Re: [libvirt] [PATCH] AppArmor: add rules needed with additional mediation features brought by Linux 4.14.
On Thu, 2017-10-26 at 10:22 +0000, intrigeri+libvirt(a)boum.org wrote:
From: intrigeri <intrigeri+libvirt(a)boum.org>
---
examples/apparmor/libvirt-qemu | 2 ++
examples/apparmor/usr.sbin.libvirtd | 6 ++++++
2 files changed, 8 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu
b/examples/apparmor/libvirt-qemu
index b341e31f42..5994a35042 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -16,6 +16,8 @@
network inet stream,
network inet6 stream,
+ signal (receive) set=("term") peer=/usr/sbin/libvirtd,
I suggest this rule instead:
signal (receive) peer=/usr/sbin/libvirtd,
ie, let libvirtd send any signals it wants to its VMs.
/dev/net/tun rw,
/dev/kvm rw,
/dev/ptmx rw,
diff --git a/examples/apparmor/usr.sbin.libvirtd
b/examples/apparmor/usr.sbin.libvirtd
index 819068ffc3..eb24726e08 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -30,10 +30,13 @@
# Needed for vfio
capability sys_resource,
+ mount,
+
This is interesting since the Ubuntu profile is missing mount rules.
What specific denials/libvirt actions prompted this rule?
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
+ network netlink raw,
This is fine.
network packet dgram,
network packet raw,
@@ -42,6 +45,9 @@
ptrace (trace) peer=/usr/sbin/dnsmasq,
ptrace (trace) peer=libvirt-*,
+ signal (send) set=("hup") peer=/usr/sbin/dnsmasq,
I suspect you are missing 'term' to support net-destroy. I suggest this
instead:
signal (send) peer=/usr/sbin/dnsmasq,
Ie, let libvirtd send any signals to fully manage its dnsmasq.
+ signal (send) set=("term") peer=libvirt-*,
I suggest this instead:
signal (send) peer=libvirt-*,
Ie, let libvirtd send any signals to its VMs.
I think you are missing this in libvirt-qemu:
ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
and this in usr.sbin.libvirtd:
ptrace (read, trace) peer=libvirt-*,
--
Jamie Strandboge | http://www.canonical.com
Attachments:
- signature.asc (application/pgp-signature — 801 bytes)