On Mon, 2012-03-12 at 09:13 -0400, Corey Bryant wrote:
> This patch provides AppArmor policy updates for the QEMU bridge
> helper.
>
> The QEMU bridge helper is a SUID executable exec'd by QEMU that drops
> capabilities to CAP_NET_ADMIN and adds a tap device to a network
> bridge. For more details on the helper, please refer to:
> http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg03562.html
>
> Signed-off-by: Corey Bryant <coreyb(a)linux.vnet.ibm.com>
I've not used the helper personally, but the policy makes sense overall
though. I do have a few questions:
+ capability setuid,
+ capability setgid,
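Review bot: `capability setuid` and `capability setgid` are added without a comment saying which step of the helper uses them. The description says the helper is SUID and drops capabilities to CAP_NET_ADMIN; if these two rules exist only for that privilege drop, say so in a policy comment so they can be re-checked when the helper changes.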
I'm assuming these are needed because qemu-bridge-helper drops
privileges?
+ capability setpcap,
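Review bot: `capability setpcap` needs a justification next to the rule. Lowering a process's own effective and permitted sets with capset() does not require CAP_SETPCAP, while removing capabilities from the bounding set does. A comment stating which of these the helper performs would show whether the rule is required or can be dropped.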
Can you explain why this capability is needed by qemu-bridge-helper?
+ network inet stream,
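Review bot: `network inet stream` permits IPv4 stream sockets, yet nothing in the description involves network traffic from the helper. If the socket is only a handle for configuring the bridge, note that in a comment beside the rule so it is not read as permission to communicate over the network.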
I understood why net_admin was needed, but this one is less clear. Why
does qemu-bridge-helper need this?
+ /etc/qemu/** r,
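Review bot: `/etc/qemu/** r,` grants read access to every file at any depth under /etc/qemu. If the helper reads only particular configuration files there, list those paths instead of the `**` glob so that unrelated files placed in the directory later are not readable from this profile.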
I'm not familiar with this directory. What does qemu-bridge-helper need
from this directory?
+ @{PROC}/*/status r,
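Review bot: the `*` in `@{PROC}/*/status r,` matches the status file of every process, not only the helper's own. If the helper reads only its own status, restrict the rule accordingly; because the helper is SUID, check which uid is in effect at the time of the read before relying on an `owner` match.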
Is it possible to use this instead:
owner @{PROC}/*/status r,
Thanks!
--
Jamie Strandboge | http://www.canonical.com