On Thu, 2017-10-26 at 10:22 +0000, intrigeri+libvirt(a)boum.org wrote:
From: intrigeri <intrigeri+libvirt(a)boum.org>
---
examples/apparmor/libvirt-qemu | 2 ++
examples/apparmor/usr.sbin.libvirtd | 6 ++++++
2 files changed, 8 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index b341e31f42..5994a35042 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -16,6 +16,8 @@
network inet stream,
network inet6 stream,
+ signal (receive) set=("term") peer=/usr/sbin/libvirtd,
I suggest this rule instead:
signal (receive) peer=/usr/sbin/libvirtd,
i.e., let libvirtd send any signals it wants to its VMs.
/dev/net/tun rw,
/dev/kvm rw,
/dev/ptmx rw,
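Review bot: the `set=("term")` on this receive rule denies every other signal from libvirtd on the guest side, so it only works for as long as the send rule in usr.sbin.libvirtd is restricted to exactly the same set; AppArmor checks a signal against both the sender's and the receiver's profile, and libvirtd escalates to SIGKILL when a guest does not exit on SIGTERM, which this rule would refuse. Dropping `set=` here and on the matching send rule keeps the two profiles from drifting apart, and a one-line comment on why the rule exists would match the style of the rest of the file.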
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 819068ffc3..eb24726e08 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -30,10 +30,13 @@
# Needed for vfio
capability sys_resource,
+ mount,
+
This is interesting since the Ubuntu profile is missing mount rules.
What specific denials/libvirt actions prompted this rule?
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
+ network netlink raw,
This is fine.
network packet dgram,
network packet raw,
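Review bot: the bare `mount,` rule permits mounting any source on any destination with any fstype and options, which is much broader than the rest of this profile (the capabilities just above are scoped and carry a comment, `# Needed for vfio`). Once the denials behind it are known, narrow it with AppArmor's mount qualifiers, for example `mount options=(rw,bind) -> /PLACEHOLDER/path/**,` (path to be taken from the actual denial), and add a comment naming the libvirt operation that needs it. The patch also has no commit message body, so the reason for the new rules should be recorded there as well. `network netlink raw,` is in keeping with the existing `network` rules.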
@@ -42,6 +45,9 @@
ptrace (trace) peer=/usr/sbin/dnsmasq,
ptrace (trace) peer=libvirt-*,
+ signal (send) set=("hup") peer=/usr/sbin/dnsmasq,
I suspect you are missing 'term' to support net-destroy. I suggest this instead:
signal (send) peer=/usr/sbin/dnsmasq,
I.e., let libvirtd send any signals to fully manage its dnsmasq.
+ signal (send) set=("term") peer=libvirt-*,
I suggest this instead:
signal (send) peer=libvirt-*,
I.e., let libvirtd send any signals to its VMs.
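Review bot: the `signal (send) ... peer=/usr/sbin/dnsmasq` rule only covers libvirtd's side of the check; AppArmor evaluates a signal against both profiles, and the dnsmasq profile is not part of this series (the diffstat lists only the two files above), so the HUP is still denied unless the dnsmasq profile on the target system carries a matching `signal (receive) peer=/usr/sbin/libvirtd,`. Stating which dnsmasq profile this was tested against would help. For the `peer=libvirt-*` send rule, the signal set must stay identical to the receive rule in libvirt-qemu, since a signal allowed on one side but not the other is denied.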
I think you are missing this in libvirt-qemu:
ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
and this in usr.sbin.libvirtd:
ptrace (read, trace) peer=libvirt-*,
--
Jamie Strandboge | http://www.canonical.com