[libvirt] [PATCH 0/3] Update example apparmor profile

The apparmor profile example for libvirtd is rather outdated. The changes in this patch series are intended to bring this sample up to date with the latest working configuration. This series addresses issues applicable to general libvirt, Xen and libvirt-TCK operations - each in their own patch.

Mike Latimer (3):
  Fix apparmor issues for Xen
  Grant access to helpers
  Fix apparmor issues for tck

 examples/apparmor/usr.sbin.libvirtd | 6 ++++++
 1 file changed, 6 insertions(+)

-- 
1.8.4.5

In order for apparmor to work properly in Xen environments, the following access rights need to be allowed:
- Allow CAP_SYS_PACCT, which is required when resetting some multi-port Broadcom cards by writing to the PCI config space
- Allow CAP_IPC_LOCK, which is required to lock/unlock memory. Without this setting, an error 'Resource temporarily unavailable' can be seen while attempting to mmap memory. At the same time, the following apparmor message is seen:
apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd" pid=2097 comm="libvirtd" pid=2097 comm="libvirtd" capability=14 capname="ipc_lock"
- Allow access to distribution specific directories: /usr/{lib,lib64}/xen/bin
--- examples/apparmor/usr.sbin.libvirtd | 3 +++ 1 file changed, 3 insertions(+) diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 7151052..9917836 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -13,6 +13,7 @@ capability sys_admin, capability sys_module, capability sys_ptrace, + capability sys_pacct, capability sys_nice, capability sys_chroot, capability setuid, @@ -24,6 +25,7 @@ capability mknod, capability fsetid, capability audit_write, + capability ipc_lock, # Needed for vfio capability sys_resource, @@ -45,6 +47,7 @@ /usr/sbin/* PUx, /lib/udev/scsi_id PUx, /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64}/xen/bin/* Ux, # force the use of virt-aa-helper audit deny /sbin/apparmor_parser rwxl, -- 1.8.4.5
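Review bot: the first hunk (`+ capability sys_pacct,`) is the only one of the three changes with no DENIED record to back it up; the ipc_lock change quotes its audit line, but the sys_pacct change only asserts that resetting some Broadcom cards by writing PCI config space needs it, and per capabilities(7) CAP_SYS_PACCT is the process-accounting (acct(2)) capability, so the connection is not obvious from the message. Please add the observed `operation="capable" ... capname="sys_pacct"` record to the commit message so a reviewer can see which code path asks for it and the rule can be dropped again if that requirement goes away.

Review bot: in the second hunk, `+ capability ipc_lock,` lands right above the `# Needed for vfio` comment that documents `capability sys_resource,`, with nothing explaining ipc_lock itself. The file already annotates non-obvious capabilities that way, so give this one a comment too (for instance `# Needed for Xen to lock/unlock memory`), which also keeps it from being read as part of the vfio block.

Review bot: in the third hunk, `+ /usr/{lib,lib64}/xen/bin/* Ux,` runs every binary in that directory with no profile at all, while the line just above it, `/usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,`, at least tries a profile before falling back to unconfined. PUx would keep the two Xen rules consistent and honour any profile later shipped for those helpers, and ix would be tighter still if the helpers need nothing beyond what libvirtd already has; the same Ux-versus-ix question is raised for the libvirt helpers in patch 2 of this series, where ix turned out to be enough.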

On Mon, 2015-01-19 at 18:25 -0700, Mike Latimer wrote:
In order for apparmor to work properly in Xen environments, the following access rights need to be allowed:
- Allow CAP_SYS_PACCT, which is required when resetting some multi-port Broadcom cards by writing to the PCI config space
- Allow CAP_IPC_LOCK, which is required to lock/unlock memory. Without this setting, an error 'Resource temporarily unavailable' can be seen while attempting to mmap memory. At the same time, the following apparmor message is seen:
apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd" pid=2097 comm="libvirtd" pid=2097 comm="libvirtd" capability=14 capname="ipc_lock"
- Allow access to distribution specific directories: /usr/{lib,lib64}/xen/bin
--- examples/apparmor/usr.sbin.libvirtd | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 7151052..9917836 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -13,6 +13,7 @@ capability sys_admin, capability sys_module, capability sys_ptrace, + capability sys_pacct, capability sys_nice, capability sys_chroot, capability setuid, @@ -24,6 +25,7 @@ capability mknod, capability fsetid, capability audit_write, + capability ipc_lock,
# Needed for vfio capability sys_resource, @@ -45,6 +47,7 @@ /usr/sbin/* PUx, /lib/udev/scsi_id PUx, /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64}/xen/bin/* Ux,
# force the use of virt-aa-helper audit deny /sbin/apparmor_parser rwxl,
ACK

Apparmor must not prevent access to required helper programs. The following helpers should be allowed to run in unconfined execution mode: - libvirt_parthelper - libvirt_iohelper --- examples/apparmor/usr.sbin.libvirtd | 2 ++ 1 file changed, 2 insertions(+) diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 9917836..ab6572a 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -57,6 +57,8 @@ audit deny /sys/kernel/security/apparmor/.* rwxl, /sys/kernel/security/apparmor/profiles r, /usr/{lib,lib64}/libvirt/* PUxr, + /usr/{lib,lib64}/libvirt/libvirt_parthelper Ux, + /usr/{lib,lib64}/libvirt/libvirt_iohelper Ux, /etc/libvirt/hooks/** rmix, /etc/xen/scripts/** rmix, -- 1.8.4.5
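Review bot: the two new `Ux` lines are narrower paths already covered by the preceding `/usr/{lib,lib64}/libvirt/* PUxr,`, so the only thing they change is the exec mode for libvirt_parthelper and libvirt_iohelper, from profile-with-unconfined-fallback to always unconfined; the commit message says the helpers "must not be prevented" from running but does not quote the denial that the glob rule produced, and it should. Given that the thread later confirms ix is sufficient for both helpers, the rules should read `/usr/{lib,lib64}/libvirt/libvirt_parthelper ix,` and `/usr/{lib,lib64}/libvirt/libvirt_iohelper ix,` with a comment saying why they differ from the glob, and it is worth loading the result with apparmor_parser to confirm it accepts the specific rules overriding the glob's exec mode rather than reporting them as conflicting.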

On Mon, 2015-01-19 at 18:25 -0700, Mike Latimer wrote:
Apparmor must not prevent access to required helper programs. The following helpers should be allowed to run in unconfined execution mode:
- libvirt_parthelper - libvirt_iohelper
--- examples/apparmor/usr.sbin.libvirtd | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 9917836..ab6572a 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -57,6 +57,8 @@ audit deny /sys/kernel/security/apparmor/.* rwxl, /sys/kernel/security/apparmor/profiles r, /usr/{lib,lib64}/libvirt/* PUxr, + /usr/{lib,lib64}/libvirt/libvirt_parthelper Ux, + /usr/{lib,lib64}/libvirt/libvirt_iohelper Ux, /etc/libvirt/hooks/** rmix, /etc/xen/scripts/** rmix,
Can't we find a way to have them run with inherited profile (ix)? Letting them run completely unprofiled may not be the best solution.

-- 
Cedric

On Tuesday, January 20, 2015 09:08:04 AM Cedric Bosdonnat wrote:
On Mon, 2015-01-19 at 18:25 -0700, Mike Latimer wrote:
Apparmor must not prevent access to required helper programs. The following
helpers should be allowed to run in unconfined execution mode: - libvirt_parthelper - libvirt_iohelper
---
examples/apparmor/usr.sbin.libvirtd | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 9917836..ab6572a 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -57,6 +57,8 @@
audit deny /sys/kernel/security/apparmor/.* rwxl, /sys/kernel/security/apparmor/profiles r, /usr/{lib,lib64}/libvirt/* PUxr,
+ /usr/{lib,lib64}/libvirt/libvirt_parthelper Ux, + /usr/{lib,lib64}/libvirt/libvirt_iohelper Ux,
/etc/libvirt/hooks/** rmix, /etc/xen/scripts/** rmix,
Can't we find a way to have them run with inherited profile (ix)? Letting them run completely unprofiled may not be the best solution.
Seems like the apparmor profile for libvirtd is pretty wide open, so I'm not sure if there will be much of a difference between those two settings. I'm also not sure how best to test the functionality of those helpers to find out...

I don't mind if the patch is committed with ix. We can always change it later if we find a definitive reason to use Ux. ;)

Thanks,
Mike

On Wed, 2015-01-21 at 22:32 -0700, Mike Latimer wrote:
On Tuesday, January 20, 2015 09:08:04 AM Cedric Bosdonnat wrote:
On Mon, 2015-01-19 at 18:25 -0700, Mike Latimer wrote:
Apparmor must not prevent access to required helper programs. The following
helpers should be allowed to run in unconfined execution mode: - libvirt_parthelper - libvirt_iohelper
---
examples/apparmor/usr.sbin.libvirtd | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 9917836..ab6572a 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -57,6 +57,8 @@
audit deny /sys/kernel/security/apparmor/.* rwxl, /sys/kernel/security/apparmor/profiles r, /usr/{lib,lib64}/libvirt/* PUxr,
+ /usr/{lib,lib64}/libvirt/libvirt_parthelper Ux, + /usr/{lib,lib64}/libvirt/libvirt_iohelper Ux,
/etc/libvirt/hooks/** rmix, /etc/xen/scripts/** rmix,
Can't we find a way to have them run with inherited profile (ix)? Letting them run completely unprofiled may not be the best solution.
Seems like the apparmor profile for libvirtd is pretty wide open, so I'm not sure if there will be much of a difference between those two settings. I'm also not sure how best to test the functionality of those helpers to find out...
I don't mind if the patch is committed with ix. We can always change it later if we find a definitive reason to use Ux. ;)
Jamie, as apparmor expert, do you have any opinion on this?

-- 
Cedric

On Thursday, January 22, 2015 08:55:07 AM Cedric Bosdonnat wrote:
Seems like the apparmor profile for libvirtd is pretty wide open, so I'm not sure if there will be much of a difference between those two settings. I'm also not sure how best to test the functionality of those helpers to find out...
Jim Fehlig and I just tested this and were able to show that 'ix' is sufficient for the helpers to work properly. Thanks for pointing this out Cedric. Can you just change the patch when you commit?
Jamie, as apparmor expert, do you have any opinion on this?
Still would be great to hear Jamie's opinion on this.

-Mike

On Thu, 2015-01-22 at 09:17 -0700, Mike Latimer wrote:
On Thursday, January 22, 2015 08:55:07 AM Cedric Bosdonnat wrote:
Seems like the apparmor profile for libvirtd is pretty wide open, so I'm not sure if there will be much of a difference between those two settings. I'm also not sure how best to test the functionality of those helpers to find out...
Jim Fehlig and I just tested this and were able to show that 'ix' is sufficient for the helpers to work properly. Thanks for pointing this out Cedric. Can you just change the patch when you commit?
Changed and pushed this and the 2 others. Thanks for the patches.

-- 
Cedric
Jamie, as apparmor expert, do you have any opinion on this?
Still would be great to hear Jamie's opinion on this.
-Mike
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

The network and nwfilter tests contained in the libvirt-TCK testkit can fail unless access to raw network packets is granted. Without this access, the following apparmor error can be seen while running the tests: apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/libvirtd" pid=94731 comm="libvirtd" family="packet" sock_type="raw" protocol=768 --- examples/apparmor/usr.sbin.libvirtd | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index ab6572a..3cd6b58 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -35,6 +35,7 @@ network inet6 stream, network inet6 dgram, network packet dgram, + network packet raw, # Very lenient profile for libvirtd since we want to first focus on confining # the guests. Guests will have a very restricted profile. -- 1.8.4.5
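Review bot: `+ network packet raw,` grants raw AF_PACKET sockets for any protocol, not only what the test needed; the quoted denial's `protocol=768` is 0x0300, i.e. htons(ETH_P_ALL), a socket that receives every frame on an interface, and the network rule syntax offers no narrower form for packet sockets, so this is a real widening of an already lenient profile. The commit message scopes it to the TCK's network and nwfilter tests, but nwfilter is an ordinary libvirtd feature; it should say whether normal nwfilter use hits the same denial (which would make this a functional fix rather than a test accommodation), and the rule deserves a comment in the style of the `# Needed for vfio` line elsewhere in the file.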

On Mon, 2015-01-19 at 18:25 -0700, Mike Latimer wrote:
The network and nwfilter tests contained in the libvirt-TCK testkit can fail unless access to raw network packets is granted. Without this access, the following apparmor error can be seen while running the tests:
apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/libvirtd" pid=94731 comm="libvirtd" family="packet" sock_type="raw" protocol=768
--- examples/apparmor/usr.sbin.libvirtd | 1 + 1 file changed, 1 insertion(+)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index ab6572a..3cd6b58 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -35,6 +35,7 @@ network inet6 stream, network inet6 dgram, network packet dgram, + network packet raw,
# Very lenient profile for libvirtd since we want to first focus on confining # the guests. Guests will have a very restricted profile.
ACK
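As an added example for this thread (not code from the libvirt patches or from the AppArmor project), the script below turns the two DENIED audit records quoted in the patch descriptions into the rule each patch adds, decodes the `protocol=768` field from the raw-socket denial, and lints a profile fragment for rules that hand a child unconfined execution, which is the Ux-versus-ix question raised about patch 2. Everything not on the page is assumed: the third audit line and its `example-helper` path are constructed, the profile fragment is assembled by me from the rules visible in the hunks plus the ix form the thread settled on, and the classification labels and function names are my own. The duplicated `pid=2097 comm="libvirtd"` pair in the first quoted record is dropped.

```python
"""Turn AppArmor DENIED audit records into candidate profile rules, and flag
file rules that hand a child process unconfined execution.

Added example for this thread; not code from the libvirt or AppArmor projects.
The first two audit lines are the ones quoted in the patch descriptions; the
third is constructed here (path and mask invented) to show a file denial. The
profile fragment is assembled from rules visible in the hunks plus the ix form
of the helper rule the thread settled on; its order and spacing are mine.
"""
import re

AUDIT_LINES = [
    'apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd" '
    'pid=2097 comm="libvirtd" capability=14 capname="ipc_lock"',
    'apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/libvirtd" '
    'pid=94731 comm="libvirtd" family="packet" sock_type="raw" protocol=768',
    # Constructed file denial, not from the thread.
    'apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" '
    'name="/usr/lib64/xen/bin/example-helper" pid=4242 comm="libvirtd" '
    'requested_mask="r" denied_mask="r"',
]

PROFILE_FRAGMENT = """\
  /usr/{lib,lib64}/libvirt/* PUxr,
  /usr/{lib,lib64}/libvirt/libvirt_parthelper Ux,
  /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
  /usr/{lib,lib64}/xen/bin/* Ux,
  /etc/libvirt/hooks/** rmix,
  audit deny /sbin/apparmor_parser rwxl,
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RULE_RE = re.compile(
    r'^\s*(?P<qual>(?:audit\s+)?(?:deny\s+)?)(?P<path>/\S+)\s+(?P<perms>[rwalkmixPpUuCc]+),\s*$')

ETH_P_ALL = 0x0003  # <linux/if_ether.h>: "every packet"


def parse_audit(line):
    """Split an AppArmor audit record into {key: value}, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def packet_protocol(proto_field):
    """AF_PACKET takes its protocol in network byte order, so the logged integer
    is htons(ETH_P_*); swapping the two bytes back recovers the ETH_P_* value."""
    p = int(proto_field) & 0xffff
    return ((p & 0xff) << 8) | (p >> 8)


def suggest_rule(fields):
    """Profile line that would permit a parsed denial, or None if unrecognised.
    An exec denial gets 'ix' as the conservative default; whether a child
    profile (Px/Cx) is warranted is still a human decision."""
    op = fields.get("operation")
    if op == "capable" and "capname" in fields:
        return f'capability {fields["capname"]},'
    if "family" in fields and "sock_type" in fields:
        return f'network {fields["family"]} {fields["sock_type"]},'
    if "name" in fields and "requested_mask" in fields:
        mask = fields["requested_mask"]
        perms = "".join(c for c in mask if c in "rwalkm")
        if "x" in mask:
            perms += "ix"
        return f'{fields["name"]} {perms},'
    return None


def suggest_all(lines=AUDIT_LINES):
    """Candidate rules for a batch of audit lines, in input order."""
    return [suggest_rule(parse_audit(line)) for line in lines]


def exec_class(perms):
    """Classify the exec part of a file rule's permission string, or None."""
    if "x" not in perms:
        return None
    if "U" in perms or "u" in perms:
        # Ux scrubs the environment before exec, ux does not; either way the
        # child runs with no profile at all, so PUx (profile first, unconfined
        # only as fallback) is the gentler form.
        return "unconfined-fallback" if any(c in perms for c in "PpCc") else "unconfined"
    if any(c in perms for c in "PpCc"):
        return "profile-inherit-fallback" if "i" in perms else "profile"
    return "inherit"


def lint_exec_modes(profile_text):
    """[(path, perms, class)] for every allow rule that grants exec; the
    'unconfined*' entries are the ones a reviewer should question."""
    found = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if not m or "deny" in m.group("qual"):
            continue
        cls = exec_class(m.group("perms"))
        if cls:
            found.append((m.group("path"), m.group("perms"), cls))
    return found


if __name__ == "__main__":
    for line in AUDIT_LINES:
        fields = parse_audit(line)
        note = ""
        if fields.get("family") == "packet":
            eth = packet_protocol(fields["protocol"])
            note = f"   # protocol={fields['protocol']} is htons(0x{eth:04x})"
            note += " = ETH_P_ALL" if eth == ETH_P_ALL else ""
        print(f"{suggest_rule(fields)}{note}")
    for path, perms, cls in lint_exec_modes(PROFILE_FRAGMENT):
        print(f"{cls:26s} {perms:5s} {path}")
```

Run stand-alone it prints the three candidate rules (the first two are exactly the lines patches 1 and 3 add) and then the exec-mode table, in which the two `Ux` entries are the ones the reviewer asked about; the `audit deny` line is skipped because denies never grant exec. The byte swap in `packet_protocol` is done by hand rather than with `socket.ntohs` so the result does not depend on the host's endianness.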
participants (2): Cedric Bosdonnat, Mike Latimer