On Thu, Jan 30, 2020 at 8:06 AM Michal Privoznik <mprivozn(a)redhat.com>
wrote:
Even though we construct a domain specific profile for each
domain we start (which should cover domain specific paths), there
is also another file that is included from the profile and which
contains domain agnostic paths (e.g. to cover libraries that qemu
links with). The paths in the file are split into blocks divided
by comments. Sort the paths in each block individually, case-insensitively,
so that e.g. /usr/share/AAVMF and /usr/share/ovmf sort next to each other.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
Acked-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
src/security/apparmor/libvirt-qemu | 76 +++++++++++++++---------------
1 file changed, 38 insertions(+), 38 deletions(-)
diff --git a/src/security/apparmor/libvirt-qemu
b/src/security/apparmor/libvirt-qemu
index d33348aa05..2291829270 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -22,8 +22,8 @@
signal (receive) peer=libvirtd,
signal (receive) peer=/usr/sbin/libvirtd,
- /dev/net/tun rw,
/dev/kvm rw,
+ /dev/net/tun rw,
/dev/ptmx rw,
@{PROC}/*/status r,
# When qemu is signaled to terminate, it will read cmdline of signaling
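Review bot: Nothing in the profile records that entries inside each comment-delimited block are meant to stay sorted, so the next rule added (say another device after `/dev/ptmx rw,`) will land wherever its author puts it and the ordering this patch establishes will drift. AppArmor treats the profile as a rule set, which is why swapping `/dev/kvm rw,` and `/dev/net/tun rw,` here is behaviour-neutral, but it is also why the parser cannot enforce the convention for you. A one-line comment near the head of the file, `# Rules within each block are sorted case-insensitively; keep new entries in order.`, would make the intent explicit; the file header is above this hunk.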
@@ -39,19 +39,19 @@
/sys/bus/usb/devices/ r,
/sys/devices/**/usb[0-9]*/** r,
# libusb needs udev data about usb devices (~equal to content of lsusb
-v)
+ /run/udev/data/+usb* r,
/run/udev/data/c16[6,7]* r,
/run/udev/data/c18[0,8,9]* r,
- /run/udev/data/+usb* r,
# WARNING: this gives the guest direct access to host hardware and
specific
# portions of shared memory. This is required for sound using ALSA with
kvm,
# but may constitute a security risk. If your environment does not
require
# the use of sound in your VMs, feel free to comment out or prepend
'deny' to
# the rules for files in /dev.
+ /dev/snd/* rw,
/{dev,run}/shm r,
/{dev,run}/shmpulse-shm* r,
/{dev,run}/shmpulse-shm* rwk,
- /dev/snd/* rw,
capability ipc_lock,
# spice
owner /{dev,run}/shm/spice.* rw,
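Review bot: The two context rules beside the moved `/dev/snd/* rw,`, namely `/{dev,run}/shmpulse-shm* r,` and `/{dev,run}/shmpulse-shm* rwk,`, look like a long-standing typo for `/{dev,run}/shm/pulse-shm* …`: as written they match a file named `shmpulse-shm*` directly under /dev or /run, not PulseAudio's segments inside /dev/shm/, so they presumably grant nothing, and the `r` line is in any case subsumed by the `rwk` one. This is pre-existing rather than introduced by the sort, but since the patch already rewrites this block it is a cheap moment to either change it to a single `/{dev,run}/shm/pulse-shm* rwk,` or confirm the current spelling is deliberate. If sound works today with these rules, the access is coming from somewhere else and that is worth understanding before the WARNING comment above, which points readers at "the rules for files in /dev", is taken at face value.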
@@ -73,21 +73,21 @@
/var/lib/dbus/machine-id r,
# access to firmware's etc
- /usr/share/kvm/** r,
- /usr/share/qemu/** r,
- /usr/share/qemu-kvm/** r,
+ /usr/share/AAVMF/** r,
/usr/share/bochs/** r,
+ /usr/share/kvm/** r,
+ /usr/share/misc/sgabios.bin r,
/usr/share/openbios/** r,
/usr/share/openhackware/** r,
- /usr/share/proll/** r,
- /usr/share/vgabios/** r,
- /usr/share/seabios/** r,
- /usr/share/misc/sgabios.bin r,
- /usr/share/ovmf/** r,
/usr/share/OVMF/** r,
- /usr/share/AAVMF/** r,
+ /usr/share/ovmf/** r,
+ /usr/share/proll/** r,
/usr/share/qemu-efi/** r,
+ /usr/share/qemu-kvm/** r,
+ /usr/share/qemu/** r,
+ /usr/share/seabios/** r,
/usr/share/slof/** r,
+ /usr/share/vgabios/** r,
# pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
/etc/pki/CA/ r,
@@ -98,7 +98,33 @@
# the various binaries
/usr/bin/kvm rmix,
/usr/bin/qemu rmix,
+ /usr/bin/qemu-aarch64 rmix,
+ /usr/bin/qemu-alpha rmix,
+ /usr/bin/qemu-arm rmix,
+ /usr/bin/qemu-armeb rmix,
+ /usr/bin/qemu-cris rmix,
+ /usr/bin/qemu-i386 rmix,
/usr/bin/qemu-kvm rmix,
+ /usr/bin/qemu-m68k rmix,
+ /usr/bin/qemu-microblaze rmix,
+ /usr/bin/qemu-microblazeel rmix,
+ /usr/bin/qemu-mips rmix,
+ /usr/bin/qemu-mips64 rmix,
+ /usr/bin/qemu-mips64el rmix,
+ /usr/bin/qemu-mipsel rmix,
+ /usr/bin/qemu-mipsn32 rmix,
+ /usr/bin/qemu-mipsn32el rmix,
+ /usr/bin/qemu-or32 rmix,
+ /usr/bin/qemu-ppc rmix,
+ /usr/bin/qemu-ppc64 rmix,
+ /usr/bin/qemu-ppc64abi32 rmix,
+ /usr/bin/qemu-ppc64le rmix,
+ /usr/bin/qemu-s390x rmix,
+ /usr/bin/qemu-sh4 rmix,
+ /usr/bin/qemu-sh4eb rmix,
+ /usr/bin/qemu-sparc rmix,
+ /usr/bin/qemu-sparc32plus rmix,
+ /usr/bin/qemu-sparc64 rmix,
/usr/bin/qemu-system-aarch64 rmix,
/usr/bin/qemu-system-alpha rmix,
/usr/bin/qemu-system-arm rmix,
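Review bot: The `/usr/bin/qemu-<arch> rmix,` rules gathered into this hunk (qemu-aarch64, qemu-i386, qemu-x86_64, …) are the linux-user emulators, not the qemu-system-* binaries a domain is started from, and `ix` lets an already-compromised guest process exec them under this same profile. A user-mode emulator loads its target ELF with open()/mmap rather than execve(), so any file the domain can read becomes runnable code without ever passing AppArmor's exec mediation — a noticeably weaker containment than the matching `rmix` on the system emulators suggests. I am not aware of a libvirt flow that spawns these, though I cannot rule one out from this file alone; unless one exists, dropping the user-mode entries, or at minimum adding a comment such as `# linux-user emulators: needed for <reason>` above them, would be preferable. The "# the various binaries" list continues past the end of this hunk.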
@@ -132,32 +158,6 @@
/usr/bin/qemu-system-x86_64 rmix,
/usr/bin/qemu-system-xtensa rmix,
/usr/bin/qemu-system-xtensaeb rmix,
- /usr/bin/qemu-aarch64 rmix,
- /usr/bin/qemu-alpha rmix,
- /usr/bin/qemu-arm rmix,
- /usr/bin/qemu-armeb rmix,
- /usr/bin/qemu-cris rmix,
- /usr/bin/qemu-i386 rmix,
- /usr/bin/qemu-m68k rmix,
- /usr/bin/qemu-microblaze rmix,
- /usr/bin/qemu-microblazeel rmix,
- /usr/bin/qemu-mips rmix,
- /usr/bin/qemu-mips64 rmix,
- /usr/bin/qemu-mips64el rmix,
- /usr/bin/qemu-mipsel rmix,
- /usr/bin/qemu-mipsn32 rmix,
- /usr/bin/qemu-mipsn32el rmix,
- /usr/bin/qemu-or32 rmix,
- /usr/bin/qemu-ppc rmix,
- /usr/bin/qemu-ppc64 rmix,
- /usr/bin/qemu-ppc64abi32 rmix,
- /usr/bin/qemu-ppc64le rmix,
- /usr/bin/qemu-s390x rmix,
- /usr/bin/qemu-sh4 rmix,
- /usr/bin/qemu-sh4eb rmix,
- /usr/bin/qemu-sparc rmix,
- /usr/bin/qemu-sparc32plus rmix,
- /usr/bin/qemu-sparc64 rmix,
/usr/bin/qemu-unicore32 rmix,
/usr/bin/qemu-x86_64 rmix,
# for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
--
2.24.1
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd