[libvirt] [PATCH 0/2] apparmor: support named profiles

Upstream apparmor is switching to named profiles. Many profiles have already made the switch. Patch 1 changes the libvirtd profile to account for dnsmasq's switch to a named profile. Patch 2 is optional and changes the libvirtd profile to a named profile. It will need a bit of coordination with upstream apparmor since the dnsmasq profile currently has 'peer=/usr/sbin/libvirtd'.

Jim Fehlig (2):
  apparmor: Add support for named profiles
  apparmor: convert libvirtd profile to a named profile

 src/security/apparmor/usr.sbin.libvirtd | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

-- 
2.19.2
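The practical question behind this series is which label a peer= rule in the libvirtd profile has to name for a given binary, since that label is the path for an old-style header and the profile name for a named one. The following check is an added example, not part of Jim's series or of libvirt: it reads the two header forms from AppArmor profile source text; the sample profile files are constructed for the example and `peer_label` is a hypothetical helper name.

```shell
#!/bin/sh
# Print the label a peer= rule must use for the profile that attaches to a
# binary, by reading the profile header from AppArmor profile source:
#   "/usr/sbin/dnsmasq {"                  -> label is the path itself
#   "profile dnsmasq /usr/sbin/dnsmasq {"  -> label is the name "dnsmasq"
# Usage: peer_label PROFILE_FILE BINARY_PATH   (exit 1 if no header matches)
peer_label() {
    awk -v bin="$2" '
        /^[[:space:]]*#/ { next }                    # skip #include and comments
        $1 == "profile" && $3 == bin && $NF == "{" { print $2; found = 1; exit }
        $1 == bin && $NF == "{"                    { print $1; found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample profiles (hypothetical, not the real upstream files).
old_dnsmasq=$(mktemp); new_dnsmasq=$(mktemp); libvirtd=$(mktemp)
cat >"$old_dnsmasq" <<'EOF'
#include <tunables/global>
/usr/sbin/dnsmasq {
  #include <abstractions/base>
}
EOF
cat >"$new_dnsmasq" <<'EOF'
#include <tunables/global>
profile dnsmasq /usr/sbin/dnsmasq {
  #include <abstractions/base>
}
EOF
cat >"$libvirtd" <<'EOF'
#include <tunables/global>
profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
  #include <abstractions/base>
}
EOF

# Compare what a peer= rule would need against what each profile declares.
peer_label "$old_dnsmasq" /usr/sbin/dnsmasq   # /usr/sbin/dnsmasq
peer_label "$new_dnsmasq" /usr/sbin/dnsmasq   # dnsmasq
peer_label "$libvirtd" /usr/sbin/libvirtd     # libvirtd
```

On a real host, point it at the files under /etc/apparmor.d to see whether the installed dnsmasq profile is one that `peer=dnsmasq` or `peer=/usr/sbin/dnsmasq` will match.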

Upstream apparmor is switching to named profiles. In short,

/usr/sbin/dnsmasq {

becomes

profile dnsmasq /usr/sbin/dnsmasq {

Consequently, any profiles that reference profiles in a peer= condition need to be updated if the referenced profile switches to a named profile. Apparmor commit 9ab45d81 switched dnsmasq to a named profile. ATM it is the only named profile switch that has affected libvirt. Add rules to the libvirtd profile to reference dnsmasq in peer= conditions by profile name.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
 src/security/apparmor/usr.sbin.libvirtd | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd index f0ffc53008..0db52c524c 100644 --- a/src/security/apparmor/usr.sbin.libvirtd +++ b/src/security/apparmor/usr.sbin.libvirtd @@ -52,9 +52,11 @@ ptrace (read,trace) peer=unconfined, ptrace (read,trace) peer=/usr/sbin/libvirtd, + ptrace (read,trace) peer=dnsmasq, ptrace (read,trace) peer=/usr/sbin/dnsmasq, ptrace (read,trace) peer=libvirt-*, + signal (send) peer=dnsmasq, signal (send) peer=/usr/sbin/dnsmasq, signal (read, send) peer=libvirt-*, signal (send) set=("kill", "term") peer=unconfined, -- 2.19.2
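Review bot: in the @@ -52,9 +52,11 @@ hunk the new `ptrace (read,trace) peer=dnsmasq,` and `signal (send) peer=dnsmasq,` rules are added beside the existing `peer=/usr/sbin/dnsmasq` ones rather than replacing them, which is right while both path-named and named dnsmasq profiles are in circulation, but neither the hunk nor the commit message says the path-based rules are transitional. A one-line comment above each pair (for example that `peer=/usr/sbin/dnsmasq` stays until every supported apparmor carries commit 9ab45d81) would keep a later cleanup from dropping the wrong rule.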

On Mon, 14 Jan 2019, Jim Fehlig wrote:
Upstream apparmor is switching to named profiles. In short,
/usr/sbin/dnsmasq {
becomes
profile dnsmasq /usr/sbin/dnsmasq {
Consequently, any profiles that reference profiles in a peer= condition need to be updated if the referenced profile switches to a named profile. Apparmor commit 9ab45d81 switched dnsmasq to a named profile. ATM it is the only named profile switch that has affected libvirt. Add rules to the libvirtd profile to reference dnsmasq in peer= conditions by profile name.
Signed-off-by: Jim Fehlig <jfehlig@suse.com> --- src/security/apparmor/usr.sbin.libvirtd | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd index f0ffc53008..0db52c524c 100644 --- a/src/security/apparmor/usr.sbin.libvirtd +++ b/src/security/apparmor/usr.sbin.libvirtd @@ -52,9 +52,11 @@
ptrace (read,trace) peer=unconfined, ptrace (read,trace) peer=/usr/sbin/libvirtd, + ptrace (read,trace) peer=dnsmasq, ptrace (read,trace) peer=/usr/sbin/dnsmasq, ptrace (read,trace) peer=libvirt-*,
+ signal (send) peer=dnsmasq, signal (send) peer=/usr/sbin/dnsmasq, signal (read, send) peer=libvirt-*, signal (send) set=("kill", "term") peer=unconfined,
This LGTM.

-- 
Jamie Strandboge | http://www.canonical.com

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
Optional patch that may need a bit of coordination with upstream apparmor since the dnsmasq profile currently has 'peer=/usr/sbin/libvirtd'.

 src/security/apparmor/usr.sbin.libvirtd | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd index 0db52c524c..29f9936ad9 100644 --- a/src/security/apparmor/usr.sbin.libvirtd +++ b/src/security/apparmor/usr.sbin.libvirtd @@ -2,7 +2,7 @@ #include <tunables/global> @{LIBVIRT}="libvirt" -/usr/sbin/libvirtd flags=(attach_disconnected) { +profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { #include <abstractions/base> #include <abstractions/dbus> @@ -51,7 +51,7 @@ unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none), ptrace (read,trace) peer=unconfined, - ptrace (read,trace) peer=/usr/sbin/libvirtd, + ptrace (read,trace) peer=@{profile_name}, ptrace (read,trace) peer=dnsmasq, ptrace (read,trace) peer=/usr/sbin/dnsmasq, ptrace (read,trace) peer=libvirt-*, @@ -123,6 +123,7 @@ # For communication/control from libvirtd unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), signal (receive) set=("term") peer=/usr/sbin/libvirtd, + signal (receive) set=("term") peer=libvirtd, /dev/net/tun rw, /etc/qemu/** r, -- 2.19.2
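Review bot: in the @@ -2,7 +2,7 @@ hunk, changing the header to `+profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {` changes the label of running libvirtd processes from `/usr/sbin/libvirtd` to `libvirtd`, so the dnsmasq profile's `peer=/usr/sbin/libvirtd` rule that the message mentions stops matching as soon as this profile is loaded, and whatever that rule grants dnsmasq towards libvirtd is lost until apparmor ships a `peer=libvirtd` counterpart. The commit message should state that ordering explicitly (apparmor gains the name-based rule first, then this patch lands) rather than only saying coordination is needed, so that packagers do not pick the patch up early.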
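Review bot: in the @@ -123,6 +123,7 @@ hunk, the added `+ signal (receive) set=("term") peer=libvirtd,` gives the signal rule a name-based twin, but the context line two above it, `unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),`, keeps only the path label; once the parent profile is named, libvirtd's unix stream connections into the guest profile carry label `libvirtd` and that rule no longer matches. Add `unix (send, receive) type=stream addr=none peer=(label=libvirtd),` beside it, in the same keep-both style used for the signal rule.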

On Mon, 14 Jan 2019, Jim Fehlig wrote:
Signed-off-by: Jim Fehlig <jfehlig@suse.com> ---
Optional patch that may need a bit of coordination with upstream apparmor since the dnsmasq profile currently has 'peer=/usr/sbin/libvirtd'.
src/security/apparmor/usr.sbin.libvirtd | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd index 0db52c524c..29f9936ad9 100644 --- a/src/security/apparmor/usr.sbin.libvirtd +++ b/src/security/apparmor/usr.sbin.libvirtd @@ -2,7 +2,7 @@ #include <tunables/global> @{LIBVIRT}="libvirt"
-/usr/sbin/libvirtd flags=(attach_disconnected) { +profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { #include <abstractions/base> #include <abstractions/dbus>
@@ -51,7 +51,7 @@ unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
ptrace (read,trace) peer=unconfined, - ptrace (read,trace) peer=/usr/sbin/libvirtd, + ptrace (read,trace) peer=@{profile_name}, ptrace (read,trace) peer=dnsmasq, ptrace (read,trace) peer=/usr/sbin/dnsmasq, ptrace (read,trace) peer=libvirt-*, @@ -123,6 +123,7 @@ # For communication/control from libvirtd unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), signal (receive) set=("term") peer=/usr/sbin/libvirtd, + signal (receive) set=("term") peer=libvirtd,
/dev/net/tun rw, /etc/qemu/** r,
This also LGTM. It'd be nice if there was a mechanism to specify the parent profile like we can the current profile, but we can't now and this is fine.

-- 
Jamie Strandboge | http://www.canonical.com

On 1/22/19 1:01 PM, Jamie Strandboge wrote:
On Mon, 14 Jan 2019, Jim Fehlig wrote:
Signed-off-by: Jim Fehlig <jfehlig@suse.com> ---
Optional patch that may need a bit of coordination with upstream apparmor since the dnsmasq profile currently has 'peer=/usr/sbin/libvirtd'.
src/security/apparmor/usr.sbin.libvirtd | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd index 0db52c524c..29f9936ad9 100644 --- a/src/security/apparmor/usr.sbin.libvirtd +++ b/src/security/apparmor/usr.sbin.libvirtd @@ -2,7 +2,7 @@ #include <tunables/global> @{LIBVIRT}="libvirt"
-/usr/sbin/libvirtd flags=(attach_disconnected) { +profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { #include <abstractions/base> #include <abstractions/dbus>
@@ -51,7 +51,7 @@ unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
ptrace (read,trace) peer=unconfined, - ptrace (read,trace) peer=/usr/sbin/libvirtd, + ptrace (read,trace) peer=@{profile_name}, ptrace (read,trace) peer=dnsmasq, ptrace (read,trace) peer=/usr/sbin/dnsmasq, ptrace (read,trace) peer=libvirt-*, @@ -123,6 +123,7 @@ # For communication/control from libvirtd unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), signal (receive) set=("term") peer=/usr/sbin/libvirtd, + signal (receive) set=("term") peer=libvirtd,
/dev/net/tun rw, /etc/qemu/** r,
This also LGTM. It'd be nice if there was a mechanism to specify the parent profile like we can the current profile, but we can't now and this is fine.
Thanks for reviewing these patches! I've pushed them now.

Regards,
Jim