[PATCH V2 0/3] apparmor: Add support for local profile customizations

This is a stab at a V2 of
https://listman.redhat.com/archives/libvir-list/2023-June/240219.html

That patch was ACKed and committed, but reverted before the 9.5.0 release since it could be problematic with older apparmor 2.x versions still supported by libvirt. Andrea suggested copies of the profiles for apparmor 2.x and 3.x. This series takes that approach, with patch 1 making an identical copy of the src/security/apparmor directory. Patches 2 and 3 then adjust the profiles accordingly. My approach to copying the existing directory does introduce some duplicate files in the tree, but otherwise it's minimally disruptive and will be easy to rip out when upstream libvirt no longer needs to support apparmor 2.x.

FYI, so far I've only tested with apparmor 3.x, but I did push the changes to my fork with CI enabled:
https://gitlab.com/jfehlig/libvirt/-/pipelines/915347878

Thanks for comments/suggestions!

Jim Fehlig (3):
  apparmor: Create version specific apparmor profiles
  apparmor: Remove support for passt from apparmor 2.x
  apparmor: Add support for local profile customizations

 meson.build                                        |   6 +-
 src/security/apparmor-2/TEMPLATE.lxc               |  15 +
 src/security/apparmor-2/TEMPLATE.qemu              |   9 +
 src/security/apparmor-2/libvirt-lxc                | 118 ++++++++
 src/security/apparmor-2/libvirt-qemu               | 256 ++++++++++++++++++
 src/security/apparmor-2/meson.build                |  41 +++
 .../usr.lib.libvirt.virt-aa-helper.in              |  75 +++++
 .../usr.lib.libvirt.virt-aa-helper.local           |   1 +
 src/security/apparmor-2/usr.sbin.libvirtd.in       | 142 ++++++++++
 src/security/apparmor-2/usr.sbin.virtqemud.in      | 135 +++++++++
 src/security/apparmor-2/usr.sbin.virtxend.in       |  55 ++++
 src/security/apparmor/libvirt-lxc                  |   3 +
 src/security/apparmor/libvirt-qemu                 |   3 +
 src/security/apparmor/usr.sbin.libvirtd.in         |   5 +-
 src/security/apparmor/usr.sbin.virtqemud.in        |   3 +
 src/security/apparmor/usr.sbin.virtxend.in         |   3 +
 src/security/meson.build                           |   3 +
 17 files changed, 871 insertions(+), 2 deletions(-)
 create mode 100644 src/security/apparmor-2/TEMPLATE.lxc
 create mode 100644 src/security/apparmor-2/TEMPLATE.qemu
 create mode 100644 src/security/apparmor-2/libvirt-lxc
 create mode 100644 src/security/apparmor-2/libvirt-qemu
 create mode 100644 src/security/apparmor-2/meson.build
 create mode 100644 src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.in
 create mode 100644 src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.local
 create mode 100644 src/security/apparmor-2/usr.sbin.libvirtd.in
 create mode 100644 src/security/apparmor-2/usr.sbin.virtqemud.in
 create mode 100644 src/security/apparmor-2/usr.sbin.virtxend.in

-- 
2.41.0
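The cover letter above accepts that copying src/security/apparmor into src/security/apparmor-2 leaves duplicate files that have to be kept in step by hand. The script below is an added example, not code from this series or from libvirt: a POSIX shell drift check that compares two profile trees and tolerates only the differences patch 3 introduces on purpose (blank lines, the "Site-specific additions and overrides" comment and `include if exists` drop-in lines). The trees built by `make_demo_trees` are constructed for the demo and are not the real profiles; the function names and the allow-list regex are this example's own assumptions.

```shell
#!/bin/sh
# aa-tree-drift: report drift between two copies of an AppArmor profile tree.
# Added example, not part of libvirt; the layout mirrors the
# src/security/apparmor vs src/security/apparmor-2 split from the series.
#
# Lines matching ALLOWED_DIFF_RE are the intentional 3.x-only differences
# (blank lines, the drop-in comment, "include if exists" lines). Anything
# else that differs, or exists in only one tree, is reported. Paths with
# whitespace are not supported (profile trees do not contain any).
ALLOWED_DIFF_RE='^[[:space:]]*(#[[:space:]]*Site-specific additions and overrides\.?|include if exists <[^>]*>)?[[:space:]]*$'

# aa_tree_drift DIR_A DIR_B
# Prints "only-in-a: F", "only-in-b: F" or "differs: F" per drifted file and
# returns 1 if anything drifted, 0 if the trees are in sync.
aa_tree_drift() {
    a=$1; b=$2; rc=0
    ta=$(mktemp); tb=$(mktemp)
    for f in $( { (cd "$a" && find . -type f); (cd "$b" && find . -type f); } | sed 's|^\./||' | sort -u ); do
        if [ ! -f "$a/$f" ]; then
            echo "only-in-b: $f"; rc=1; continue
        fi
        if [ ! -f "$b/$f" ]; then
            echo "only-in-a: $f"; rc=1; continue
        fi
        # Strip the permitted differences, then compare what remains.
        # grep exits 1 when nothing is left, which is not an error here.
        grep -Ev "$ALLOWED_DIFF_RE" "$a/$f" > "$ta" || true
        grep -Ev "$ALLOWED_DIFF_RE" "$b/$f" > "$tb" || true
        if ! cmp -s "$ta" "$tb"; then
            echo "differs: $f"; rc=1
        fi
    done
    rm -f "$ta" "$tb"
    return $rc
}

# make_demo_trees ROOT: constructed sample trees for the demo (not libvirt's
# real profiles). apparmor/ carries the 3.x-only drop-in include, which is
# allowed to differ; apparmor-2/TEMPLATE.qemu has an extra rule, which is real
# drift; and usr.sbin.virtqemud.in was never copied into apparmor-2/ at all.
make_demo_trees() {
    root=$1
    mkdir -p "$root/apparmor" "$root/apparmor-2"
    printf '%s\n' '  #include <abstractions/base>' '  /dev/kvm rw,' '' \
        '  # Site-specific additions and overrides.' \
        '  include if exists <abstractions/libvirt-qemu.d>' > "$root/apparmor/libvirt-qemu"
    printf '%s\n' '  #include <abstractions/base>' '  /dev/kvm rw,' > "$root/apparmor-2/libvirt-qemu"
    printf '%s\n' 'profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {' \
        '  #include <abstractions/libvirt-qemu>' '}' > "$root/apparmor/TEMPLATE.qemu"
    printf '%s\n' 'profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {' \
        '  #include <abstractions/libvirt-qemu>' '  /dev/vfio/* rw,' '}' > "$root/apparmor-2/TEMPLATE.qemu"
    : > "$root/apparmor/usr.sbin.virtqemud.in"
}

# Stand-alone demo: sh aa-tree-drift.sh --demo
case "${1:-}" in
--demo)
    root=$(mktemp -d)
    make_demo_trees "$root"
    aa_tree_drift "$root/apparmor" "$root/apparmor-2" || echo "drift detected (exit $?)"
    rm -rf "$root"
    ;;
esac
```

Pointed at the real `src/security/apparmor` and `src/security/apparmor-2` directories from a CI job, a non-zero exit means the 2.x copy has drifted beyond the intended differences. After patch 2 the 2.x copy also intentionally lacks the passt child profile, so a real run would need that block added to the allow-list or the check limited to the other files.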

The tools in apparmor 2.x releases have problems with profile constructs commonly used with modern apparmor >= 3.0.0. Make a copy of the profiles for use with apparmor 2.x. Subsequent commits will modify the copies to be apparmor 2.x compliant. Signed-off-by: Jim Fehlig <jfehlig@suse.com> --- meson.build | 6 +- src/security/apparmor-2/TEMPLATE.lxc | 15 + src/security/apparmor-2/TEMPLATE.qemu | 9 + src/security/apparmor-2/libvirt-lxc | 118 ++++++++ src/security/apparmor-2/libvirt-qemu | 271 ++++++++++++++++++ src/security/apparmor-2/meson.build | 41 +++ .../usr.lib.libvirt.virt-aa-helper.in | 75 +++++ .../usr.lib.libvirt.virt-aa-helper.local | 1 + src/security/apparmor-2/usr.sbin.libvirtd.in | 142 +++++++++ src/security/apparmor-2/usr.sbin.virtqemud.in | 135 +++++++++ src/security/apparmor-2/usr.sbin.virtxend.in | 55 ++++ src/security/meson.build | 3 + 12 files changed, 870 insertions(+), 1 deletion(-) diff --git a/meson.build b/meson.build index aa391e7178..4a1e32eeaf 100644 --- a/meson.build +++ b/meson.build @@ -894,7 +894,11 @@ if not get_option('apparmor_profiles').disabled() endif if apparmor_profiles_enable - conf.set('WITH_APPARMOR_PROFILES', 1) + if apparmor_dep.version().version_compare('>=3.0.0') + conf.set('WITH_APPARMOR_PROFILES', 1) + else + conf.set('WITH_APPARMOR_PROFILES_2', 1) + endif endif endif diff --git a/src/security/apparmor-2/TEMPLATE.lxc b/src/security/apparmor-2/TEMPLATE.lxc new file mode 100644 index 0000000000..f1005dc575 --- /dev/null +++ b/src/security/apparmor-2/TEMPLATE.lxc @@ -0,0 +1,15 @@ +# +# This profile is for the domain whose UUID matches this file. +# + +#include <tunables/global> + +profile LIBVIRT_TEMPLATE flags=(attach_disconnected) { + #include <abstractions/libvirt-lxc> + + # Globally allows everything to run under this profile + # These can be narrowed depending on the container's use. + file, + capability, + network, +} 
diff --git a/src/security/apparmor-2/TEMPLATE.qemu b/src/security/apparmor-2/TEMPLATE.qemu new file mode 100644 index 0000000000..a327315d92 --- /dev/null +++ b/src/security/apparmor-2/TEMPLATE.qemu @@ -0,0 +1,9 @@ +# +# This profile is for the domain whose UUID matches this file. +# + +#include <tunables/global> + +profile LIBVIRT_TEMPLATE flags=(attach_disconnected) { + #include <abstractions/libvirt-qemu> +} diff --git a/src/security/apparmor-2/libvirt-lxc b/src/security/apparmor-2/libvirt-lxc new file mode 100644 index 0000000000..0c8b812743 --- /dev/null +++ b/src/security/apparmor-2/libvirt-lxc 
@@ -0,0 +1,118 @@ + #include <abstractions/base> + + # Allow receiving signals from libvirtd + signal (receive) peer=libvirtd, + signal (receive) peer=/usr/sbin/libvirtd, + + umount, + + # ignore DENIED message on / remount + deny mount options=(ro, remount) -> /, + + # allow tmpfs mounts everywhere + mount fstype=tmpfs, + + # allow mqueue mounts everywhere + mount fstype=mqueue, + + # allow fuse mounts everywhere + mount fstype=fuse.*, + + # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted + mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/, + deny @{PROC}/sys/fs/** wklx, + + # allow efivars to be mounted, writing to it will be blocked though + mount fstype=efivarfs -> /sys/firmware/efi/efivars/, + + # block some other dangerous paths + deny @{PROC}/sysrq-trigger rwklx, + deny @{PROC}/mem rwklx, + deny @{PROC}/kmem rwklx, + + # deny writes in /sys except for /sys/fs/cgroup, also allow + # fusectl, securityfs and debugfs to be mounted there (read-only) + mount fstype=fusectl -> /sys/fs/fuse/connections/, + mount fstype=securityfs -> /sys/kernel/security/, + mount fstype=debugfs -> /sys/kernel/debug/, + mount fstype=proc -> /proc/, + mount fstype=sysfs -> /sys/, + deny /sys/firmware/efi/efivars/** rwklx, + deny /sys/kernel/security/** rwklx, + + # generated by: lxc-generate-aa-rules.py container-rules.base + deny /proc/sys/[^kn]*{,/**} wklx, + deny /proc/sys/k[^e]*{,/**} wklx, + deny /proc/sys/ke[^r]*{,/**} wklx, + deny /proc/sys/ker[^n]*{,/**} wklx, + deny /proc/sys/kern[^e]*{,/**} wklx, + deny /proc/sys/kerne[^l]*{,/**} wklx, + deny /proc/sys/kernel/[^smhd]*{,/**} wklx, + deny /proc/sys/kernel/d[^o]*{,/**} wklx, + deny /proc/sys/kernel/do[^m]*{,/**} wklx, + deny /proc/sys/kernel/dom[^a]*{,/**} wklx, + deny /proc/sys/kernel/doma[^i]*{,/**} wklx, + deny /proc/sys/kernel/domai[^n]*{,/**} wklx, + deny /proc/sys/kernel/domain[^n]*{,/**} wklx, + deny /proc/sys/kernel/domainn[^a]*{,/**} wklx, + deny /proc/sys/kernel/domainna[^m]*{,/**} wklx, + deny 
/proc/sys/kernel/domainnam[^e]*{,/**} wklx, + deny /proc/sys/kernel/domainname?*{,/**} wklx, + deny /proc/sys/kernel/h[^o]*{,/**} wklx, + deny /proc/sys/kernel/ho[^s]*{,/**} wklx, + deny /proc/sys/kernel/hos[^t]*{,/**} wklx, + deny /proc/sys/kernel/host[^n]*{,/**} wklx, + deny /proc/sys/kernel/hostn[^a]*{,/**} wklx, + deny /proc/sys/kernel/hostna[^m]*{,/**} wklx, + deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx, + deny /proc/sys/kernel/hostname?*{,/**} wklx, + deny /proc/sys/kernel/m[^s]*{,/**} wklx, + deny /proc/sys/kernel/ms[^g]*{,/**} wklx, + deny /proc/sys/kernel/msg*/** wklx, + deny /proc/sys/kernel/s[^he]*{,/**} wklx, + deny /proc/sys/kernel/se[^m]*{,/**} wklx, + deny /proc/sys/kernel/sem*/** wklx, + deny /proc/sys/kernel/sh[^m]*{,/**} wklx, + deny /proc/sys/kernel/shm*/** wklx, + deny /proc/sys/kernel?*{,/**} wklx, + deny /proc/sys/n[^e]*{,/**} wklx, + deny /proc/sys/ne[^t]*{,/**} wklx, + deny /proc/sys/net?*{,/**} wklx, + deny /sys/[^fdc]*{,/**} wklx, + deny /sys/c[^l]*{,/**} wklx, + deny /sys/cl[^a]*{,/**} wklx, + deny /sys/cla[^s]*{,/**} wklx, + deny /sys/clas[^s]*{,/**} wklx, + deny /sys/class/[^n]*{,/**} wklx, + deny /sys/class/n[^e]*{,/**} wklx, + deny /sys/class/ne[^t]*{,/**} wklx, + deny /sys/class/net?*{,/**} wklx, + deny /sys/class?*{,/**} wklx, + deny /sys/d[^e]*{,/**} wklx, + deny /sys/de[^v]*{,/**} wklx, + deny /sys/dev[^i]*{,/**} wklx, + deny /sys/devi[^c]*{,/**} wklx, + deny /sys/devic[^e]*{,/**} wklx, + deny /sys/device[^s]*{,/**} wklx, + deny /sys/devices/[^v]*{,/**} wklx, + deny /sys/devices/v[^i]*{,/**} wklx, + deny /sys/devices/vi[^r]*{,/**} wklx, + deny /sys/devices/vir[^t]*{,/**} wklx, + deny /sys/devices/virt[^u]*{,/**} wklx, + deny /sys/devices/virtu[^a]*{,/**} wklx, + deny /sys/devices/virtua[^l]*{,/**} wklx, + deny /sys/devices/virtual/[^n]*{,/**} wklx, + deny /sys/devices/virtual/n[^e]*{,/**} wklx, + deny /sys/devices/virtual/ne[^t]*{,/**} wklx, + deny /sys/devices/virtual/net?*{,/**} wklx, + deny /sys/devices/virtual?*{,/**} wklx, 
+ deny /sys/devices?*{,/**} wklx, + deny /sys/f[^s]*{,/**} wklx, + deny /sys/fs/[^c]*{,/**} wklx, + deny /sys/fs/c[^g]*{,/**} wklx, + deny /sys/fs/cg[^r]*{,/**} wklx, + deny /sys/fs/cgr[^o]*{,/**} wklx, + deny /sys/fs/cgro[^u]*{,/**} wklx, + deny /sys/fs/cgrou[^p]*{,/**} wklx, + deny /sys/fs/cgroup?*{,/**} wklx, + deny /sys/fs?*{,/**} wklx, diff --git a/src/security/apparmor-2/libvirt-qemu b/src/security/apparmor-2/libvirt-qemu new file mode 100644 index 0000000000..44056b5f14 --- /dev/null +++ b/src/security/apparmor-2/libvirt-qemu 
@@ -0,0 +1,271 @@ + #include <abstractions/base> + #include <abstractions/consoles> + #include <abstractions/nameservice> + + # required for reading disk images + capability dac_override, + capability dac_read_search, + capability chown, + + # needed to drop privileges + capability setgid, + capability setuid, + + network inet stream, + network inet6 stream, + + ptrace (readby, tracedby) peer=libvirtd, + ptrace (readby, tracedby) peer=/usr/sbin/libvirtd, + ptrace (readby, tracedby) peer=virtqemud, + + signal (receive) peer=libvirtd, + signal (receive) peer=/usr/sbin/libvirtd, + signal (receive) peer=virtqemud, + + /dev/kvm rw, + /dev/net/tun rw, + /dev/ptmx rw, + @{PROC}/*/status r, + # When qemu is signaled to terminate, it will read cmdline of signaling + # process for reporting purposes. Allowing read access to a process + # cmdline may leak sensitive information embedded in the cmdline. + @{PROC}/@{pid}/cmdline r, + # Per man(5) proc, the kernel enforces that a thread may + # only modify its comm value or those in its thread group. + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/sys/kernel/cap_last_cap r, + @{PROC}/sys/vm/overcommit_memory r, + # detect hardware capabilities via qemu_getauxval + owner @{PROC}/*/auxv r, + # allow reading libnl's classid file + /etc/libnl{,-3}/classid r, + + # For hostdev access. The actual devices will be added dynamically + /sys/bus/usb/devices/ r, + /sys/bus/usb/devices/* r, + /sys/devices/**/usb[0-9]*/** r, + # libusb needs udev data about usb devices (~equal to content of lsusb -v) + /run/udev/data/+usb* r, + /run/udev/data/c16[6,7]* r, + /run/udev/data/c18[0,8,9]* r, + + # WARNING: this gives the guest direct access to host hardware and specific + # portions of shared memory. This is required for sound using ALSA with kvm, + # but may constitute a security risk. If your environment does not require + # the use of sound in your VMs, feel free to comment out or prepend 'deny' to + # the rules for files in /dev. 
+ /dev/snd/* rw, + /{dev,run}/shm r, + /{dev,run}/shmpulse-shm* r, + /{dev,run}/shmpulse-shm* rwk, + capability ipc_lock, + # spice + owner /{dev,run}/shm/spice.* rw, + # 'kill' is not required for sound and is a security risk. Do not enable + # unless you absolutely need it. + deny capability kill, + + # Uncomment the following if you need access to /dev/fb* + #/dev/fb* rw, + + /etc/pulse/client.conf r, + @{HOME}/.pulse-cookie rwk, + owner /root/.pulse-cookie rwk, + owner /root/.pulse/ rw, + owner /root/.pulse/* rw, + /usr/share/alsa/** r, + owner /tmp/pulse-*/ rw, + owner /tmp/pulse-*/* rw, + /var/lib/dbus/machine-id r, + + # access to firmware's etc + /usr/share/AAVMF/** rk, + /usr/share/bochs/** r, + /usr/share/edk2-ovmf/** rk, + /usr/share/kvm/** r, + /usr/share/misc/sgabios.bin r, + /usr/share/openbios/** r, + /usr/share/openhackware/** r, + /usr/share/OVMF/** rk, + /usr/share/ovmf/** rk, + /usr/share/proll/** r, + /usr/share/qemu-efi/** r, + /usr/share/qemu-kvm/** r, + /usr/share/qemu/** rk, + /usr/share/seabios/** r, + /usr/share/sgabios/** r, + /usr/share/slof/** r, + /usr/share/vgabios/** r, + + # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140) + /etc/pki/CA/ r, + /etc/pki/CA/* r, + /etc/pki/libvirt{,-spice,-vnc}/ r, + /etc/pki/libvirt{,-spice,-vnc}/** r, + /etc/pki/qemu/ r, + /etc/pki/qemu/** r, + + # the various binaries + /usr/bin/kvm rmix, + /usr/bin/kvm-spice rmix, + /usr/bin/qemu rmix, + /usr/bin/qemu-aarch64 rmix, + /usr/bin/qemu-alpha rmix, + /usr/bin/qemu-arm rmix, + /usr/bin/qemu-armeb rmix, + /usr/bin/qemu-cris rmix, + /usr/bin/qemu-i386 rmix, + /usr/bin/qemu-kvm rmix, + /usr/bin/qemu-m68k rmix, + /usr/bin/qemu-microblaze rmix, + /usr/bin/qemu-microblazeel rmix, + /usr/bin/qemu-mips rmix, + /usr/bin/qemu-mips64 rmix, + /usr/bin/qemu-mips64el rmix, + /usr/bin/qemu-mipsel rmix, + /usr/bin/qemu-mipsn32 rmix, + /usr/bin/qemu-mipsn32el rmix, + /usr/bin/qemu-or32 rmix, + /usr/bin/qemu-ppc rmix, + /usr/bin/qemu-ppc64 rmix, + 
/usr/bin/qemu-ppc64abi32 rmix, + /usr/bin/qemu-ppc64le rmix, + /usr/bin/qemu-s390x rmix, + /usr/bin/qemu-sh4 rmix, + /usr/bin/qemu-sh4eb rmix, + /usr/bin/qemu-sparc rmix, + /usr/bin/qemu-sparc32plus rmix, + /usr/bin/qemu-sparc64 rmix, + /usr/bin/qemu-system-aarch64 rmix, + /usr/bin/qemu-system-alpha rmix, + /usr/bin/qemu-system-arm rmix, + /usr/bin/qemu-system-cris rmix, + /usr/bin/qemu-system-hppa rmix, + /usr/bin/qemu-system-i386 rmix, + /usr/bin/qemu-system-lm32 rmix, + /usr/bin/qemu-system-m68k rmix, + /usr/bin/qemu-system-microblaze rmix, + /usr/bin/qemu-system-microblazeel rmix, + /usr/bin/qemu-system-mips rmix, + /usr/bin/qemu-system-mips64 rmix, + /usr/bin/qemu-system-mips64el rmix, + /usr/bin/qemu-system-mipsel rmix, + /usr/bin/qemu-system-moxie rmix, + /usr/bin/qemu-system-nios2 rmix, + /usr/bin/qemu-system-or1k rmix, + /usr/bin/qemu-system-or32 rmix, + /usr/bin/qemu-system-ppc rmix, + /usr/bin/qemu-system-ppc64 rmix, + /usr/bin/qemu-system-ppcemb rmix, + /usr/bin/qemu-system-riscv32 rmix, + /usr/bin/qemu-system-riscv64 rmix, + /usr/bin/qemu-system-s390x rmix, + /usr/bin/qemu-system-sh4 rmix, + /usr/bin/qemu-system-sh4eb rmix, + /usr/bin/qemu-system-sparc rmix, + /usr/bin/qemu-system-sparc64 rmix, + /usr/bin/qemu-system-tricore rmix, + /usr/bin/qemu-system-unicore32 rmix, + /usr/bin/qemu-system-x86_64 rmix, + /usr/bin/qemu-system-xtensa rmix, + /usr/bin/qemu-system-xtensaeb rmix, + /usr/bin/qemu-unicore32 rmix, + /usr/bin/qemu-x86_64 rmix, + # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761) + /usr/{lib,lib64}/qemu/*.so mr, + /usr/lib/@{multiarch}/qemu/*.so mr, + + # let qemu load old shared objects after upgrades (LP: #1847361) + /{var/,}run/qemu/*/*.so mr, + # but explicitly deny writing to these files + audit deny /{var/,}run/qemu/*/*.so w, + + # swtpm + /{usr/,}bin/swtpm rmpix, + /usr/{lib,lib64}/libswtpm_libtpms.so mr, + /usr/lib/@{multiarch}/libswtpm_libtpms.so mr, + + # support for passt network back-end + /usr/bin/passt Cx -> 
passt, + + profile passt { + /usr/bin/passt r, + + signal (receive) set=("term") peer=/usr/sbin/libvirtd, + signal (receive) set=("term") peer=libvirtd, + signal (receive) set=("term") peer=virtqemud, + + owner /{,var/}run/libvirt/qemu/passt/* rw, + + include if exists <abstractions/passt> + } + + # for save and resume + /{usr/,}bin/dash rmix, + /{usr/,}bin/dd rmix, + /{usr/,}bin/cat rmix, + + # for restore + /{usr/,}bin/bash rmix, + + # for usb access + /dev/bus/usb/ r, + /etc/udev/udev.conf r, + /sys/bus/ r, + /sys/class/ r, + + # for rbd + /etc/ceph/*.conf r, + + # Various functions will need to enumerate /tmp (e.g. ceph), allow the base + # dir and a few known functions like samba support. + # We want to avoid to give blanket rw permission to everything under /tmp, + # users are expected to add site specific addons for more uncommon cases. + # Qemu processes usually all run as the same users, so the "owner" + # restriction prevents access to other services files, but not across + # different instances. + # This is a tradeoff between usability and security - if paths would be more + # predictable that would be preferred - at least for write rules we would + # want more unique paths per rule. 
+ /{,var/}tmp/ r, + owner /{,var/}tmp/**/ r, + + # for file-posix getting limits since 9103f1ce + /sys/devices/**/block/*/queue/max_segments r, + + # for ppc device-tree access + @{PROC}/device-tree/ r, + @{PROC}/device-tree/** r, + /sys/firmware/devicetree/** r, + + # allow connect with openGraphicsFD to work + unix (send, receive) type=stream addr=none peer=(label=libvirtd), + unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), + unix (send, receive) type=stream addr=none peer=(label=virtqemud), + unix (send, receive) type=stream addr=none peer=(label=swtpm), + + # for gathering information about available host resources + /sys/devices/system/cpu/ r, + /sys/devices/system/node/ r, + /sys/devices/system/node/node[0-9]*/meminfo r, + /sys/module/vhost/parameters/max_mem_regions r, + + # silence refusals to open lttng files (see LP: #1432644) + deny /dev/shm/lttng-ust-wait-* r, + deny /run/shm/lttng-ust-wait-* r, + + # for vfio hotplug on systems without static vfio (LP: #1775777) + /dev/vfio/vfio rw, + + # required for sasl GSSAPI plugin + /etc/gss/mech.d/ r, + /etc/gss/mech.d/* r, + + # required by libpmem init to fts_open()/fts_read() the symlinks in + # /sys/bus/nd/devices + / r, # harmless on any lsb compliant system + /sys/bus/nd/devices/{,**/} r, + + # required for QEMU accessing UEFI nvram variables + owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk, + owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk, diff --git a/src/security/apparmor-2/meson.build b/src/security/apparmor-2/meson.build new file mode 100644 index 0000000000..58b4024b85 --- /dev/null +++ b/src/security/apparmor-2/meson.build 
@@ -0,0 +1,41 @@ +apparmor_gen_profiles = [ + 'usr.lib.libvirt.virt-aa-helper', + 'usr.sbin.libvirtd', + 'usr.sbin.virtqemud', + 'usr.sbin.virtxend', +] + +apparmor_gen_profiles_conf = configuration_data({ + 'sysconfdir': sysconfdir, + 'sbindir': sbindir, + 'runstatedir': runstatedir, + 'libexecdir': libexecdir, +}) + +apparmor_dir = sysconfdir / 'apparmor.d' + +foreach name : apparmor_gen_profiles + configure_file( + input: '@0@.in'.format(name), + output: name, + configuration: apparmor_gen_profiles_conf, + install: true, + install_dir: apparmor_dir, + ) +endforeach + +install_data( + [ 'libvirt-qemu', 'libvirt-lxc' ], + install_dir: apparmor_dir / 'abstractions', +) + +install_data( + [ 'TEMPLATE.qemu', 'TEMPLATE.lxc' ], + install_dir: apparmor_dir / 'libvirt', +) + +install_data( + 'usr.lib.libvirt.virt-aa-helper.local', + install_dir: apparmor_dir / 'local', + rename: 'usr.lib.libvirt.virt-aa-helper', +) diff --git a/src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.in new file mode 100644 index 0000000000..ff1d46bebe --- /dev/null +++ b/src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.in 
@@ -0,0 +1,75 @@ +#include <tunables/global> + +profile virt-aa-helper @libexecdir@/virt-aa-helper { + #include <abstractions/base> + #include <abstractions/openssl> + + # needed for searching directories + capability dac_override, + capability dac_read_search, + + # needed for when disk is on a network filesystem + network inet, + network inet6, + + deny @{PROC}/[0-9]*/mounts r, + @{PROC}/[0-9]*/net/psched r, + owner @{PROC}/[0-9]*/status r, + @{PROC}/filesystems r, + + # Used when internally running another command (namely apparmor_parser) + @{PROC}/@{pid}/fd/ r, + + # allow reading libnl's classid file + @sysconfdir@/libnl{,-3}/classid r, + + # for gl enabled graphics + /dev/dri/{,*} r, + + # for hostdev + /sys/devices/ r, + /sys/devices/** r, + /sys/bus/usb/devices/ r, + deny /dev/sd* r, + deny /dev/vd* r, + deny /dev/dm-* r, + deny /dev/drbd[0-9]* r, + deny /dev/dasd* r, + deny /dev/nvme* r, + deny /dev/zd[0-9]* r, + deny /dev/mapper/ r, + deny /dev/mapper/* r, + + @libexecdir@/virt-aa-helper mr, + /{usr/,}sbin/apparmor_parser Ux, + + @sysconfdir@/apparmor.d/libvirt/* r, + @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + + # for backingstore -- allow access to non-hidden files in @{HOME} as well + # as storage pools + audit deny @{HOME}/.* mrwkl, + audit deny @{HOME}/.*/ rw, + audit deny @{HOME}/.*/** mrwkl, + audit deny @{HOME}/bin/ rw, + audit deny @{HOME}/bin/** mrwkl, + @{HOME}/ r, + @{HOME}/** r, + /var/lib/libvirt/images/ r, + /var/lib/libvirt/images/** r, + /var/lib/nova/instances/_base/* r, + /{media,mnt,opt,srv}/** r, + # For virt-sandbox + /{,var/}run/libvirt/**/[sv]d[a-z] r, + + /**.img r, + /**.raw r, + /**.qcow{,2} r, + /**.qed r, + /**.vmdk r, + /**.vhd r, + /**.[iI][sS][oO] r, + /**/disk{,.*} r, + + #include <local/usr.lib.libvirt.virt-aa-helper> +} 
diff --git a/src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.local b/src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.local new file mode 100644 index 0000000000..c0990e51d0 --- /dev/null +++ b/src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.local @@ -0,0 +1 @@ +# Site-specific additions and overrides for 'usr.lib.libvirt.virt-aa-helper' diff --git a/src/security/apparmor-2/usr.sbin.libvirtd.in b/src/security/apparmor-2/usr.sbin.libvirtd.in new file mode 100644 index 0000000000..edb8dd8e26 --- /dev/null +++ b/src/security/apparmor-2/usr.sbin.libvirtd.in 
@@ -0,0 +1,142 @@ +#include <tunables/global> +@{LIBVIRT}="libvirt" + +profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { + #include <abstractions/base> + #include <abstractions/dbus> + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_pacct, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability audit_write, + capability ipc_lock, + capability sys_rawio, + capability bpf, + capability perfmon, + + # Needed for vfio + capability sys_resource, + + mount options=(rw,rslave) -> /, + mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/, + umount /{var/,}run/libvirt/qemu/*.dev/, + umount /dev/, + + # libvirt provides any mounts under /dev to qemu namespaces + mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/, + mount options=(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/}, + mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/, + mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none), + + ptrace (read,trace) peer=unconfined, + ptrace (read,trace) peer=@{profile_name}, + ptrace (read,trace) peer=dnsmasq, + ptrace (read,trace) peer=/usr/sbin/dnsmasq, + ptrace (read,trace) peer=libvirt-*, + ptrace (read,trace) peer=swtpm, + + signal (send) peer=dnsmasq, + signal (send) peer=/usr/sbin/dnsmasq, + signal (read, send) peer=libvirt-*, + signal (send) set=("kill", "term") peer=unconfined, + + # For communication/control to 
qemu-bridge-helper + unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper), + signal (send) set=("term") peer=libvirtd//qemu_bridge_helper, + + # allow connect with openGraphicsFD, direction reversed in newer versions + unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*), + # unconfined also required if guests run without security module + unix (send, receive) type=stream addr=none peer=(label=unconfined), + + # required if guests run unconfined seclabel type='none' but libvirtd is confined + signal (read, send) peer=unconfined, + + # Very lenient profile for libvirtd since we want to first focus on confining + # the guests. Guests will have a very restricted profile. + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64,libexec}/xen/bin/* Ux, + /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx, + /usr/{lib,libexec}/xen-*/bin/pygrub PUx, + /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # read and run an ebtables script. 
+ /var/lib/libvirt/virtd* ixr, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + /etc/xen/scripts/** rmix, + + # allow changing to our UUID-based named profiles + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, + # child profile for bridge helper process + profile qemu_bridge_helper { + #include <abstractions/base> + + capability setuid, + capability setgid, + capability setpcap, + capability net_admin, + + network inet stream, + + # For communication/control from libvirtd + unix (send, receive) type=stream addr=none peer=(label=libvirtd), + signal (receive) set=("term") peer=/usr/sbin/libvirtd, + signal (receive) set=("term") peer=libvirtd, + + /dev/net/tun rw, + /etc/qemu/** r, + owner @{PROC}/*/status r, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, + } +} diff --git a/src/security/apparmor-2/usr.sbin.virtqemud.in b/src/security/apparmor-2/usr.sbin.virtqemud.in new file mode 100644 index 0000000000..f269c60809 --- /dev/null +++ b/src/security/apparmor-2/usr.sbin.virtqemud.in 
@@ -0,0 +1,135 @@ +#include <tunables/global> +@{LIBVIRT}="libvirt" + +profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) { + #include <abstractions/base> + #include <abstractions/dbus> + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_pacct, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability audit_write, + capability ipc_lock, + capability sys_rawio, + capability bpf, + capability perfmon, + + # Needed for vfio + capability sys_resource, + + mount options=(rw,rslave) -> /, + mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/, + umount /{var/,}run/libvirt/qemu/*.dev/, + umount /dev/, + + # libvirt provides any mounts under /dev to qemu namespaces + mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/, + mount options=(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/}, + mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/, + mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none), + + ptrace (read,trace) peer=unconfined, + ptrace (read,trace) peer=@{profile_name}, + ptrace (read,trace) peer=dnsmasq, + ptrace (read,trace) peer=/usr/sbin/dnsmasq, + ptrace (read,trace) peer=libvirt-*, + + signal (send) peer=dnsmasq, + signal (send) peer=/usr/sbin/dnsmasq, + signal (read, send) peer=libvirt-*, + signal (send) set=(kill, term) peer=unconfined, + + # For communication/control to qemu-bridge-helper + unix (send, receive) 
type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper), + signal (send) set=(term) peer=libvirtd//qemu_bridge_helper, + + # allow connect with openGraphicsFD, direction reversed in newer versions + unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*), + # unconfined also required if guests run without security module + unix (send, receive) type=stream addr=none peer=(label=unconfined), + + # required if guests run unconfined seclabel type='none' but libvirtd is confined + signal (read, send) peer=unconfined, + + # Very lenient profile for libvirtd since we want to first focus on confining + # the guests. Guests will have a very restricted profile. + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # read and run an ebtables script. 
+ /var/lib/libvirt/virtd* ixr, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + + # allow changing to our UUID-based named profiles + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, + # child profile for bridge helper process + profile qemu_bridge_helper { + #include <abstractions/base> + + capability setuid, + capability setgid, + capability setpcap, + capability net_admin, + + network inet stream, + + # For communication/control from virtqemud + unix (send, receive) type=stream addr=none peer=(label=virtqemud), + signal (receive) set=(term) peer=virtqemud, + + /dev/net/tun rw, + /etc/qemu/** r, + owner @{PROC}/*/status r, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, + } +} diff --git a/src/security/apparmor-2/usr.sbin.virtxend.in b/src/security/apparmor-2/usr.sbin.virtxend.in new file mode 100644 index 0000000000..72e0d801e5 --- /dev/null +++ b/src/security/apparmor-2/usr.sbin.virtxend.in 
@@ -0,0 +1,55 @@ +#include <tunables/global> + +profile virtxend @sbindir@/virtxend flags=(attach_disconnected) { + #include <abstractions/base> + #include <abstractions/dbus> + + capability kill, + capability setgid, + capability setuid, + capability sys_pacct, + capability ipc_lock, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none), + + ptrace (read,trace) peer=unconfined, + + signal (send) set=(kill, term, hup) peer=unconfined, + + # Very lenient profile for virtxend + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + @sbindir@/virtlogd pix, + @sbindir@/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64,libexec}/xen/bin/* Ux, + /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx, + /usr/{lib,libexec}/xen-*/bin/pygrub PUx, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libexecdir@/* PUxr, + @libexecdir@/libvirt_parthelper ix, + @libexecdir@/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + /etc/xen/scripts/** rmix, +} diff --git a/src/security/meson.build b/src/security/meson.build index 6230b34aa4..078111d251 100644 --- a/src/security/meson.build +++ b/src/security/meson.build @@ -55,3 +55,6 @@ endif if conf.has('WITH_APPARMOR_PROFILES') subdir('apparmor') endif +if conf.has('WITH_APPARMOR_PROFILES_2') + subdir('apparmor-2') +endif -- 2.41.0
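Review bot: In the meson.build hunk the 3.x-vs-2.x choice is made from `apparmor_dep.version()`, i.e. the libapparmor the build links against, whereas the constructs this series worries about (`include if exists`, abstraction drop-in directories) are judged by apparmor_parser on the host where the profiles are installed; a package built against libapparmor 3.x but deployed with a 2.x parser (or the reverse) silently gets the wrong profile set, and there is no option to force one. A build option to override the selection (name is only a suggestion, e.g. `apparmor_profiles_version`), or at least a note in the build docs that libapparmor and apparmor_parser are assumed to come from the same release, would help. The same hunk also changes what `WITH_APPARMOR_PROFILES` means (it is no longer set on 2.x hosts), yet the diffstat shows only src/security/meson.build being adjusted for that; any other `conf.has('WITH_APPARMOR_PROFILES')` consumer in the tree should be checked, or the existing flag kept for both cases with a separate version flag added alongside it.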
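Review bot: The new files under src/security/apparmor-2/ are a verbatim copy, and the commit message defers making them 2.x compliant to later patches, but patch 2 is the only follow-up that touches them and it removes just the passt block; the cover letter says the series was tested with apparmor 3.x only. Before merging, the copies should at least be fed through the oldest 2.x apparmor_parser libvirt still supports (`apparmor_parser -Q` against a throw-away apparmor.d tree avoids loading anything into the kernel), paying attention to rules whose parser support may be version dependent, such as `capability bpf`, `capability perfmon`, `ptrace (readby, tracedby)`, `unix (send, receive) ... peer=(label=...)` and the `@{tid}` tunable in `owner @{PROC}/@{pid}/task/@{tid}/comm rw,`; whatever that check turns up should be stated in the commit message so the 2.x variant is known to be more than a copy.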
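Review bot: src/security/apparmor-2/meson.build is an exact duplicate of the 3.x one apart from the source directory, and nothing in the tree records that the two directories must be edited together; a one-line comment at the top of each meson.build (or a README in apparmor-2/) pointing at the sibling directory, plus a CI step that diffs `src/security/apparmor` against `src/security/apparmor-2` ignoring the intentional differences, would keep the copy from rotting once reviewers forget it exists. It would also be worth recording there that the copy is meant to be removed when 2.x support is dropped, as the cover letter says.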

Commit 7a39b04d683f introduced support for passt in the qemu apparmor abstraction, but it contains an 'include if exists' directive that is only stable on apparmor 3.x. Remove support for passt from the 2.x variant of the abstraction. Signed-off-by: Jim Fehlig <jfehlig@suse.com> --- src/security/apparmor-2/libvirt-qemu | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/src/security/apparmor-2/libvirt-qemu b/src/security/apparmor-2/libvirt-qemu index 44056b5f14..9af1333b22 100644 --- a/src/security/apparmor-2/libvirt-qemu +++ b/src/security/apparmor-2/libvirt-qemu @@ -185,21 +185,6 @@ /usr/{lib,lib64}/libswtpm_libtpms.so mr, /usr/lib/@{multiarch}/libswtpm_libtpms.so mr, - # support for passt network back-end - /usr/bin/passt Cx -> passt, - - profile passt { - /usr/bin/passt r, - - signal (receive) set=("term") peer=/usr/sbin/libvirtd, - signal (receive) set=("term") peer=libvirtd, - signal (receive) set=("term") peer=virtqemud, - - owner /{,var/}run/libvirt/qemu/passt/* rw, - - include if exists <abstractions/passt> - } - # for save and resume /{usr/,}bin/dash rmix, /{usr/,}bin/dd rmix, -- 2.41.0
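Review bot: the hunk drops more than the directive apparmor 2.x cannot parse: along with `include if exists <abstractions/passt>` it removes `/usr/bin/passt Cx -> passt,` and the whole `profile passt { ... }` child profile, so on a 2.x host a guest configured with a passt network backend will have the passt exec refused by this abstraction unless some other rule in it matches /usr/bin/passt, i.e. the helper cannot be launched at all rather than running under a reduced profile. If that is the intent, the commit message should state that passt-backed guests will not work under the 2.x profiles; if it is not, the smaller change is to keep the transition and the child profile and delete only the `include if exists` line, since the signal and owner rules listed inline do not depend on it.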

Apparmor profiles in /etc/apparmor.d/ are config files that can be replaced on package upgrade, which introduces the potential to overwrite any local changes. Apparmor supports local profile customizations via /etc/apparmor.d/local/<service> [1]. In addition, apparmor 3.x supports local customizations of profile abstractions via an abstractions/<service>.d drop directory. In order to support local customizations, the main profiles and abstractions must 'include if exists' the local changes. This directive is only stable on apparmor 3.x, so support for local profile customizations is limited to apparmor >= 3.0.0. Signed-off-by: Jim Fehlig <jfehlig@suse.com> --- src/security/apparmor/libvirt-lxc | 3 +++ src/security/apparmor/libvirt-qemu | 3 +++ src/security/apparmor/usr.sbin.libvirtd.in | 5 ++++- src/security/apparmor/usr.sbin.virtqemud.in | 3 +++ src/security/apparmor/usr.sbin.virtxend.in | 3 +++ 5 files changed, 16 insertions(+), 1 deletion(-) diff --git a/src/security/apparmor/libvirt-lxc b/src/security/apparmor/libvirt-lxc index 0c8b812743..734dd95c6e 100644 --- a/src/security/apparmor/libvirt-lxc +++ b/src/security/apparmor/libvirt-lxc @@ -116,3 +116,6 @@ deny /sys/fs/cgrou[^p]*{,/**} wklx, deny /sys/fs/cgroup?*{,/**} wklx, deny /sys/fs?*{,/**} wklx, + + # Site-specific additions and overrides. + include if exists <abstractions/libvirt-lxc.d> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu index 44056b5f14..bed7c4ad76 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -269,3 +269,6 @@ # required for QEMU accessing UEFI nvram variables owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk, owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk, + + # Site-specific additions and overrides. + include if exists <abstractions/libvirt-qemu.d> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in index edb8dd8e26..20041fcf67 100644 
--- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -139,4 +139,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, } -} + + # Site-specific additions and overrides. See local/README for details. + include if exists <local/usr.sbin.libvirtd> + } diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/apparmor/usr.sbin.virtqemud.in index f269c60809..3ebdbf2a8f 100644 --- a/src/security/apparmor/usr.sbin.virtqemud.in +++ b/src/security/apparmor/usr.sbin.virtqemud.in @@ -132,4 +132,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) { /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, } + + # Site-specific additions and overrides. See local/README for details. + include if exists <local/usr.sbin.virtqemud> } diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/apparmor/usr.sbin.virtxend.in index 72e0d801e5..719766a0c1 100644 --- a/src/security/apparmor/usr.sbin.virtxend.in +++ b/src/security/apparmor/usr.sbin.virtxend.in @@ -52,4 +52,7 @@ profile virtxend @sbindir@/virtxend flags=(attach_disconnected) { @libexecdir@/libvirt_iohelper ix, /etc/libvirt/hooks/** rmix, /etc/xen/scripts/** rmix, + + # Site-specific additions and overrides. See local/README for details. + include if exists <local/usr.sbin.virtxend> } -- 2.41.0
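Review bot: in the usr.sbin.libvirtd.in hunk the profile's closing brace is deleted and re-added (`-}` followed by `+ }`), whereas the virtqemud and virtxend hunks keep their `}` as unchanged context and insert the two new lines before it; the re-added brace also appears to gain leading whitespace. apparmor_parser does not care, but it is gratuitous churn and makes the three hunks inconsistent; insert before the existing `}` here as well.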
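Review bot: the commit message cites '[1]' for the /etc/apparmor.d/local/<service> mechanism but the footnote itself is missing from the message; add the reference (or drop the marker). Worth a sentence there too: libvirt-qemu and libvirt-lxc are abstractions, not profiles, so a file dropped into abstractions/libvirt-qemu.d is pulled into every profile that includes the abstraction rather than into a single daemon's profile, which is a much wider blast radius than a local/usr.sbin.virtqemud override and should be called out for whoever writes to those drop-in directories.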

On Wed, Jun 28, 2023 at 05:15:26PM -0600, Jim Fehlig wrote:
> This is a stab at a V2 of
> https://listman.redhat.com/archives/libvir-list/2023-June/240219.html
> That patch was ACKed and committed, but reverted before the 9.5.0 release since it could be problematic with older apparmor 2.x versions still supported by libvirt.
> Andrea suggested copies of the profiles for apparmor 2.x and 3.x. This series takes that approach, with patch 1 making an identical copy of the src/security/apparmor directory. Patches 2 and 3 then adjust the profiles accordingly.
> My approach to copying the existing directory does introduce some duplicate files in the tree, but otherwise it's minimally disruptive and will be easy to rip out when upstream libvirt no longer needs to support apparmor 2.x.
> FYI, so far I've only tested with apparmor 3.x, but I did push the changes to my fork with CI enabled
> https://gitlab.com/jfehlig/libvirt/-/pipelines/915347878
> Thanks for comments/suggestions!
> Jim Fehlig (3):
>   apparmor: Create version specific apparmor profiles
>   apparmor: Remove support for passt from apparmor 2.x
>   apparmor: Add support for local profile customizations
I'm not a fan of this approach. It introduces a lot of duplication for what are ultimately just a dozen or so lines that need to be different between the 2.x and 3.x profiles; most importantly, I'm very concerned about the two copies accidentally drifting apart over the ~2 years that separate us from the joyous day when we can finally stop caring about 2.x.

Please have a look at my attempt:

https://listman.redhat.com/archives/libvir-list/2023-June/240544.html

-- 
Andrea Bolognani / Red Hat / Virtualization
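The drift Andrea worries about can be caught mechanically. What follows is an added example, not libvirt code and not part of this series: a small Python check that takes the 3.x profile and its apparmor-2 copy, removes from the 3.x text the two differences the series intends (the `include if exists` lines together with their "Site-specific" comment, and the passt child profile that patch 2 deletes) and reports anything else that differs, plus any `include if exists` that has leaked into the 2.x copy. The function and sample names (`profile_drift`, `SAMPLE_3X`, `SAMPLE_2X_IN_SYNC`, `SAMPLE_2X_DRIFTED`) are mine, and the sample inputs are constructed, modelled on the libvirt-qemu hunks quoted in this thread.

```python
"""Drift check between a 3.x AppArmor profile and its apparmor-2 copy.

Added example, not libvirt code. It encodes the only differences the series
intends between src/security/apparmor/ and src/security/apparmor-2/: the 3.x
copy carries 'include if exists' drop-in lines (plus their comment line) and
the 2.x copy lacks the passt child profile. Anything else is drift.
"""
import difflib
import re
import sys

# Lines only the 3.x copy may carry: the local/ and .d drop-in includes.
INCLUDE_IF_EXISTS = re.compile(r"^\s*include if exists <[^>]+>\s*$")
SITE_COMMENT = re.compile(r"^\s*# Site-specific additions and overrides")


def strip_3x_only(lines):
    """Drop the 'include if exists' directives and their comment lines."""
    return [l for l in lines
            if not (INCLUDE_IF_EXISTS.match(l) or SITE_COMMENT.match(l))]


def strip_passt_block(lines):
    """Drop the passt exec rule and the 'profile passt { ... }' child profile."""
    out, i = [], 0
    while i < len(lines):
        s = lines[i].strip()
        if s == "# support for passt network back-end" or s.startswith("/usr/bin/passt Cx"):
            i += 1
            continue
        if s.startswith("profile passt"):
            depth = 0                      # brace-match the child profile
            while i < len(lines):
                depth += lines[i].count("{") - lines[i].count("}")
                i += 1
                if depth <= 0:
                    break
            continue
        out.append(lines[i])
        i += 1
    return out


def normalize(lines):
    """Ignore blank lines and trailing whitespace; everything else must match."""
    return [l.rstrip() for l in lines if l.strip()]


def profile_drift(profile_3x, profile_2x):
    """Return the unexpected differences between a 3.x profile and its 2.x copy.

    An empty list means the copies differ only in the ways the series intends.
    """
    lines_3x = profile_3x.splitlines()
    lines_2x = profile_2x.splitlines()
    expected_2x = normalize(strip_passt_block(strip_3x_only(lines_3x)))
    actual_2x = normalize(lines_2x)
    # A 2.x copy must never carry the directive apparmor 2.x cannot parse.
    problems = [f"2.x copy carries a 3.x-only directive: {l.strip()}"
                for l in lines_2x if INCLUDE_IF_EXISTS.match(l)]
    diff = difflib.unified_diff(expected_2x, actual_2x,
                                "expected-2.x", "actual-2.x", lineterm="", n=0)
    problems += [d for d in diff
                 if d.startswith(("+", "-")) and not d.startswith(("+++", "---"))]
    return problems


# Constructed sample inputs, modelled on the libvirt-qemu hunks in this thread.
SAMPLE_3X = """\
  /usr/{lib,lib64}/libswtpm_libtpms.so mr,

  # support for passt network back-end
  /usr/bin/passt Cx -> passt,

  profile passt {
    /usr/bin/passt r,

    signal (receive) set=("term") peer=virtqemud,

    owner /{,var/}run/libvirt/qemu/passt/* rw,

    include if exists <abstractions/passt>
  }

  # for save and resume
  /{usr/,}bin/dash rmix,
  /{usr/,}bin/dd rmix,

  # Site-specific additions and overrides.
  include if exists <abstractions/libvirt-qemu.d>
"""

SAMPLE_2X_IN_SYNC = """\
  /usr/{lib,lib64}/libswtpm_libtpms.so mr,

  # for save and resume
  /{usr/,}bin/dash rmix,
  /{usr/,}bin/dd rmix,
"""

# A 2.x copy that missed a later fix to the 3.x file (the dd rule).
SAMPLE_2X_DRIFTED = SAMPLE_2X_IN_SYNC.replace("  /{usr/,}bin/dd rmix,\n", "")

if __name__ == "__main__":
    # Usage: python3 aa_drift.py apparmor/libvirt-qemu apparmor-2/libvirt-qemu
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f3, open(sys.argv[2]) as f2:
            found = profile_drift(f3.read(), f2.read())
    else:
        found = profile_drift(SAMPLE_3X, SAMPLE_2X_DRIFTED)
    print("\n".join(found) if found else "in sync")
    sys.exit(1 if found else 0)
```

Run over each profile pair in CI, a non-zero exit is the signal that someone touched one copy and not the other; the two strip functions are the single place that has to be updated if a further intentional 2.x/3.x difference is ever introduced.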

On 6/29/23 07:21, Andrea Bolognani wrote:
> On Wed, Jun 28, 2023 at 05:15:26PM -0600, Jim Fehlig wrote:
> > This is a stab at a V2 of
> > https://listman.redhat.com/archives/libvir-list/2023-June/240219.html
> > That patch was ACKed and committed, but reverted before the 9.5.0 release since it could be problematic with older apparmor 2.x versions still supported by libvirt.
> > Andrea suggested copies of the profiles for apparmor 2.x and 3.x. This series takes that approach, with patch 1 making an identical copy of the src/security/apparmor directory. Patches 2 and 3 then adjust the profiles accordingly.
> > My approach to copying the existing directory does introduce some duplicate files in the tree, but otherwise it's minimally disruptive and will be easy to rip out when upstream libvirt no longer needs to support apparmor 2.x.
> > FYI, so far I've only tested with apparmor 3.x, but I did push the changes to my fork with CI enabled
> > https://gitlab.com/jfehlig/libvirt/-/pipelines/915347878
> > Thanks for comments/suggestions!
> > Jim Fehlig (3):
> >   apparmor: Create version specific apparmor profiles
> >   apparmor: Remove support for passt from apparmor 2.x
> >   apparmor: Add support for local profile customizations
>
> I'm not a fan of this approach. It introduces a lot of duplication for what are ultimately just a dozen or so lines that need to be different between the 2.x and 3.x profiles; most importantly, I'm very concerned about the two copies accidentally drifting apart over the ~2 years that separate us from the joyous day when we can finally stop caring about 2.x.
>
> Please have a look at my attempt:
>
> https://listman.redhat.com/archives/libvir-list/2023-June/240544.html
I was going down the same path until I thought of the more brute force approach, which I admit to be fond of due to ease of ripping out the 2.x stuff when no longer needed. But yeah, two copies of the profiles is not nice.

I'll take a closer look at your patches now.

Regards,
Jim

Hello,

On Thursday, 29 June 2023, 19:05:09 CEST, Jim Fehlig wrote:
[...]
> I was going down the same path until I thought of the more brute force approach, which I admit to be fond of due to ease of ripping out the 2.x stuff when no longer needed. But yeah, two copies of the profiles is not nice.

I have quite some experience with [getting rid of] code duplication [1], and "not nice" is a very diplomatic description ;-)

> I'll take a closer look at your patches now.

I had a look, and those conditional blocks look much better than duplicating the whole directory.

Another thing you might want to add to all profiles and abstractions for AppArmor >= 3.0 is

    abi <abi/3.0>,

This will enable enforcing of some newer rule types - which might mean that you need to add a few new rules to the profiles. See the "Feature ABI" section in man 5 apparmor.d for details.

(Since this is unrelated to local/, adding the abi lines should probably be a separate patch.)

Regards,

Christian Boltz

[1] unrelated to AppArmor

-- 
File Not Found.....Loading something that looks similar
participants (3): Andrea Bolognani, Christian Boltz, Jim Fehlig