3:53 a.m.
Over the years there have been a bunch of changes to the
apparmor profiles and/or virt-aa-helper which have been
carried in Debian/Ubuntu but never made it upstream.
In an attempt to clean this up and generally improve the
apparmor based environments, we (Christian and I) went
over the changes, cleaned out cruft as much as possible
and would be sending out hunks of changes to this list
for upstream inclusion.
I hope doing multiple but smaller rounds of submissions
will make it simpler to get those reviewed and hopefully
accepted.
For the second version I added acks, merged the patches
related to explicit device denials and local apparmor
profiles, and split the 9p support one (holding back the
part allowing link access for later or to be replaced by
a safer solution).
I also tried to improve the explanation in the description
of patch #1 (virt-aa-helper: Ask for no deny rule for readonly
disk elements).
Thanks,
Stefan
3:53 a.m.
New subject: [libvirt] [PATCH 1/8] virt-aa-helper: Ask for no deny rule for readonly disk elements
From: Serge Hallyn <serge.hallyn(a)ubuntu.com>
Just because a disk element only requests read access doesn't mean
there may not be another readwrite request.
Using 'R' when creating the apparmor rule will prevent an implicit
write-deny rule to be created alongside. This does not mean write
is allowed but it would cause a denial message and probably more
relevant, allows to add write access later.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554031
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
---
src/security/virt-aa-helper.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 5f5d1cd..d976a00 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -888,11 +888,11 @@ add_file_path(virDomainDiskDefPtr disk,
if (depth == 0) {
if (disk->src->readonly)
- ret = vah_add_file(buf, path, "r");
+ ret = vah_add_file(buf, path, "R");
else
ret = vah_add_file(buf, path, "rw");
} else {
- ret = vah_add_file(buf, path, "r");
+ ret = vah_add_file(buf, path, "R");
}
if (ret != 0)
--
2.7.4
3:53 a.m.
New subject: [libvirt] [PATCH 2/8] apparmor, virt-aa-helper: allow /usr/share/OVMF/ too
From: Simon McVittie <smcv(a)debian.org>
The split firmware and variables files introduced by
https://bugs.debian.org/764918 are in a different directory for some reason.
Let the virtual machine read both.
Extended by Christian Ehrhardt to generalize FW test (simplifies
additional testing on firmware files in future).
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
Acked-by: Guido Günther <agx(a)sigxcpu.org>
---
examples/apparmor/libvirt-qemu | 1 +
src/security/virt-aa-helper.c | 1 +
tests/virt-aa-helper-test | 24 ++++++++++++++++--------
3 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index a9020aa..e0988bb 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -70,6 +70,7 @@
/usr/share/vgabios/** r,
/usr/share/seabios/** r,
/usr/share/ovmf/** r,
+ /usr/share/OVMF/** r,
# access PKI infrastructure
/etc/pki/libvirt-vnc/** r,
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index d976a00..dd166c2 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -512,6 +512,7 @@ valid_path(const char *path, const bool readonly)
"/vmlinuz",
"/initrd",
"/initrd.img",
+ "/usr/share/OVMF/", /* for OVMF images */
"/usr/share/ovmf/" /* for OVMF images */
};
/* override the above with these */
diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test
index 68e9399..73f3080 100755
--- a/tests/virt-aa-helper-test
+++ b/tests/virt-aa-helper-test
@@ -145,6 +145,20 @@ testme() {
fi
}
+testfw() {
+ title="$1"
+ fwpath="$2"
+
+ if [ -f "$fwpath" ]; then
+ sed -e "s,###UUID###,$uuid,g" \
+ -e "s,###DISK###,$disk1,g" \
+ -e "s,</os>,<loader readonly='yes'
type='pflash'>$fwpath</loader></os>,g"
"$template_xml" > "$test_xml"
+ testme "0" "$title" "-r -u $valid_uuid"
"$test_xml"
+ else
+ echo "Skipping FW $title test. Could not find $fwpath"
+ fi
+}
+
# Expected failures
echo "Expected failures:" >$output
testme "1" "invalid arg" "-z"
@@ -291,14 +305,8 @@ sed -e "s,###UUID###,$uuid,g" -e
"s,###DISK###,$disk1,g" -e "s,</os>,<kernel>$tm
touch "$tmpdir/kernel"
testme "0" "kernel" "-r -u $valid_uuid"
"$test_xml"
-if [ -f /usr/share/ovmf/OVMF.fd ]; then
- sed -e "s,###UUID###,$uuid,g" \
- -e "s,###DISK###,$disk1,g" \
- -e "s,</os>,<loader readonly='yes'
type='pflash'>/usr/share/ovmf/OVMF.fd</loader></os>,g"
"$template_xml" > "$test_xml"
- testme "0" "ovmf" "-r -u $valid_uuid"
"$test_xml"
-else
- echo "Skipping OVMF test. Could not find /usr/share/ovmf/OVMF.fd"
-fi
+testfw "ovmf (old path)" "/usr/share/ovmf/OVMF.fd"
+testfw "OVMF (new path)" "/usr/share/OVMF/OVMF_CODE.fd"
sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e
"s,</os>,<initrd>$tmpdir/initrd</initrd></os>,g"
"$template_xml" > "$test_xml"
touch "$tmpdir/initrd"
--
2.7.4
2:46 a.m.
