | 17 +++++++++++-
 examples/apparmor/libvirt-qemu.in                  | 31 +++++++++++++++++++++-
 examples/apparmor/local-usr.sbin.libvirtd.in       |  2 ++
 .../apparmor/usr.lib.libvirt.virt-aa-helper.in     | 25 ++++++++++++++---
 examples/apparmor/usr.sbin.libvirtd.in             | 19 ++++++++++++-
 6 files changed, 102 insertions(+), 7 deletions(-)
 create mode 100644 examples/apparmor/local-usr.sbin.libvirtd.in

diff --git a/examples/apparmor/Makefile.am b/examples/apparmor/Makefile.am
index 8d301da..d57e78e 100644
--- a/examples/apparmor/Makefile.am
+++ b/examples/apparmor/Makefile.am
@@ -22,6 +22,7 @@ EXTRA_DIST=				\
 	libvirt-qemu			\
 	libvirt-lxc 			\
 	usr.lib.libvirt.virt-aa-helper	\
+	local-usr.sbin.libvirtd		\
 	usr.sbin.libvirtd
 
 if WITH_APPARMOR_PROFILES
@@ -31,6 +32,15 @@ apparmor_DATA = \
 	usr.sbin.libvirtd \
 	$(NULL)
 
+localdir = $(apparmordir)/local
+local_DATA = \
+	local-usr.sbin.libvirtd \
+	$(NULL)
+
+install-data-hook:
+	mv $(DESTDIR)$(localdir)/local-usr.sbin.libvirtd \
+	   $(DESTDIR)$(localdir)/usr.sbin.libvirtd
+
 abstractionsdir = $(apparmordir)/abstractions
 abstractions_DATA = \
 	libvirt-qemu \
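Review bot: The `mv` in `install-data-hook` unconditionally overwrites `$(DESTDIR)$(localdir)/usr.sbin.libvirtd`, so a second `make install` clobbers whatever the site administrator has put into the very file the new `local/` mechanism exists to protect. Since automake installs `local_DATA` afresh every time, the hook should only rename when no local override exists yet and otherwise discard the staged copy. `make uninstall` is also left inconsistent: automake removes `local-usr.sbin.libvirtd` (which no longer exists) and leaves the renamed file behind, which may be acceptable for an admin-owned file but deserves a comment. The rule below is the guarded form; it keeps the hook's interface and the `$(DESTDIR)` handling unchanged.
```make
# Seed local/usr.sbin.libvirtd once; never clobber an admin-edited override.
install-data-hook:
	if test -e $(DESTDIR)$(localdir)/usr.sbin.libvirtd; then \
	  rm -f $(DESTDIR)$(localdir)/local-usr.sbin.libvirtd; \
	else \
	  mv $(DESTDIR)$(localdir)/local-usr.sbin.libvirtd \
	     $(DESTDIR)$(localdir)/usr.sbin.libvirtd; \
	fi
```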
@@ -55,7 +65,10 @@ usr.lib.libvirt.virt-aa-helper:	$(srcdir)/usr.lib.libvirt.virt-aa-helper.in \
 usr.sbin.libvirtd:	$(srcdir)/usr.sbin.libvirtd.in \
 			$(srcdir)/profile-preprocess ../../config.h
 	$(srcdir)/profile-preprocess $< >$@
+local-usr.sbin.libvirtd:	$(srcdir)/local-usr.sbin.libvirtd.in \
+				$(srcdir)/profile-preprocess ../../config.h
+	$(srcdir)/profile-preprocess $< >$@
 
 CLEANFILES += libvirt-lxc libvirt-qemu usr.lib.libvirt.virt-aa-helper
-CLEANFILES += usr.sbin.libvirtd
+CLEANFILES += usr.sbin.libvirtd local-usr.sbin.libvirtd
 endif WITH_APPARMOR_PROFILES
diff --git a/examples/apparmor/libvirt-lxc.in b/examples/apparmor/libvirt-lxc.in
index 4bfb503..ea226e9 100644
--- a/examples/apparmor/libvirt-lxc.in
+++ b/examples/apparmor/libvirt-lxc.in
@@ -1,12 +1,20 @@
-# Last Modified: Fri Feb  7 13:01:36 2014
+# Last Modified: Thu, 18 Sep 2014 13:56:49 +0200
 
   #include <abstractions/base>
 
   umount,
+@@ifge 2009
+  dbus,
+  signal,
+  ptrace,
+@end
 
   # ignore DENIED message on / remount
   deny mount options=(ro, remount) -> /,
 
+  # support use of cgmanager proxy
+  mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
+
   # allow tmpfs mounts everywhere
   mount fstype=tmpfs,
 
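Review bot: The conditional block opened with `@@ifge 2009` at L71 is closed with `@end` at L75, while the same construct in usr.sbin.libvirtd.in (L292-L297) is closed with `@@end`; profile-preprocess is not visible here, but it presumably recognises only one spelling, and an unrecognised closer would either leave a literal `@end` line for apparmor_parser to reject or swallow the rest of the abstraction into the conditional. Use a single spelling in both files; `@@end` matches the `@@ifge` opener. Separately, `ptrace,` with no peer qualifier is broader than the `ptrace (tracedby) peer=/usr/sbin/libvirtd,` form this patch uses in libvirt-qemu.in; if containers only need to trace their own processes, a `peer=` restriction would be worth considering once the marker is fixed.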
@@ -33,8 +41,15 @@
   mount fstype=fusectl -> /sys/fs/fuse/connections/,
   mount fstype=securityfs -> /sys/kernel/security/,
   mount fstype=debugfs -> /sys/kernel/debug/,
+  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
   mount fstype=proc -> /proc/,
   mount fstype=sysfs -> /sys/,
+
+  mount options=(rw nosuid nodev noexec remount) -> /sys/,
+  mount options=(rw remount) -> /sys/kernel/security/,
+  mount options=(rw remount) -> /sys/fs/pstore/,
+  mount options=(ro remount) -> /sys/fs/pstore/,
+
   deny /sys/firmware/efi/efivars/** rwklx,
   deny /sys/kernel/security/** rwklx,
 
diff --git a/examples/apparmor/libvirt-qemu.in b/examples/apparmor/libvirt-qemu.in
index c6de6dd..b69e64c 100644
--- a/examples/apparmor/libvirt-qemu.in
+++ b/examples/apparmor/libvirt-qemu.in
@@ -1,4 +1,4 @@
-# Last Modified: Wed Sep 3 21:52:03 2014
+# Last Modified: Thu, 18 Sep 2014 16:41:21 +0200
 
   #include <abstractions/base>
   #include <abstractions/consoles>
@@ -13,15 +13,22 @@
   capability setgid,
   capability setuid,
 
+  # this is needed with libcap-ng support, however it breaks a lot of things
+  # atm, so just silence the denial until libcap-ng works right. LP: #522845
+  deny capability setpcap,
+
   network inet stream,
   network inet6 stream,
 
   /dev/net/tun rw,
+  /dev/tap* rw,
   /dev/kvm rw,
   /dev/ptmx rw,
   /dev/kqemu rw,
   @{PROC}/*/status r,
   @{PROC}/sys/kernel/cap_last_cap r,
+  owner @{PROC}/*/auxv r,
+  @{PROC}/sys/vm/overcommit_memory r,
 
   # For hostdev access. The actual devices will be added dynamically
   /sys/bus/usb/devices/ r,
@@ -38,6 +45,9 @@
   /dev/snd/* rw,
   capability ipc_lock,
   # spice
+  /usr/bin/qemu-system-i386-spice rmix,
+  /usr/bin/qemu-system-x86_64-spice rmix,
+  /{dev,run}/shm/ r,
   owner /{dev,run}/shm/spice.* rw,
   # 'kill' is not required for sound and is a security risk. Do not enable
   # unless you absolutely need it.
@@ -73,6 +83,7 @@
   # the various binaries
   /usr/bin/kvm rmix,
   /usr/bin/qemu rmix,
+  /usr/bin/qemu-system-aarch64 rmix,
   /usr/bin/qemu-system-arm rmix,
   /usr/bin/qemu-system-cris rmix,
   /usr/bin/qemu-system-i386 rmix,
@@ -91,6 +102,7 @@
   /usr/bin/qemu-system-sparc rmix,
   /usr/bin/qemu-system-sparc64 rmix,
   /usr/bin/qemu-system-x86_64 rmix,
+  /usr/bin/qemu-system-x86_64-spice rmix,
   /usr/bin/qemu-alpha rmix,
   /usr/bin/qemu-arm rmix,
   /usr/bin/qemu-armeb rmix,
@@ -117,6 +129,16 @@
   /bin/dash rmix,
   /bin/dd rmix,
   /bin/cat rmix,
+  /etc/pki/CA/ r,
+  /etc/pki/CA/* r,
+  /etc/pki/libvirt/ r,
+  /etc/pki/libvirt/** r,
+
+  # for rbd
+  /etc/ceph/ceph.conf r,
+
+  # for access to hugepages
+  owner "/run/hugepages/kvm/libvirt/qemu/**" rw,
 
   # for usb access
   /dev/bus/usb/ r,
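Review bot: `/etc/pki/libvirt/** r,` at L168 also matches `/etc/pki/libvirt/private/`, which in libvirt's default TLS layout holds libvirtd's own server and client private keys; because this abstraction is included by every guest profile, each qemu process — and any guest that compromises its qemu — would be able to read them. As far as this hunk shows, qemu needs the CA and the libvirt certificates, not the daemon's private key, so the rule is broader than its purpose. I would add `deny /etc/pki/libvirt/private/** r,` next to it, with a comment such as `# libvirtd's own TLS keys are not for guests`, and confirm against the local layout that qemu's VNC/SPICE material really lives outside this directory.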
@@ -124,6 +146,13 @@
   /sys/bus/ r,
   /sys/class/ r,
 
+  signal (receive) peer=/usr/sbin/libvirtd,
+  ptrace (tracedby) peer=/usr/sbin/libvirtd,
+
+  # for ppc device-tree access
+  @{PROC}/device-tree/ r,
+  @{PROC}/device-tree/** r,
+
   /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
   # child profile for bridge helper process
   profile qemu_bridge_helper {
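Review bot: The `signal (receive) peer=/usr/sbin/libvirtd,` and `ptrace (tracedby) peer=/usr/sbin/libvirtd,` rules at L182-L183 are not wrapped in the `@@ifge 2009` … `@@end` markers this patch applies to the same rule types in libvirt-lxc.in and usr.sbin.libvirtd.in, although the commit message says newer-version rules are wrapped. On an apparmor_parser that predates signal and ptrace rules, every generated guest profile that includes this abstraction would fail to load rather than merely lose a rule. Wrap the two lines the same way as L292-L297. The `qemu_bridge_helper` child profile opened on the last line continues outside the hunk.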
diff --git a/examples/apparmor/local-usr.sbin.libvirtd.in b/examples/apparmor/local-usr.sbin.libvirtd.in
new file mode 100644
index 0000000..6e19f20
--- /dev/null
+++ b/examples/apparmor/local-usr.sbin.libvirtd.in
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.sbin.libvirtd.
+# For more details, please see /etc/apparmor.d/local/README.
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in b/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
index bceaaff..4df86b0 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -1,8 +1,9 @@
-# Last Modified: Mon Apr  5 15:10:27 2010
+# Last Modified: Thu, 18 Sep 2014 14:05:36 +0200
 #include <tunables/global>
 
 /usr/lib/libvirt/virt-aa-helper {
   #include <abstractions/base>
+  #include <abstractions/user-tmp>
 
   # needed for searching directories
   capability dac_override,
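Review bot: The new `#include <abstractions/user-tmp>` at L211 carries no explanation, whereas the other additions in this file say why they exist (`# for hostdev`, `# For backingstore`). That matters here because, as shipped by AppArmor, user-tmp grants owner write and lock access under /tmp and /var/tmp rather than read only (verify against the installed abstraction), and this helper runs with `dac_override`. A one-line comment above the include would settle the intent, e.g. `# user-tmp: probe disk images staged under /tmp and /var/tmp (note it also grants owner rw there)`.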
@@ -19,6 +20,12 @@
   # for hostdev
   /sys/devices/ r,
   /sys/devices/** r,
+  /sys/bus/usb/devices/ r,
+  /sys/bus/usb/devices/** r,
+  deny /dev/sd* r,
+  deny /dev/dm-* r,
+  deny /dev/mapper/ r,
+  deny /dev/mapper/* r,
 
   /usr/lib/libvirt/virt-aa-helper mr,
   /sbin/apparmor_parser Ux,
@@ -26,8 +33,11 @@
   /etc/apparmor.d/libvirt/* r,
   /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
 
-  # for backingstore -- allow access to non-hidden files in @{HOME} as well
-  # as storage pools
+  # For backingstore, virt-aa-helper needs to peek inside the disk image, so
+  # allow access to non-hidden files in @{HOME} as well as storage pools, and
+  # removable media and filesystems, and certain file extentions. A
+  # virt-aa-helper failure when checking a disk for backinsgstore is non-fatal
+  # (but obviously the backingstore won't be added).
   audit deny @{HOME}/.* mrwkl,
   audit deny @{HOME}/.*/ rw,
   audit deny @{HOME}/.*/** mrwkl,
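Review bot: The rewritten comment at L234-L238 has two typos that will end up in the installed profile: `extentions` should be `extensions` and `backinsgstore` should be `backingstore`. While editing it, "certain file extentions" would read better as "files with certain extensions (see the `/**.img`-style rules below)", since the rules it refers to follow rather than precede the comment.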
@@ -35,8 +45,17 @@
   audit deny @{HOME}/bin/** mrwkl,
   @{HOME}/ r,
   @{HOME}/** r,
+  @{HOME}/.Private/** mrwlk,
+  @{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk,
+
   /var/lib/libvirt/images/ r,
   /var/lib/libvirt/images/** r,
+  /var/lib/nova/images/** r,
+  /var/lib/nova/instances/_base/** r,
+  /var/lib/nova/instances/snapshots/** r,
+  /var/lib/eucalyptus/instances/**/disk* r,
+  /var/lib/eucalyptus/instances/**/loader* r,
+  /var/lib/uvtool/libvirt/images/** r,
   /{media,mnt,opt,srv}/** r,
 
   /**.img r,
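Review bot: `@{HOME}/.Private/** mrwlk,` at L246 is shadowed by the existing `audit deny @{HOME}/.*/** mrwkl,` at L241: AppArmor gives deny rules precedence over allow rules within a profile, so on a home directory where `~/.Private` is a real directory this line grants nothing and every access is still audited and denied; it only has an effect where `~/.Private` resolves through a symlink to `/home/.ecryptfs/`, which L247 already covers. Independently, both ecryptfs rules grant `m`, `w`, `l` and `k` while every other backing-store rule in this block is read-only, and nothing here shows virt-aa-helper writing to the encrypted store. Unless the ecryptfs probing genuinely needs locking, I would drop L246 and reduce L247 to `@{HOMEDIRS}/.ecryptfs/*/.Private/** r,`, or add a comment stating why write access is required.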
diff --git a/examples/apparmor/usr.sbin.libvirtd.in b/examples/apparmor/usr.sbin.libvirtd.in
index 3011eff..a489760 100644
--- a/examples/apparmor/usr.sbin.libvirtd.in
+++ b/examples/apparmor/usr.sbin.libvirtd.in
@@ -1,10 +1,12 @@
-# Last Modified: Mon Apr  5 15:03:58 2010
+# Last Modified: Tue, 23 Sep 2014 09:28:07 +0200
 #include <tunables/global>
 @{LIBVIRT}="libvirt"
 
 /usr/sbin/libvirtd {
   #include <abstractions/base>
   #include <abstractions/dbus>
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.libvirtd>
 
   capability kill,
   capability net_admin,
@@ -23,6 +25,7 @@
   capability setpcap,
   capability mknod,
   capability fsetid,
+  capability ipc_lock,
   capability audit_write,
 
   # Needed for vfio
@@ -33,6 +36,14 @@
   network inet6 stream,
   network inet6 dgram,
   network packet dgram,
+  network netlink,
+
+@@ifge 2009
+  dbus bus=system,
+  signal,
+  ptrace,
+  unix,
+@@end
 
   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
@@ -45,6 +56,12 @@
   /usr/sbin/* PUx,
   /lib/udev/scsi_id PUx,
   /usr/lib/xen-common/bin/xen-toolstack PUx,
+  /usr/lib/xen-*/bin/pygrub PUx,
+  /usr/lib/xen-*/bin/libxl-save-helper PUx,
+
+  # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
+  # write and run an ebtables script.
+  /var/lib/libvirt/virtd* ixr,
 
   # force the use of virt-aa-helper
   audit deny /sbin/apparmor_parser rwxl,
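Review bot: `/usr/lib/xen-*/bin/pygrub PUx,` at L305 runs pygrub unconfined whenever no profile for it is loaded (the `U` fallback), yet pygrub's job is to parse the guest's disk image — filesystem metadata and a grub configuration that the guest controls — as root, so a parsing bug becomes an unconfined root process on the host; `libxl-save-helper` at L306 similarly consumes guest-derived save state. The existing "Very lenient profile" remark covers libvirtd itself but not helpers that parse untrusted input. Since this patch ships no pygrub profile, at minimum add a comment above L305 such as `# pygrub/libxl-save-helper parse guest-controlled data; PUx drops to unconfined unless a profile for them is installed`, and consider shipping a confining profile for pygrub.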
-- 
1.9.1

