Re: [libvirt] [PATCH 1/2] AppArmor: add rules needed with additional mediation features brought by Linux 4.14.

Thursday, 9 November 2017

On 11/05/2017 08:29 AM, intrigeri+libvirt(a)boum.org wrote:
...
 From: intrigeri <intrigeri+libvirt(a)boum.org&gt;

 ---
   examples/apparmor/libvirt-qemu      | 4 ++++
   examples/apparmor/usr.sbin.libvirtd | 6 ++++++
   2 files changed, 10 insertions(+)

 diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
 index 97dd2d45a9..9d487bf92f 100644
 --- a/examples/apparmor/libvirt-qemu
 +++ b/examples/apparmor/libvirt-qemu
 @@ -16,6 +16,10 @@
     network inet stream,
     network inet6 stream,

 +  ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
 +
 +  signal (receive) peer=/usr/sbin/libvirtd,
 +
     /dev/net/tun rw,
     /dev/kvm rw,
     /dev/ptmx rw,
 diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
 index 819068ffc3..d2831aa491 100644
 --- a/examples/apparmor/usr.sbin.libvirtd
 +++ b/examples/apparmor/usr.sbin.libvirtd
 @@ -30,10 +30,13 @@
     # Needed for vfio
     capability sys_resource,

 +  mount,
 + 
I suppose this isn't needed here since it is removed in 2/2?

Regards,
Jim

...
     network inet stream,
     network inet dgram,
     network inet6 stream,
     network inet6 dgram,
 +  network netlink raw,
     network packet dgram,
     network packet raw,

 @@ -42,6 +45,9 @@
     ptrace (trace) peer=/usr/sbin/dnsmasq,
     ptrace (trace) peer=libvirt-*,

 +  signal (send) peer=/usr/sbin/dnsmasq,
 +  signal (read, send) peer=libvirt-*,
 +
     # Very lenient profile for libvirtd since we want to first focus on confining
     # the guests. Guests will have a very restricted profile.
     / r,

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Re: [libvirt] [PATCH 1/2] AppArmor: add rules needed with additional mediation features brought by Linux 4.14.