New subject: [libvirt] [PATCH 2/8] apparmor, virt-aa-helper: allow /usr/share/OVMF/ too
Hi Stefan,
On Thu, May 18, 2017 at 10:53:40AM +0200, Stefan Bader wrote:
From: Simon McVittie <smcv(a)debian.org>
The split firmware and variables files introduced by
https://bugs.debian.org/764918 are in a different directory for some reason.
Let the virtual machine read both.
Extended by Christian Ehrhardt to generalize FW test (simplifies
additional testing on firmware files in future).
If you want to credit this separately I suggest to split the ode that
itroduces testfw into one commit (attributed to Christian) and the code
that adds read access to OVMF into another one (attributed to Simon).
Cheers,
-- Guido
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
Acked-by: Guido Günther <agx(a)sigxcpu.org>
---
examples/apparmor/libvirt-qemu | 1 +
src/security/virt-aa-helper.c | 1 +
tests/virt-aa-helper-test | 24 ++++++++++++++++--------
3 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index a9020aa..e0988bb 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -70,6 +70,7 @@
/usr/share/vgabios/** r,
/usr/share/seabios/** r,
/usr/share/ovmf/** r,
+ /usr/share/OVMF/** r,
# access PKI infrastructure
/etc/pki/libvirt-vnc/** r,
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index d976a00..dd166c2 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -512,6 +512,7 @@ valid_path(const char *path, const bool readonly)
"/vmlinuz",
"/initrd",
"/initrd.img",
+ "/usr/share/OVMF/", /* for OVMF images */
"/usr/share/ovmf/" /* for OVMF images */
};
/* override the above with these */
diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test
index 68e9399..73f3080 100755
--- a/tests/virt-aa-helper-test
+++ b/tests/virt-aa-helper-test
@@ -145,6 +145,20 @@ testme() {
fi
}
+testfw() {
+ title="$1"
+ fwpath="$2"
+
+ if [ -f "$fwpath" ]; then
+ sed -e "s,###UUID###,$uuid,g" \
+ -e "s,###DISK###,$disk1,g" \
+ -e "s,</os>,<loader readonly='yes'
type='pflash'>$fwpath</loader></os>,g"
"$template_xml" > "$test_xml"
+ testme "0" "$title" "-r -u $valid_uuid"
"$test_xml"
+ else
+ echo "Skipping FW $title test. Could not find $fwpath"
+ fi
+}
+
# Expected failures
echo "Expected failures:" >$output
testme "1" "invalid arg" "-z"
@@ -291,14 +305,8 @@ sed -e "s,###UUID###,$uuid,g" -e
"s,###DISK###,$disk1,g" -e "s,</os>,<kernel>$tm
touch "$tmpdir/kernel"
testme "0" "kernel" "-r -u $valid_uuid"
"$test_xml"
-if [ -f /usr/share/ovmf/OVMF.fd ]; then
- sed -e "s,###UUID###,$uuid,g" \
- -e "s,###DISK###,$disk1,g" \
- -e "s,</os>,<loader readonly='yes'
type='pflash'>/usr/share/ovmf/OVMF.fd</loader></os>,g"
"$template_xml" > "$test_xml"
- testme "0" "ovmf" "-r -u $valid_uuid"
"$test_xml"
-else
- echo "Skipping OVMF test. Could not find /usr/share/ovmf/OVMF.fd"
-fi
+testfw "ovmf (old path)" "/usr/share/ovmf/OVMF.fd"
+testfw "OVMF (new path)" "/usr/share/OVMF/OVMF_CODE.fd"
sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e
"s,</os>,<initrd>$tmpdir/initrd</initrd></os>,g"
"$template_xml" > "$test_xml"
touch "$tmpdir/initrd"
--
2.7.4
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
7:48 a.m.
New subject: [libvirt] [PATCH 2/8] apparmor, virt-aa-helper: allow /usr/share/OVMF/ too
On 19.05.2017 09:46, Guido Günther wrote:
Hi Stefan,
On Thu, May 18, 2017 at 10:53:40AM +0200, Stefan Bader wrote:
> From: Simon McVittie <smcv(a)debian.org>
>
> The split firmware and variables files introduced by
> https://bugs.debian.org/764918 are in a different directory for some reason.
> Let the virtual machine read both.
>
> Extended by Christian Ehrhardt to generalize FW test (simplifies
> additional testing on firmware files in future).
If you want to credit this separately I suggest to split the ode that
itroduces testfw into one commit (attributed to Christian) and the code
that adds read access to OVMF into another one (attributed to Simon).
Though Simon already added some testing (just limited to the one addition made
then). I guess I could re-submit Simon's patch as it was and create one
additionally which only changes the testing (for future use). Which then the
next (3/8) uses.
Cheers,
-- Guido
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
> Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
> Acked-by: Guido Günther <agx(a)sigxcpu.org>
> ---
> examples/apparmor/libvirt-qemu | 1 +
> src/security/virt-aa-helper.c | 1 +
> tests/virt-aa-helper-test | 24 ++++++++++++++++--------
> 3 files changed, 18 insertions(+), 8 deletions(-)
>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index a9020aa..e0988bb 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -70,6 +70,7 @@
> /usr/share/vgabios/** r,
> /usr/share/seabios/** r,
> /usr/share/ovmf/** r,
> + /usr/share/OVMF/** r,
>
> # access PKI infrastructure
> /etc/pki/libvirt-vnc/** r,
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index d976a00..dd166c2 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -512,6 +512,7 @@ valid_path(const char *path, const bool readonly)
> "/vmlinuz",
> "/initrd",
> "/initrd.img",
> + "/usr/share/OVMF/", /* for OVMF images */
> "/usr/share/ovmf/" /* for OVMF images */
> };
> /* override the above with these */
> diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test
> index 68e9399..73f3080 100755
> --- a/tests/virt-aa-helper-test
> +++ b/tests/virt-aa-helper-test
> @@ -145,6 +145,20 @@ testme() {
> fi
> }
>
> +testfw() {
> + title="$1"
> + fwpath="$2"
> +
> + if [ -f "$fwpath" ]; then
> + sed -e "s,###UUID###,$uuid,g" \
> + -e "s,###DISK###,$disk1,g" \
> + -e "s,</os>,<loader readonly='yes'
type='pflash'>$fwpath</loader></os>,g"
"$template_xml" > "$test_xml"
> + testme "0" "$title" "-r -u $valid_uuid"
"$test_xml"
> + else
> + echo "Skipping FW $title test. Could not find $fwpath"
> + fi
> +}
> +
> # Expected failures
> echo "Expected failures:" >$output
> testme "1" "invalid arg" "-z"
> @@ -291,14 +305,8 @@ sed -e "s,###UUID###,$uuid,g" -e
"s,###DISK###,$disk1,g" -e "s,</os>,<kernel>$tm
> touch "$tmpdir/kernel"
> testme "0" "kernel" "-r -u $valid_uuid"
"$test_xml"
>
> -if [ -f /usr/share/ovmf/OVMF.fd ]; then
> - sed -e "s,###UUID###,$uuid,g" \
> - -e "s,###DISK###,$disk1,g" \
> - -e "s,</os>,<loader readonly='yes'
type='pflash'>/usr/share/ovmf/OVMF.fd</loader></os>,g"
"$template_xml" > "$test_xml"
> - testme "0" "ovmf" "-r -u $valid_uuid"
"$test_xml"
> -else
> - echo "Skipping OVMF test. Could not find /usr/share/ovmf/OVMF.fd"
> -fi
> +testfw "ovmf (old path)" "/usr/share/ovmf/OVMF.fd"
> +testfw "OVMF (new path)" "/usr/share/OVMF/OVMF_CODE.fd"
>
> sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e
"s,</os>,<initrd>$tmpdir/initrd</initrd></os>,g"
"$template_xml" > "$test_xml"
> touch "$tmpdir/initrd"
> --
> 2.7.4
>
> --
> libvir-list mailing list
> libvir-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
3:53 a.m.
New subject: [libvirt] [PATCH 3/8] apparmor, virt-aa-helper: Allow aarch64 UEFI.
From: William Grant <wgrant(a)ubuntu.com>
Allow access to aarch64 UEFI images.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
Acked-by: Guido Günther <agx(a)sigxcpu.org>
---
examples/apparmor/libvirt-qemu | 2 ++
src/security/virt-aa-helper.c | 4 +++-
tests/virt-aa-helper-test | 2 ++
3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index e0988bb..89466c9 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -71,6 +71,8 @@
/usr/share/seabios/** r,
/usr/share/ovmf/** r,
/usr/share/OVMF/** r,
+ /usr/share/AAVMF/** r,
+ /usr/share/qemu-efi/** r,
# access PKI infrastructure
/etc/pki/libvirt-vnc/** r,
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index dd166c2..a2d5c21 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -513,7 +513,9 @@ valid_path(const char *path, const bool readonly)
"/initrd",
"/initrd.img",
"/usr/share/OVMF/", /* for OVMF images */
- "/usr/share/ovmf/" /* for OVMF images */
+ "/usr/share/ovmf/", /* for OVMF images */
+ "/usr/share/AAVMF/", /* for AAVMF images */
+ "/usr/share/qemu-efi/" /* for AAVMF images */
};
/* override the above with these */
const char * const override[] = {
diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test
index 73f3080..51072f6 100755
--- a/tests/virt-aa-helper-test
+++ b/tests/virt-aa-helper-test
@@ -307,6 +307,8 @@ testme "0" "kernel" "-r -u $valid_uuid"
"$test_xml"
testfw "ovmf (old path)" "/usr/share/ovmf/OVMF.fd"
testfw "OVMF (new path)" "/usr/share/OVMF/OVMF_CODE.fd"
+testfw "AAVMF" "/usr/share/AAVMF/AAVMF_CODE.fd"
+testfw "qemu-efi" "/usr/share/qemu-efi/QEMU_EFI.fd"
sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e
"s,</os>,<initrd>$tmpdir/initrd</initrd></os>,g"
"$template_xml" > "$test_xml"
touch "$tmpdir/initrd"
--
2.7.4
3:53 a.m.
New subject: [libvirt] [PATCH 4/8] apparmor, virt-aa-helper: Allow access to libnl-3 config files
From: Felix Geyer <fgeyer(a)debian.org>
Allow access to libnl-3 config files
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
Acked-by: Guido Günther <agx(a)sigxcpu.org>
---
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 2 ++
1 file changed, 2 insertions(+)
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index 4a8f197..ee53c2c 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -16,6 +16,8 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
owner @{PROC}/[0-9]*/status r,
@{PROC}/filesystems r,
+ /etc/libnl-3/classid r,
+
# for hostdev
/sys/devices/ r,
/sys/devices/** r,
--
2.7.4
2:50 a.m.
New subject: [libvirt] [PATCH 4/8] apparmor, virt-aa-helper: Allow access to libnl-3 config files
On Thu, May 18, 2017 at 10:53:42AM +0200, Stefan Bader wrote:
From: Felix Geyer <fgeyer(a)debian.org>
Allow access to libnl-3 config files
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
Acked-by: Guido Günther <agx(a)sigxcpu.org>
---
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 2 ++
1 file changed, 2 insertions(+)
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index 4a8f197..ee53c2c 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -16,6 +16,8 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
owner @{PROC}/[0-9]*/status r,
@{PROC}/filesystems r,
+ /etc/libnl-3/classid r,
+
# for hostdev
/sys/devices/ r,
/sys/devices/** r,
--
Pushed. Thanks!
-- Guido
3:53 a.m.
New subject: [libvirt] [PATCH 5/8] apparmor, virt-aa-helper: Explicit denies for host devices
From: Felix Geyer <fgeyer(a)debian.org>
Add explicit denies for disk devices to avoid cluttering dmesg with
(acceptable) denials (merged with a second patch which added more
disk device names).
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
Acked-by: Guido Günther <agx(a)sigxcpu.org>
---
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index ee53c2c..012080c 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -21,6 +21,15 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
# for hostdev
/sys/devices/ r,
/sys/devices/** r,
+ deny /dev/sd* r,
+ deny /dev/vd* r,
+ deny /dev/dm-* r,
+ deny /dev/drbd[0-9]* r,
+ deny /dev/dasd* r,
+ deny /dev/nvme* r,
+ deny /dev/zd[0-9]* r,
+ deny /dev/mapper/ r,
+ deny /dev/mapper/* r,
/usr/{lib,lib64}/libvirt/virt-aa-helper mr,
/{usr/,}sbin/apparmor_parser Ux,
--
2.7.4
2:50 a.m.
New subject: [libvirt] [PATCH 5/8] apparmor, virt-aa-helper: Explicit denies for host devices
On Thu, May 18, 2017 at 10:53:43AM +0200, Stefan Bader wrote:
From: Felix Geyer <fgeyer(a)debian.org>
Add explicit denies for disk devices to avoid cluttering dmesg with
(acceptable) denials (merged with a second patch which added more
disk device names).
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
Acked-by: Guido Günther <agx(a)sigxcpu.org>
---
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index ee53c2c..012080c 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -21,6 +21,15 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
# for hostdev
/sys/devices/ r,
/sys/devices/** r,
+ deny /dev/sd* r,
+ deny /dev/vd* r,
+ deny /dev/dm-* r,
+ deny /dev/drbd[0-9]* r,
+ deny /dev/dasd* r,
+ deny /dev/nvme* r,
+ deny /dev/zd[0-9]* r,
+ deny /dev/mapper/ r,
+ deny /dev/mapper/* r,
/usr/{lib,lib64}/libvirt/virt-aa-helper mr,
/{usr/,}sbin/apparmor_parser Ux,
Pushed. Thanks!
