This is a continuation of
https://www.redhat.com/archives/libvir-list/2020-August/msg00804.html
https://www.redhat.com/archives/libvir-list/2020-August/msg00922.html
It still has too many weak points left, but should be great as an RFC
already. virtiofsd works for me using that profile, but we need to:
- agree on common paths to expect for virtiofsd
- get the post pivot_root rules under control
---
virtiofsd runs as root and is reachable from the guest, to limit
the exploit potential this adds a apparmor subprofile to virtiofsd
as spawned by libvirt to limit it.
Known TODOs:
- rules after pivot_root need not to allow everything
- settle on common paths with the community
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
src/security/apparmor/libvirt-qemu | 3 ++
src/security/apparmor/usr.sbin.libvirtd.in | 46 ++++++++++++++++++++++
2 files changed, 49 insertions(+)
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index a03e9e2c94..668fc72f27 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -221,6 +221,9 @@
unix (send, receive) type=stream addr=none peer=(label=libvirtd),
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
+ # allow to connect to virtiofsd
+ unix (send, receive) type=stream addr=none peer=(label=libvirtd//virtiofsd),
+
# for gathering information about available host resources
/sys/devices/system/cpu/ r,
/sys/devices/system/node/ r,
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in
b/src/security/apparmor/usr.sbin.libvirtd.in
index 4518e8f865..f878398b4b 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -133,4 +133,50 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
}
+
+ # child profile for virtiofsd helper process
+ /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd Cx -> virtiofsd,
+ profile virtiofsd flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/libvirt-qemu>
+
+ capability sys_admin,
+ capability sys_resource,
+
+ # init phase
+ / r,
+ mount options=(rw, rslave) -> /,
+ umount /,
+ mount options=(rw, nosuid, nodev, noexec, relatime) -> @{PROC},
+ owner /proc/sys/fs/file-max r,
+
+ # For communication/control from libvirtd
+ unix (send, receive) type=stream addr=none peer=(label=libvirtd),
+ signal (receive) set=("term") peer=/usr/sbin/libvirtd,
+ signal (receive) set=("term") peer=libvirtd,
+ owner /var/lib/libvirt/qemu/domain-*/fs[0-9]{[0-9],}-fs.pid w,
+ /var/lib/libvirt/qemu/domain-*/fs[0-9]{[0-9],}-fs.sock rw,
+ /var/lib/libvirt/qemu/ram/*/ram-node[0-9]{[0-9],} rw,
+
+ # For communication with confined and unconfined guests
+ unix (send, receive) type=stream addr=none
peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
+ unix (send, receive) type=stream addr=none peer=(label=unconfined),
+
+ /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd rmix,
+
+ # Common host paths to share from are allowed by default
+ # Further paths should be added as local override
+ # TODO - community to settle on a list of common paths to allow
+ owner /var/lib/libvirt/virtiofsd/*/ r,
+ mount options=(rw, bind) -> /var/lib/libvirt/virtiofsd/*/,
+ pivot_root /var/lib/libvirt/virtiofsd/*/,
+
+ # TODO - after pivot_root the rules for the actual file access by the guest
+ # through virtiofsd would need to start with / which is too open
+ /** rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.qemu.virtiofsd>
+ }
+
}
--
2.28.0