Re: AppArmor confinement for qemu:///session VMs
On 2/5/25 10:22, Andrea Bolognani wrote:
An issue was recently reported[1] with running unprivileged VMs
configured to use passt on Debian with AppArmor confinement enabled.
A long thread that's hard to read 'flat' or 'nested' via the
referenced link
:-). But yes, SUSE and openSUSE distros would be similarly affected if
confinement of VMs is enabled.
FYI, future SUSE and openSUSE distros will default to using selinux. E.g. here's
a somewhat recent update on the progress in Tumbleweed
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/threa...
After looking into the situation, I am convinced that AppArmor
confinement never really worked for unprivileged VMs. The whole
mechanism is built around the concept of per-VM profiles that are
dynamically generated and registered, but doing so requires write
access to /etc/apparmor.d/ and in general permissions that
unprivileged libvirt will by design not have.
Likely it has never worked. I suspect the session daemon wasn't considered when
per-VM confinement was developed.
Of course it's unfortunate that unprivileged VMs would be forced to
miss out on the potential benefits of AppArmor isolation, and even
more unfortunate that passt won't work out of the box for
unprivileged VMs, since those are the ones where it makes the most
sense to use passt in the first place.
Stefano suggested introducing a generic "libvirt-user" profile that
would be attached to unprivileged VMs and would be more liberal than
the one used for privileged VMs, since we wouldn't be able to tailor
it to the specifics of the VM, but would at least prevent the worst
of the abuse; specifically, it would only allow R/W access to files
in the current user's home directory.
Does that sound like a reasonable direction? Any other ideas?
Sounds good to me. But like you, my apparmor knowledge is limited to bits and
pieces gained through helping maintain the libvirt integration.
Regards,
Jim