-- Guido
--
2.7.4
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
3:53 a.m.
New subject: [libvirt] [PATCH 6/8] apparmor: include local apparmor profiles
From: Felix Geyer <fgeyer(a)debian.org>
Local overrides is a feature Debian/Ubuntu libvirt provided for a while.
This allows the user to have a non-conffile that he can use to extend the
package delivered rules with extra content matching his special case.
This change adds the include directives to the apparmor profiles
for virt-aa-helper and libvirtd.
Additionally extended the build environment to carry template local
profiles and install them into the correct places. Without that the
include directives would prevent the profile from loading.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
Acked-by: Jamie Strandboge <jamie(a)canonical.com>
---
examples/Makefile.am | 14 ++++++++++++++
examples/apparmor/local-usr.lib.libvirt.virt-aa-helper | 2 ++
examples/apparmor/local-usr.sbin.libvirtd | 2 ++
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 3 +++
examples/apparmor/usr.sbin.libvirtd | 3 +++
5 files changed, 24 insertions(+)
create mode 100644 examples/apparmor/local-usr.lib.libvirt.virt-aa-helper
create mode 100644 examples/apparmor/local-usr.sbin.libvirtd
diff --git a/examples/Makefile.am b/examples/Makefile.am
index 2956e14..16c7bf6 100644
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
@@ -25,6 +25,8 @@ EXTRA_DIST = \
apparmor/libvirt-lxc \
apparmor/usr.lib.libvirt.virt-aa-helper \
apparmor/usr.sbin.libvirtd \
+ apparmor/local-usr.sbin.libvirtd \
+ apparmor/local-usr.lib.libvirt.virt-aa-helper \
lxcconvert/virt-lxc-convert \
polkit/libvirt-acl.rules \
$(wildcard $(srcdir)/systemtap/*.stp) \
@@ -74,6 +76,18 @@ apparmor_DATA = \
apparmor/usr.sbin.libvirtd \
$(NULL)
+localdir = $(apparmordir)/local
+local_DATA = \
+ apparmor/local-usr.sbin.libvirtd \
+ apparmor/local-usr.lib.libvirt.virt-aa-helper \
+ $(NULL)
+
+install-data-hook:
+ mv $(DESTDIR)$(localdir)/local-usr.sbin.libvirtd \
+ $(DESTDIR)$(localdir)/usr.sbin.libvirtd
+ mv $(DESTDIR)$(localdir)/local-usr.lib.libvirt.virt-aa-helper \
+ $(DESTDIR)$(localdir)/usr.lib.libvirt.virt-aa-helper
+
abstractionsdir = $(apparmordir)/abstractions
abstractions_DATA = \
apparmor/libvirt-qemu \
diff --git a/examples/apparmor/local-usr.lib.libvirt.virt-aa-helper
b/examples/apparmor/local-usr.lib.libvirt.virt-aa-helper
new file mode 100644
index 0000000..82c9c39
--- /dev/null
+++ b/examples/apparmor/local-usr.lib.libvirt.virt-aa-helper
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.lib.libvirt.virt-aa-helper.
+# For more details, please see /etc/apparmor.d/local/README.
diff --git a/examples/apparmor/local-usr.sbin.libvirtd
b/examples/apparmor/local-usr.sbin.libvirtd
new file mode 100644
index 0000000..6e19f20
--- /dev/null
+++ b/examples/apparmor/local-usr.sbin.libvirtd
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.sbin.libvirtd.
+# For more details, please see /etc/apparmor.d/local/README.
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index 012080c..93ba74e 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -56,4 +56,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
/**.vmdk r,
/**.[iI][sS][oO] r,
/**/disk{,.*} r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.libvirt.virt-aa-helper>
}
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 353b039..c37d5ee 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -85,4 +85,7 @@
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
}
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.libvirtd>
}
--
2.7.4
3:53 a.m.
New subject: [libvirt] [PATCH 7/8] appmor, libvirt-qemu: Add 9p support
From: Serge Hallyn <serge.hallyn(a)ubuntu.com>
Add fowner and fsetid to libvirt-qemu profile.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1378434
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
---
examples/apparmor/libvirt-qemu | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 89466c9..f04ce04 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -13,6 +13,10 @@
capability setgid,
capability setuid,
+ # for 9p
+ capability fsetid,
+ capability fowner,
+
network inet stream,
network inet6 stream,
--
2.7.4
11:21 a.m.
New subject: [libvirt] [PATCH 7/8] appmor, libvirt-qemu: Add 9p support
Mind you I'm not crazy about this. If this could be toggled with a
default-off config option that would seem better than always giving
these caps to libvirt-qemu.
