8:13 a.m.
This patch provides AppArmor policy updates for the QEMU bridge helper.
The QEMU bridge helper is a SUID executable exec'd by QEMU that drops
capabilities to CAP_NET_ADMIN and adds a tap device to a network
bridge. For more details on the helper, please refer to:
http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg03562.html
Signed-off-by: Corey Bryant <coreyb(a)linux.vnet.ibm.com>
---
examples/apparmor/libvirt-qemu | 22 +++++++++++++++++++++-
1 files changed, 21 insertions(+), 1 deletions(-)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 10cdd36..ee9ba5d 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -1,4 +1,4 @@
-# Last Modified: Mon Apr 5 15:11:27 2010
+# Last Modified: Fri Mar 9 14:43:22 2012
#include <abstractions/base>
#include <abstractions/consoles>
@@ -108,3 +108,23 @@
/bin/dash rmix,
/bin/dd rmix,
/bin/cat rmix,
+
+ /usr/libexec/qemu-bridge-helper Cx,
+
+ # child profile for bridge helper process
+ profile /usr/libexec/qemu-bridge-helper {
+ #include <abstractions/base>
+
+ capability setuid,
+ capability setgid,
+ capability setpcap,
+ capability net_admin,
+
+ network inet stream,
+
+ /dev/net/tun rw,
+ /etc/qemu/** r,
+ @{PROC}/*/status r,
+
+ /usr/libexec/qemu-bridge-helper rmix,
+ }
--
1.7.7
1:36 p.m.
On Mon, 2012-03-12 at 09:13 -0400, Corey Bryant wrote:
This patch provides AppArmor policy updates for the QEMU bridge
helper.
The QEMU bridge helper is a SUID executable exec'd by QEMU that drops
capabilities to CAP_NET_ADMIN and adds a tap device to a network
bridge. For more details on the helper, please refer to:
http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg03562.html
Signed-off-by: Corey Bryant <coreyb(a)linux.vnet.ibm.com>
I've not used the helper personally, but the policy makes sense overall
though. I do have a few questions:
+ capability setuid,
+ capability setgid,
I'm assuming these are needed because qemu-bridge-helper drops
privileges?
+ capability setpcap,
Can you explain why this capability is needed by qemu-bridge-helper?
+ network inet stream,
I understood why net_admin was needed, but this one is less clear. Why
does qemu-bridge-helper need this?
+ /etc/qemu/** r,
I'm not familiar with this directory. What does qemu-bridge-helper need
from this directory?
+ @{PROC}/*/status r,
Is it possible to use this instead:
owner @{PROC}/*/status r,
Thanks!
--
Jamie Strandboge | http://www.canonical.com
4:07 p.m.
Thanks for your comments.
One thing I should have pointed out before is that libvirt doesn't have
support for the bridge helper yet. I hard coded the qemu options in the
domain XML to test this. I'm not sure if that would prevent this patch
from getting in or not.
On 03/12/2012 02:36 PM, Jamie Strandboge wrote:
On Mon, 2012-03-12 at 09:13 -0400, Corey Bryant wrote:
> This patch provides AppArmor policy updates for the QEMU bridge helper.
> The QEMU bridge helper is a SUID executable exec'd by QEMU that drops
> capabilities to CAP_NET_ADMIN and adds a tap device to a network
> bridge. For more details on the helper, please refer to:
>
> http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg03562.html
>
> Signed-off-by: Corey Bryant<coreyb(a)linux.vnet.ibm.com>
I've not used the helper personally, but the policy makes sense overall
though. I do have a few questions:
> + capability setuid,
> + capability setgid,
I'm assuming these are needed because qemu-bridge-helper drops
privileges?
Yes, exactly.
> + capability setpcap,
Can you explain why this capability is needed by qemu-bridge-helper?
This is required to modify the bounding capability set. Here are the
calls the helper uses to modify capabilities:
capng_clear(CAPNG_SELECT_BOTH);
capng_update(CAPNG_ADD,
CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_NET_ADMIN);
capng_change_id(getuid(), getgid(), CAPNG_CLEAR_BOUNDING);
> + network inet stream,
I understood why net_admin was needed, but this one is less clear. Why
does qemu-bridge-helper need this?
Good question. I'm going to test without this and see if it's
necessary. I'm wondering if it's a subset of net_admin, and I may have
added this before I added net_admin.
> + /etc/qemu/** r,
I'm not familiar with this directory. What does qemu-bridge-helper need
from this directory?
ACL config files can be configured to allow/disallow bridge access to
specific users. These files are read from /etc/qemu/.
> + @{PROC}/*/status r,
Is it possible to use this instead:
owner @{PROC}/*/status r,
I would imagine this is ok to update with owner. I'll test it out and
submit a v2 if there aren't any issues.
Thanks!
Thank you!
--
Regards,
Corey
7:47 a.m.
On 03/12/2012 05:07 PM, Corey Bryant wrote:
...
>> + network inet stream,
>
> I understood why net_admin was needed, but this one is less clear. Why
> does qemu-bridge-helper need this?
>
Good question. I'm going to test without this and see if it's necessary.
I'm wondering if it's a subset of net_admin, and I may have added this
before I added net_admin.
I just submitted patch v2. The only change is addition of the owner
keyword (see below).
I tested without 'network inet stream' and got an AVC denial so I kept
it in the policy. We open an AF_INET/SOCK_STREAM socket in the helper,
which I believe this maps to.
...
>> + @{PROC}/*/status r,
>
> Is it possible to use this instead:
> owner @{PROC}/*/status r,
>
I would imagine this is ok to update with owner. I'll test it out and
submit a v2 if there aren't any issues.
--
Regards,
Corey
4637
days inactive
4638
days old
3 comments
2 participants
participants (2)
-
Corey Bryant -
Jamie Strandboge