[PATCH v3 0/3] Couple of apparmor fixes

v3 of: https://www.redhat.com/archives/libvir-list/2020-January/msg01321.html diff to v2: - Instead of hard coding libexec path, generate it according to configure arguments *** BLURB HERE *** Michal Prívozník (3): apparmor: Reflect paths from configure in profiles apparmor: Allow libvirt to spawn virt-aa-helper and libvirt_lxc docs: Fix virt-aa-helper location docs/drvqemu.html.in | 3 +- src/security/Makefile.inc.am | 29 +++++++++++++++---- ...lper => usr.lib.libvirt.virt-aa-helper.in} | 10 +++---- ...usr.sbin.libvirtd => usr.sbin.libvirtd.in} | 14 +++++---- 4 files changed, 39 insertions(+), 17 deletions(-) rename src/security/apparmor/{usr.lib.libvirt.virt-aa-helper => usr.lib.libvirt.virt-aa-helper.in} (85%) rename src/security/apparmor/{usr.sbin.libvirtd => usr.sbin.libvirtd.in} (93%) -- 2.24.1

The configure script allows users to specify different paths for /etc/, /usr/sbin/, /var/run/ and /usr/libexec/. Instead of assuming user will pass expected value, generate the apparmor profiles using the actual values.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/security/Makefile.inc.am | 29 +++++++++++++++----
 ...lper => usr.lib.libvirt.virt-aa-helper.in} | 10 +++----
 ...usr.sbin.libvirtd => usr.sbin.libvirtd.in} | 12 ++++----
 3 files changed, 35 insertions(+), 16 deletions(-)
 rename src/security/apparmor/{usr.lib.libvirt.virt-aa-helper => usr.lib.libvirt.virt-aa-helper.in} (85%)
 rename src/security/apparmor/{usr.sbin.libvirtd => usr.sbin.libvirtd.in} (94%)
diff --git a/src/security/Makefile.inc.am b/src/security/Makefile.inc.am
index 6fe9d50f29..3d669275d4 100644
--- a/src/security/Makefile.inc.am
+++ b/src/security/Makefile.inc.am
@@ -30,16 +30,36 @@ SECURITY_DRIVER_APPARMOR_SOURCES = \
 security/security_apparmor.c \
 $(NULL)
+SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES_IN = \
+ security/apparmor/usr.lib.libvirt.virt-aa-helper.in \
+ security/apparmor/usr.sbin.libvirtd.in \
+ $(NULL)
+
+SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES = \
+ $(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES_IN:%.in=%)
+ $(NULL)
+
+security/apparmor/%: $(srcdir)/security/apparmor/%.in
+ $(AM_V_GEN)$(MKDIR_P) `dirname $@` && \
+ $(SED) \
+ -e 's|[@]sysconfdir[@]|@sysconfdir@|' \
+ -e 's|[@]sbindir[@]|@sbindir@|' \
+ -e 's|[@]runstatedir[@]|@runstatedir@|' \
+ -e 's|[@]libexecdir[@]|@libexecdir@|' \
+ $< > $@
+
+BUILT_SOURCES += $(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES)
+CLEANFILES += $(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES)
+
 EXTRA_DIST += \
 $(SECURITY_DRIVER_SELINUX_SOURCES) \
 $(SECURITY_DRIVER_APPARMOR_SOURCES) \
 $(SECURITY_DRIVER_APPARMOR_HELPER_SOURCES) \
+ $(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES_IN) \
 security/apparmor/TEMPLATE.qemu \
 security/apparmor/TEMPLATE.lxc \
 security/apparmor/libvirt-qemu \
 security/apparmor/libvirt-lxc \
- security/apparmor/usr.lib.libvirt.virt-aa-helper \
- security/apparmor/usr.sbin.libvirtd \
 $(NULL)
 libvirt_security_manager_la_SOURCES = $(SECURITY_DRIVER_SOURCES)
@@ -91,8 +111,7 @@ endif WITH_SECDRIVER_APPARMOR
 if WITH_APPARMOR_PROFILES
 apparmordir = $(sysconfdir)/apparmor.d/
 apparmor_DATA = \
- security/apparmor/usr.lib.libvirt.virt-aa-helper \
- security/apparmor/usr.sbin.libvirtd \
+ $(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES)
 $(NULL)
 abstractionsdir = $(apparmordir)/abstractions
@@ -108,7 +127,7 @@ templates_DATA = \
 $(NULL)
 APPARMOR_LOCAL_DIR = "$(DESTDIR)$(apparmordir)/local"
-install-apparmor-local:
+install-apparmor-local: $(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES)
 $(MKDIR_P) "$(APPARMOR_LOCAL_DIR)"
 echo "# Site-specific additions and overrides for \
 'usr.lib.libvirt.virt-aa-helper'" \
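Review bot: The `security/apparmor/%` recipe in the first hunk redirects `$(SED)` straight into `$@`, so a failed or interrupted run can leave an empty or partial profile with a fresh timestamp, which `apparmor_DATA` would then install as if it were complete. Unless the including Makefile sets `.DELETE_ON_ERROR` (not visible here), writing to a temporary name and renaming closes that window: `$< > $@-t && mv $@-t $@`. The four `s|...|...|` expressions also have no `g` flag, so only the first token on a line is replaced. The template lines visible in this patch carry one token each, but adding `g` would keep a later two-token rule from being installed with a literal `@...@` path in a confinement policy.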
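Review bot: The new `$(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES)` line under `apparmor_DATA = \` has no trailing backslash, so the `$(NULL)` after it is no longer part of the assignment; the first hunk has the same gap after `$(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES_IN:%.in=%)`. The stray line expands to nothing, so the build most likely still works, but it breaks the list idiom used by every other variable in this file, and an entry appended below the unterminated line would fall outside the variable. Ending both lines with a continuation restores it: `$(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES) \`. The `if WITH_APPARMOR_PROFILES` block opens in this hunk and closes outside it.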
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
similarity index 85%
rename from src/security/apparmor/usr.lib.libvirt.virt-aa-helper
rename to src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index af434ab539..dd18c8ab89 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -1,6 +1,6 @@
 #include <tunables/global>
-profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
+profile virt-aa-helper @libexecdir@/virt-aa-helper {
 #include <abstractions/base>
 # needed for searching directories
@@ -19,7 +19,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
 # Used when internally running another command (namely apparmor_parser)
 @{PROC}/@{pid}/fd/ r,
- /etc/libnl-3/classid r,
+ @sysconfdir@/libnl-3/classid r,
 # for gl enabled graphics
 /dev/dri/{,*} r,
@@ -38,11 +38,11 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
 deny /dev/mapper/ r,
 deny /dev/mapper/* r,
- /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
+ @libexecdir@/virt-aa-helper mr,
 /{usr/,}sbin/apparmor_parser Ux,
- /etc/apparmor.d/libvirt/* r,
- /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+ @sysconfdir@/apparmor.d/libvirt/* r,
+ @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
 # for backingstore -- allow access to non-hidden files in @{HOME} as well
 # as storage pools
diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd.in
similarity index 94%
rename from src/security/apparmor/usr.sbin.libvirtd
rename to src/security/apparmor/usr.sbin.libvirtd.in
index b21f31b2e1..f4fc51d705 100644
--- a/src/security/apparmor/usr.sbin.libvirtd
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -1,7 +1,7 @@
 #include <tunables/global>
 @{LIBVIRT}="libvirt"
-profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
+profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
 #include <abstractions/base>
 #include <abstractions/dbus>
@@ -80,8 +80,8 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
 /bin/* PUx,
 /sbin/* PUx,
 /usr/bin/* PUx,
- /usr/sbin/virtlogd pix,
- /usr/sbin/* PUx,
+ @sbindir@/virtlogd pix,
+ @sbindir@/* PUx,
 /{usr/,}lib/udev/scsi_id PUx,
 /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
 /usr/{lib,lib64}/xen/bin/* Ux,
@@ -98,9 +98,9 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
 audit deny /sys/kernel/security/apparmor/matching rwxl,
 audit deny /sys/kernel/security/apparmor/.* rwxl,
 /sys/kernel/security/apparmor/profiles r,
- /usr/{lib,lib64}/libvirt/* PUxr,
- /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
- /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
+ @libexecdir@/* puxr,
+ @libexecdir@/libvirt_parthelper ix,
+ @libexecdir@/libvirt_iohelper ix,
 /etc/libvirt/hooks/** rmix,
 /etc/xen/scripts/** rmix,
-- 
2.24.1
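Review bot: In the last hunk the context line `/etc/libvirt/hooks/** rmix,` stays hard-coded directly below the rules that were switched to `@libexecdir@`, although the virt-aa-helper template in this same patch replaces its `/etc/...` paths with `@sysconfdir@`. With a non-default `--sysconfdir` the daemon's hook directory would then fall outside the generated profile. If the hooks are looked up under the configured sysconfdir (not visible in this patch), the rule should follow it: `@sysconfdir@/libvirt/hooks/** rmix,`. The profile body continues outside every hunk shown here, so other fixed paths may need the same treatment; no visible template line uses `@runstatedir@` even though the sed rule substitutes it.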

On Thu, Jan 30, 2020 at 03:12:30PM +0100, Michal Privoznik wrote:
The configure script allows users to specify different paths for /etc/, /usr/sbin/, /var/run/ and /usr/libexec/. Instead of assuming user will pass expected value, generate the apparmor profiles using the actual values.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/security/Makefile.inc.am | 29 +++++++++++++++---- ...lper => usr.lib.libvirt.virt-aa-helper.in} | 10 +++---- ...usr.sbin.libvirtd => usr.sbin.libvirtd.in} | 12 ++++---- 3 files changed, 35 insertions(+), 16 deletions(-) rename src/security/apparmor/{usr.lib.libvirt.virt-aa-helper => usr.lib.libvirt.virt-aa-helper.in} (85%) rename src/security/apparmor/{usr.sbin.libvirtd => usr.sbin.libvirtd.in} (94%)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On 1/30/20 7:12 AM, Michal Privoznik wrote:
The configure script allows users to specify different paths for /etc/, /usr/sbin/, /var/run/ and /usr/libexec/. Instead of assuming user will pass expected value, generate the apparmor profiles using the actual values.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/security/Makefile.inc.am | 29 +++++++++++++++---- ...lper => usr.lib.libvirt.virt-aa-helper.in} | 10 +++---- ...usr.sbin.libvirtd => usr.sbin.libvirtd.in} | 12 ++++---- 3 files changed, 35 insertions(+), 16 deletions(-) rename src/security/apparmor/{usr.lib.libvirt.virt-aa-helper => usr.lib.libvirt.virt-aa-helper.in} (85%) rename src/security/apparmor/{usr.sbin.libvirtd => usr.sbin.libvirtd.in} (94%)
diff --git a/src/security/Makefile.inc.am b/src/security/Makefile.inc.am index 6fe9d50f29..3d669275d4 100644 --- a/src/security/Makefile.inc.am +++ b/src/security/Makefile.inc.am @@ -30,16 +30,36 @@ SECURITY_DRIVER_APPARMOR_SOURCES = \ security/security_apparmor.c \ $(NULL)
+SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES_IN = \ + security/apparmor/usr.lib.libvirt.virt-aa-helper.in \ + security/apparmor/usr.sbin.libvirtd.in \ + $(NULL) + +SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES = \ + $(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES_IN:%.in=%) + $(NULL) + +security/apparmor/%: $(srcdir)/security/apparmor/%.in + $(AM_V_GEN)$(MKDIR_P) `dirname $@` && \ + $(SED) \ + -e 's|[@]sysconfdir[@]|@sysconfdir@|' \ + -e 's|[@]sbindir[@]|@sbindir@|' \ + -e 's|[@]runstatedir[@]|@runstatedir@|' \ + -e 's|[@]libexecdir[@]|@libexecdir@|' \ + $< > $@ + +BUILT_SOURCES += $(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES) +CLEANFILES += $(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES) + EXTRA_DIST += \ $(SECURITY_DRIVER_SELINUX_SOURCES) \ $(SECURITY_DRIVER_APPARMOR_SOURCES) \ $(SECURITY_DRIVER_APPARMOR_HELPER_SOURCES) \ + $(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES_IN) \ security/apparmor/TEMPLATE.qemu \ security/apparmor/TEMPLATE.lxc \ security/apparmor/libvirt-qemu \ security/apparmor/libvirt-lxc \ - security/apparmor/usr.lib.libvirt.virt-aa-helper \ - security/apparmor/usr.sbin.libvirtd \ $(NULL)
libvirt_security_manager_la_SOURCES = $(SECURITY_DRIVER_SOURCES) @@ -91,8 +111,7 @@ endif WITH_SECDRIVER_APPARMOR if WITH_APPARMOR_PROFILES apparmordir = $(sysconfdir)/apparmor.d/ apparmor_DATA = \ - security/apparmor/usr.lib.libvirt.virt-aa-helper \ - security/apparmor/usr.sbin.libvirtd \ + $(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES) $(NULL)
abstractionsdir = $(apparmordir)/abstractions @@ -108,7 +127,7 @@ templates_DATA = \ $(NULL)
APPARMOR_LOCAL_DIR = "$(DESTDIR)$(apparmordir)/local" -install-apparmor-local: +install-apparmor-local: $(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES) $(MKDIR_P) "$(APPARMOR_LOCAL_DIR)" echo "# Site-specific additions and overrides for \ 'usr.lib.libvirt.virt-aa-helper'" \ diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in similarity index 85% rename from src/security/apparmor/usr.lib.libvirt.virt-aa-helper rename to src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in index af434ab539..dd18c8ab89 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -1,6 +1,6 @@ #include <tunables/global>
-profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { +profile virt-aa-helper @libexecdir@/virt-aa-helper { #include <abstractions/base>
# needed for searching directories @@ -19,7 +19,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { # Used when internally running another command (namely apparmor_parser) @{PROC}/@{pid}/fd/ r,
- /etc/libnl-3/classid r, + @sysconfdir@/libnl-3/classid r,
# for gl enabled graphics /dev/dri/{,*} r, @@ -38,11 +38,11 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { deny /dev/mapper/ r, deny /dev/mapper/* r,
- /usr/{lib,lib64}/libvirt/virt-aa-helper mr, + @libexecdir@/virt-aa-helper mr, /{usr/,}sbin/apparmor_parser Ux,
- /etc/apparmor.d/libvirt/* r, - /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + @sysconfdir@/apparmor.d/libvirt/* r, + @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
# for backingstore -- allow access to non-hidden files in @{HOME} as well # as storage pools diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd.in similarity index 94% rename from src/security/apparmor/usr.sbin.libvirtd rename to src/security/apparmor/usr.sbin.libvirtd.in index b21f31b2e1..f4fc51d705 100644 --- a/src/security/apparmor/usr.sbin.libvirtd +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -1,7 +1,7 @@ #include <tunables/global> @{LIBVIRT}="libvirt"
-profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { +profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { #include <abstractions/base> #include <abstractions/dbus>
@@ -80,8 +80,8 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { /bin/* PUx, /sbin/* PUx, /usr/bin/* PUx, - /usr/sbin/virtlogd pix, - /usr/sbin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, /{usr/,}lib/udev/scsi_id PUx, /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, /usr/{lib,lib64}/xen/bin/* Ux, @@ -98,9 +98,9 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { audit deny /sys/kernel/security/apparmor/matching rwxl, audit deny /sys/kernel/security/apparmor/.* rwxl, /sys/kernel/security/apparmor/profiles r, - /usr/{lib,lib64}/libvirt/* PUxr, - /usr/{lib,lib64}/libvirt/libvirt_parthelper ix, - /usr/{lib,lib64}/libvirt/libvirt_iohelper ix, + @libexecdir@/* puxr,
s/puxr/PUxr/ to match the existing access modes. Regards, Jim
+ @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, /etc/libvirt/hooks/** rmix, /etc/xen/scripts/** rmix,

Both of these binaries are spawn by libvirt. Add a rule to the default profile to allow that.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/security/apparmor/usr.sbin.libvirtd.in | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index f4fc51d705..c950a83db8 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -99,6 +99,8 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
 audit deny /sys/kernel/security/apparmor/.* rwxl,
 /sys/kernel/security/apparmor/profiles r,
 @libexecdir@/* puxr,
+ @libexecdir@/virt-aa-helper PUxr,
+ @libexecdir@/libvirt_lxc PUxr,
 @libexecdir@/libvirt_parthelper ix,
 @libexecdir@/libvirt_iohelper ix,
 /etc/libvirt/hooks/** rmix,
-- 
2.24.1
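Review bot: The added `@libexecdir@/virt-aa-helper PUxr,` keeps the unconfined fallback of `PUx`: if the helper's own profile is not loaded, the exec still succeeds and the helper runs without confinement. This series installs a profile for that binary (through `apparmor_DATA` when `WITH_APPARMOR_PROFILES` is set), so a rule that requires the transition would fail closed instead: `@libexecdir@/virt-aa-helper Pxr,`. Whether `libvirt_lxc` has a profile to transition to is not visible here, so that line may have to keep `PUxr`. The `profile libvirtd` block starts and ends outside the hunk.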

On Thu, Jan 30, 2020 at 03:12:31PM +0100, Michal Privoznik wrote:
Both of these binaries are spawn by libvirt. Add a rule to the default profile to allow that.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/security/apparmor/usr.sbin.libvirtd.in | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in index f4fc51d705..c950a83db8 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -99,6 +99,8 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { audit deny /sys/kernel/security/apparmor/.* rwxl, /sys/kernel/security/apparmor/profiles r, @libexecdir@/* puxr, + @libexecdir@/virt-aa-helper PUxr,
I'm really puzzled about this one. If this was required, then surely apparmor has been broken since day 1 this was introduced to libvirt? Can anyone explain why we've been able to do without this rule forever?
+ @libexecdir@/libvirt_lxc PUxr,
I can understand a little more why this might be missing, as it is not so common as QEMU usage.
@libexecdir@/libvirt_parthelper ix, @libexecdir@/libvirt_iohelper ix, /etc/libvirt/hooks/** rmix, -- 2.24.1
Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On 2/3/20 9:50 AM, Daniel P. Berrangé wrote:
On Thu, Jan 30, 2020 at 03:12:31PM +0100, Michal Privoznik wrote:
Both of these binaries are spawn by libvirt. Add a rule to the default profile to allow that.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/security/apparmor/usr.sbin.libvirtd.in | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in index f4fc51d705..c950a83db8 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -99,6 +99,8 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { audit deny /sys/kernel/security/apparmor/.* rwxl, /sys/kernel/security/apparmor/profiles r, @libexecdir@/* puxr, + @libexecdir@/virt-aa-helper PUxr,
I'm really puzzelled about this one. If this was required, then surely apparmor has been broken since day 1 this was introduced to libvirt ?
Can anyone explain why we've been able todo with this rule forever ?
Doesn't the rule directly above (which should have PUxr access modes) allow spawning virt-aa-helper? Perhaps the explicit rule is only needed if changing the access modes from the "default"? Regards, Jim

On 2/3/20 5:50 PM, Daniel P. Berrangé wrote:
On Thu, Jan 30, 2020 at 03:12:31PM +0100, Michal Privoznik wrote:
Both of these binaries are spawn by libvirt. Add a rule to the default profile to allow that.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/security/apparmor/usr.sbin.libvirtd.in | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in index f4fc51d705..c950a83db8 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -99,6 +99,8 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { audit deny /sys/kernel/security/apparmor/.* rwxl, /sys/kernel/security/apparmor/profiles r, @libexecdir@/* puxr, + @libexecdir@/virt-aa-helper PUxr,
I'm really puzzelled about this one. If this was required, then surely apparmor has been broken since day 1 this was introduced to libvirt ?
Can anyone explain why we've been able todo with this rule forever ?
+ @libexecdir@/libvirt_lxc PUxr,
I can understand a little more why this might be missing, as it is not so common as QEMU usage.
Frankly, I don't understand that either. I just copied what was in the Gentoo patch. But I can drop this one. The @libexecdir@/* rule should allow what is needed anyway. Michal

On Tue, Feb 04, 2020 at 10:24:07AM +0100, Michal Privoznik wrote:
On 2/3/20 5:50 PM, Daniel P. Berrangé wrote:
On Thu, Jan 30, 2020 at 03:12:31PM +0100, Michal Privoznik wrote:
Both of these binaries are spawn by libvirt. Add a rule to the default profile to allow that.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/security/apparmor/usr.sbin.libvirtd.in | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in index f4fc51d705..c950a83db8 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -99,6 +99,8 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { audit deny /sys/kernel/security/apparmor/.* rwxl, /sys/kernel/security/apparmor/profiles r, @libexecdir@/* puxr, + @libexecdir@/virt-aa-helper PUxr,
I'm really puzzelled about this one. If this was required, then surely apparmor has been broken since day 1 this was introduced to libvirt ?
Can anyone explain why we've been able todo with this rule forever ?
+ @libexecdir@/libvirt_lxc PUxr,
I can understand a little more why this might be missing, as it is not so common as QEMU usage.
Frankly, I don't understand that too. I just copied what was in the gentoo patch. But I can drop this one. The @libexecdir@/* rule should allow what is needed anyway.
Actually, if anything, it probably makes more sense to drop the generic @libexecdir@ rule, as it allows libvirtd to run anything under /usr/libexec which makes the policy pretty useless IMHO. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

The location of virt-aa-helper shown in the docs is incorrect. The helper binary is installed under libexec dir. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- docs/drvqemu.html.in | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/drvqemu.html.in b/docs/drvqemu.html.in index 87542afd27..5f412ba376 100644 --- a/docs/drvqemu.html.in +++ b/docs/drvqemu.html.in @@ -439,7 +439,8 @@ chmod o+x /path/to/directory <p> While users can define their own AppArmor profile scheme, a typical configuration will include a profile for <code>/usr/sbin/libvirtd</code>, - <code>/usr/lib/libvirt/virt-aa-helper</code> (a helper program which the + <code>/usr/lib/libvirt/virt-aa-helper</code> or + <code>/usr/libexec/virt-aa-helper</code>(a helper program which the libvirtd daemon uses instead of manipulating AppArmor directly), and an abstraction to be included by <code>/etc/apparmor.d/libvirt/TEMPLATE</code> (typically <code>/etc/apparmor.d/abstractions/libvirt-qemu</code>). -- 2.24.1

On Thu, Jan 30, 2020 at 03:12:32PM +0100, Michal Privoznik wrote:
The location of virt-aa-helper shown in the docs is incorrect. The helper binary is installed under libexec dir.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- docs/drvqemu.html.in | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|