Quoting Stefan Bader (stefan.bader(a)canonical.com):
From: Serge Hallyn <serge.hallyn(a)ubuntu.com>
Add fowner and fsetid to libvirt-qemu profile.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1378434
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
---
examples/apparmor/libvirt-qemu | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 89466c9..f04ce04 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -13,6 +13,10 @@
capability setgid,
capability setuid,
+ # for 9p
+ capability fsetid,
+ capability fowner,
+
network inet stream,
network inet6 stream,
--
2.7.4
2:37 p.m.
New subject: [libvirt] [PATCH 7/8] appmor, libvirt-qemu: Add 9p support
On Thu, May 18, 2017 at 11:21:54AM -0500, Serge E. Hallyn wrote:
Mind you I'm not crazy about this. If this could be toggled with
a
default-off config option that would seem better than always giving
these caps to libvirt-qemu.
virt-aa-helper could add these if it detects a 9pfs file system. That
would be better than always adding it.
Cheers,
-- Guido
Quoting Stefan Bader (stefan.bader(a)canonical.com):
> From: Serge Hallyn <serge.hallyn(a)ubuntu.com>
>
> Add fowner and fsetid to libvirt-qemu profile.
>
> Bug-Ubuntu: https://bugs.launchpad.net/bugs/1378434
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
> Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
> ---
> examples/apparmor/libvirt-qemu | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index 89466c9..f04ce04 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -13,6 +13,10 @@
> capability setgid,
> capability setuid,
>
> + # for 9p
> + capability fsetid,
> + capability fowner,
> +
> network inet stream,
> network inet6 stream,
>
> --
> 2.7.4
2:40 p.m.
New subject: [libvirt] [PATCH 7/8] appmor, libvirt-qemu: Add 9p support
Quoting Guido Günther (agx(a)sigxcpu.org):
On Thu, May 18, 2017 at 11:21:54AM -0500, Serge E. Hallyn wrote:
> Mind you I'm not crazy about this. If this could be toggled with a
> default-off config option that would seem better than always giving
> these caps to libvirt-qemu.
virt-aa-helper could add these if it detects a 9pfs file system. That
would be better than always adding it.
Agreed
Cheers,
-- Guido
>
> Quoting Stefan Bader (stefan.bader(a)canonical.com):
> > From: Serge Hallyn <serge.hallyn(a)ubuntu.com>
> >
> > Add fowner and fsetid to libvirt-qemu profile.
> >
> > Bug-Ubuntu: https://bugs.launchpad.net/bugs/1378434
> >
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
> > Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
> > ---
> > examples/apparmor/libvirt-qemu | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> > index 89466c9..f04ce04 100644
> > --- a/examples/apparmor/libvirt-qemu
> > +++ b/examples/apparmor/libvirt-qemu
> > @@ -13,6 +13,10 @@
> > capability setgid,
> > capability setuid,
> >
> > + # for 9p
> > + capability fsetid,
> > + capability fowner,
> > +
> > network inet stream,
> > network inet6 stream,
> >
> > --
> > 2.7.4
>
1:56 a.m.
New subject: [libvirt] [PATCH 7/8] appmor, libvirt-qemu: Add 9p support
On 18.05.2017 21:40, Serge E. Hallyn wrote:
Quoting Guido Günther (agx(a)sigxcpu.org):
> On Thu, May 18, 2017 at 11:21:54AM -0500, Serge E. Hallyn wrote:
>> Mind you I'm not crazy about this. If this could be toggled with a
>> default-off config option that would seem better than always giving
>> these caps to libvirt-qemu.
>
> virt-aa-helper could add these if it detects a 9pfs file system. That
> would be better than always adding it.
Agreed
Ok, so at least for now, actually all 9p related changes should not be
considered. Does the rest look ok (in particular 1/8 with the additional
explanation)?
-Stefan
> Cheers,
> -- Guido
>
>>
>> Quoting Stefan Bader (stefan.bader(a)canonical.com):
>>> From: Serge Hallyn <serge.hallyn(a)ubuntu.com>
>>>
>>> Add fowner and fsetid to libvirt-qemu profile.
>>>
>>> Bug-Ubuntu: https://bugs.launchpad.net/bugs/1378434
>>>
>>> Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
>>> Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
>>> ---
>>> examples/apparmor/libvirt-qemu | 4 ++++
>>> 1 file changed, 4 insertions(+)
>>>
>>> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
>>> index 89466c9..f04ce04 100644
>>> --- a/examples/apparmor/libvirt-qemu
>>> +++ b/examples/apparmor/libvirt-qemu
>>> @@ -13,6 +13,10 @@
>>> capability setgid,
>>> capability setuid,
>>>
>>> + # for 9p
>>> + capability fsetid,
>>> + capability fowner,
>>> +
>>> network inet stream,
>>> network inet6 stream,
>>>
>>> --
>>> 2.7.4
>>
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
3:53 a.m.
