Re: [libvirt] [PATCH 1/2] AppArmor: add rules needed with additional mediation features brought by Linux 4.14.

9 Nov 2017

On 11/05/2017 08:29 AM, intrigeri+libvirt@boum.org wrote:
...
From: intrigeri <intrigeri+libvirt@boum.org>
---
  examples/apparmor/libvirt-qemu      | 4 ++++
  examples/apparmor/usr.sbin.libvirtd | 6 ++++++
  2 files changed, 10 insertions(+)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 97dd2d45a9..9d487bf92f 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -16,6 +16,10 @@
    network inet stream,
    network inet6 stream,
+  ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
+
+  signal (receive) peer=/usr/sbin/libvirtd,
+
    /dev/net/tun rw,
    /dev/kvm rw,
    /dev/ptmx rw,
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 819068ffc3..d2831aa491 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -30,10 +30,13 @@
    # Needed for vfio
    capability sys_resource,
+  mount,
+
I suppose this isn't needed here since it is removed in 2/2?

Regards,
Jim
...
network inet stream,
    network inet dgram,
    network inet6 stream,
    network inet6 dgram,
+  network netlink raw,
    network packet dgram,
    network packet raw,
@@ -42,6 +45,9 @@
    ptrace (trace) peer=/usr/sbin/dnsmasq,
    ptrace (trace) peer=libvirt-*,
+  signal (send) peer=/usr/sbin/dnsmasq,
+  signal (read, send) peer=libvirt-*,
+
    # Very lenient profile for libvirtd since we want to first focus on confining
    # the guests. Guests will have a very restricted profile.
    / r,


    

Re: [libvirt] [PATCH 1/2] AppArmor: add rules needed with additional mediation features brought by Linux 4.14.

Jim Fehlig