Re: [libvirt] [PATCH 1/2] AppArmor: add rules needed with additional mediation features brought by Linux 4.14.
On Sun, 2017-11-05 at 15:29 +0000, intrigeri+libvirt(a)boum.org wrote:
From: intrigeri <intrigeri+libvirt(a)boum.org>
---
examples/apparmor/libvirt-qemu | 4 ++++
examples/apparmor/usr.sbin.libvirtd | 6 ++++++
2 files changed, 10 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu
b/examples/apparmor/libvirt-qemu
index 97dd2d45a9..9d487bf92f 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -16,6 +16,10 @@
network inet stream,
network inet6 stream,
+ ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
+
+ signal (receive) peer=/usr/sbin/libvirtd,
+
These LGTM
/dev/net/tun rw,
/dev/kvm rw,
/dev/ptmx rw,
diff --git a/examples/apparmor/usr.sbin.libvirtd
b/examples/apparmor/usr.sbin.libvirtd
index 819068ffc3..d2831aa491 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -30,10 +30,13 @@
# Needed for vfio
capability sys_resource,
+ mount,
+
Yuck, but fixed in 2/2. Better might've been to skip this rule and add
all the mount rules in 2/2.
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
+ network netlink raw,
Looks fine. Almost certainly needed for udev.
network packet dgram,
network packet raw,
@@ -42,6 +45,9 @@
ptrace (trace) peer=/usr/sbin/dnsmasq,
ptrace (trace) peer=libvirt-*,
+ signal (send) peer=/usr/sbin/dnsmasq,
+ signal (read, send) peer=libvirt-*,
+
LGTM, thanks!
--
Jamie Strandboge | http://www.canonical.com
Attachments:
- signature.asc (application/pgp-signature — 801 bytes)