New subject: [libvirt] [PATCH 8/8] apparmor, libvirt-qemu: Add ppc64el related changes
From: Serge Hallyn <serge.hallyn(a)ubuntu.com>
Updates profile to allow running on ppc64el.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1374554
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
---
examples/apparmor/libvirt-qemu | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index f04ce04..2791dfc 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -77,6 +77,7 @@
/usr/share/OVMF/** r,
/usr/share/AAVMF/** r,
/usr/share/qemu-efi/** r,
+ /usr/share/slof/** r,
# access PKI infrastructure
/etc/pki/libvirt-vnc/** r,
@@ -102,6 +103,7 @@
/usr/bin/qemu-system-or32 rmix,
/usr/bin/qemu-system-ppc rmix,
/usr/bin/qemu-system-ppc64 rmix,
+ /usr/bin/qemu-system-ppc64le rmix,
/usr/bin/qemu-system-ppcemb rmix,
/usr/bin/qemu-system-s390x rmix,
/usr/bin/qemu-system-sh4 rmix,
@@ -158,3 +160,8 @@
/etc/udev/udev.conf r,
/sys/bus/ r,
/sys/class/ r,
+
+ # for ppc device-tree access
+ @{PROC}/device-tree/ r,
+ @{PROC}/device-tree/** r,
+ /sys/firmware/devicetree/** r,
--
2.7.4
2:55 a.m.
New subject: [libvirt] [PATCH 8/8] apparmor, libvirt-qemu: Add ppc64el related changes
On Thu, May 18, 2017 at 10:53:46AM +0200, Stefan Bader wrote:
From: Serge Hallyn <serge.hallyn(a)ubuntu.com>
Updates profile to allow running on ppc64el.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1374554
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
---
examples/apparmor/libvirt-qemu | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index f04ce04..2791dfc 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -77,6 +77,7 @@
/usr/share/OVMF/** r,
/usr/share/AAVMF/** r,
/usr/share/qemu-efi/** r,
+ /usr/share/slof/** r,
# access PKI infrastructure
/etc/pki/libvirt-vnc/** r,
@@ -102,6 +103,7 @@
/usr/bin/qemu-system-or32 rmix,
/usr/bin/qemu-system-ppc rmix,
/usr/bin/qemu-system-ppc64 rmix,
+ /usr/bin/qemu-system-ppc64le rmix,
/usr/bin/qemu-system-ppcemb rmix,
/usr/bin/qemu-system-s390x rmix,
/usr/bin/qemu-system-sh4 rmix,
@@ -158,3 +160,8 @@
/etc/udev/udev.conf r,
/sys/bus/ r,
/sys/class/ r,
+
+ # for ppc device-tree access
+ @{PROC}/device-tree/ r,
+ @{PROC}/device-tree/** r,
+ /sys/firmware/devicetree/** r,
--
2.7.4
LGTM but I don't know much about PPC64, it's SLOF and where the device
tree should be located.
Cheers,
-- Guido
4:03 a.m.
New subject: [libvirt] [PATCH 8/8] apparmor, libvirt-qemu: Add ppc64el related changes
On Fri, May 19, 2017 at 9:55 AM, Guido Günther <agx(a)sigxcpu.org> wrote:
LGTM but I don't know much about PPC64, it's SLOF and where
the device
tree should be located.
Hi those paths for SLOF are the default one for Debian/Ubuntu at least.
$ dpkg -L qemu-slof
/.
/usr
/usr/share
/usr/share/doc
/usr/share/doc/qemu-slof
/usr/share/doc/qemu-slof/copyright
/usr/share/doc/qemu-slof/changelog.Debian.gz
/usr/share/slof
/usr/share/slof/spapr-rtas.bin
/usr/share/slof/slof.bin
The other paths are kernel owned and match the current state:
(the proc path is a symlink today, not sure if it was a real path back in
history)
$ ll /proc/device-tree
lrwxrwxrwx 1 root root 29 Mai 19 08:59 /proc/device-tree ->
/sys/firmware/devicetree/base/
$ ll /sys/firmware/devicetree/
total 0
drwxr-xr-x 3 root root 0 Mai 19 08:57 ./
drwxr-xr-x 4 root root 0 Mai 19 08:57 ../
drwxr-xr-x 51 root root 0 Mai 19 08:57 base/
(there is much more under this path, but the rule is ** for a reason)
Hope that helps,
Christian
7:51 a.m.
New subject: [libvirt] [PATCH 8/8] apparmor, libvirt-qemu: Add ppc64el related changes
On 19.05.2017 11:03, Christian Ehrhardt wrote:
On Fri, May 19, 2017 at 9:55 AM, Guido Günther <agx(a)sigxcpu.org
<mailto:agx@sigxcpu.org>> wrote:
LGTM but I don't know much about PPC64, it's SLOF and where the device
tree should be located.
Hi those paths for SLOF are the default one for Debian/Ubuntu at least.
