Re: [libvirt] [PATCH v2] apparmor: QEMU bridge helper policy updates
On Tue, 2012-03-13 at 08:42 -0400, Corey Bryant wrote:
This patch provides AppArmor policy updates for the QEMU bridge
helper.
The QEMU bridge helper is a SUID executable exec'd by QEMU that drops
capabilities to CAP_NET_ADMIN and adds a tap device to a network
bridge. For more details on the helper, please refer to:
http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg03562.html
Signed-off-by: Corey Bryant <coreyb(a)linux.vnet.ibm.com>
---
examples/apparmor/libvirt-qemu | 22 +++++++++++++++++++++-
1 files changed, 21 insertions(+), 1 deletions(-)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 10cdd36..c5a11b6 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -1,4 +1,4 @@
-# Last Modified: Mon Apr 5 15:11:27 2010
+# Last Modified: Fri Mar 9 14:43:22 2012
#include <abstractions/base>
#include <abstractions/consoles>
@@ -108,3 +108,23 @@
/bin/dash rmix,
/bin/dd rmix,
/bin/cat rmix,
+
+ /usr/libexec/qemu-bridge-helper Cx,
+
+ # child profile for bridge helper process
+ profile /usr/libexec/qemu-bridge-helper {
+ #include <abstractions/base>
+
+ capability setuid,
+ capability setgid,
+ capability setpcap,
+ capability net_admin,
+
+ network inet stream,
+
+ /dev/net/tun rw,
+ /etc/qemu/** r,
+ owner @{PROC}/*/status r,
+
+ /usr/libexec/qemu-bridge-helper rmix,
+ }
The policy looks good to me. Thanks! It might make more sense to have
this committed when libvirt has qemu-bridge-helper, but others can
decide on that.
Acked-By: Jamie Strandboge <jamie(a)canonical.com>
--
Jamie Strandboge | http://www.canonical.com
Attachments:
- signature.asc (application/pgp-signature — 836 bytes)