$ dpkg -L qemu-slof
/.
/usr
/usr/share
/usr/share/doc
/usr/share/doc/qemu-slof
/usr/share/doc/qemu-slof/copyright
/usr/share/doc/qemu-slof/changelog.Debian.gz
/usr/share/slof
/usr/share/slof/spapr-rtas.bin
/usr/share/slof/slof.bin
The other paths are kernel owned and match the current state:
(the proc path is a symlink today, not sure if it was a real path back in history)
$ ll /proc/device-tree
lrwxrwxrwx 1 root root 29 Mai 19 08:59 /proc/device-tree ->
/sys/firmware/devicetree/base/
$ ll /sys/firmware/devicetree/
total 0
drwxr-xr-x 3 root root 0 Mai 19 08:57 ./
drwxr-xr-x 4 root root 0 Mai 19 08:57 ../
drwxr-xr-x 51 root root 0 Mai 19 08:57 base/
(there is much more under this path, but the rule is ** for a reason)
Hope that helps,
Was that explanation sufficient?
-Stefan
Christian
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
8:12 a.m.
New subject: [libvirt] [PATCH 8/8] apparmor, libvirt-qemu: Add ppc64el related changes
On Thu, 2017-05-18 at 10:53 +0200, Stefan Bader wrote:
@@ -102,6 +103,7 @@
/usr/bin/qemu-system-or32 rmix,
/usr/bin/qemu-system-ppc rmix,
/usr/bin/qemu-system-ppc64 rmix,
+ /usr/bin/qemu-system-ppc64le rmix,
Why does Ubuntu have qemu-system-ppc64le at all?
qemu-system-ppc64 can run both ppc64 and ppc64le guests just
fine, it's emulating the same hardware and the endianness is
decided at runtime AFAIK.
Upstream QEMU doesn't seem to know anything about this:
$ ./configure --target-list=ppc64le-softmmu
ERROR: Unknown target name 'ppc64le-softmmu'
and it's not in the Debian package, so it must have been
added specifically for Ubuntu.
--
Andrea Bolognani / Red Hat / Virtualization
11:07 a.m.
New subject: [libvirt] [PATCH 8/8] apparmor, libvirt-qemu: Add ppc64el related changes
On 22.05.2017 15:12, Andrea Bolognani wrote:
On Thu, 2017-05-18 at 10:53 +0200, Stefan Bader wrote:
> @@ -102,6 +103,7 @@
> /usr/bin/qemu-system-or32 rmix,
> /usr/bin/qemu-system-ppc rmix,
> /usr/bin/qemu-system-ppc64 rmix,
> + /usr/bin/qemu-system-ppc64le rmix,
Why does Ubuntu have qemu-system-ppc64le at all?
Hm, apparently it is not really there. It is a soft-link to qemu-system-ppc64.
So that hunk really makes no sense because apparmor is following the link before
checking permissions.
I will refresh that one to drop the ppc64le path.
-Stefan
qemu-system-ppc64 can run both ppc64 and ppc64le guests just
fine, it's emulating the same hardware and the endianness is
decided at runtime AFAIK.
Upstream QEMU doesn't seem to know anything about this:
$ ./configure --target-list=ppc64le-softmmu
ERROR: Unknown target name 'ppc64le-softmmu'
and it's not in the Debian package, so it must have been
added specifically for Ubuntu.
--
Andrea Bolognani / Red Hat / Virtualization
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
11:29 a.m.
Quoting Stefan Bader (stefan.bader(a)canonical.com):
> Over the years there have been a bunch of changes to the
> apparmor profiles and/or virt-aa-helper which have been
> carried in Debian/Ubuntu but never made it upstream.
>
> In an attempt to clean this up and generally improve the
> apparmor based environments, we (Christian and I) went
> over the changes, cleaned out cruft as much as possible
> and would be sending out hunks of changes to this list
> for upstream inclusion.
>
> I hope doing multiple but smaller rounds of submissions
> will make it simpler to get those reviewed and hopefully
> accepted.
For the second version I added acks, merged the patches
related to explicit device denials and local apparmor
profiles, and split the 9p support one (holding back the
part allowing link access for later or to be replaced by
a safer solution).
I also tried to improve the explanation in the description
of patch #1 (virt-aa-helper: Ask for no deny rule for readonly
disk elements).
Thanks,
Stefan
Thanks,
Acked-by: Serge Hallyn <serge(a)hallyn.com>
I don't like the added capabilities in the one patch, but I'm not
nacking it on that account. Still a toggle would be comforting.
Make people who want 9p consciously sign in to the added privs.
2742
days inactive
2746
days old
22 comments
5 participants
participants (5)
-
Andrea Bolognani -
Christian Ehrhardt -
Guido Günther -
Serge E. Hallyn -
Stefan Bader