9:39 a.m.
Hi,
this is a summary of things I had to touch recently when working on 4.6.
The first two patches are re-submissions and modifications of last
year which were never totally challenged, but also not pushed yet (I had
no permissions yet back then).
The first was lost in a discussion about virt-aa-helper, whicih eventually
turned out to be clear that it could not help in that case.
- https://www.redhat.com/archives/libvir-list/2017-February/msg01598.html
- https://www.redhat.com/archives/libvir-list/2017-March/msg00052.html
The second even got a few Acks, but neither made it into upstream yet.
Parts of it where introduced already, in
7edcbd02 apparmor: allow libvirt to send term signal to unconfined
b482925c apparmor: support ptrace checks
But there are still signals blocked with those rules, so I resubmit the
remaining bit. Also I added the Acks to the resubmission.
The third change came in recently via various bug reports which I finally
wanted to adress - e.g. for ceph lib or smb. If we later on spot more
cases that have predictable safe paths under /tmp we can add those.
Finally the forth change was triggered by me testing libvirt 4.6 in
various conditions. Some of them were in containers, and the new libvirt
behavior to carry more mount points into the qemu namespace triggers the
need to rewrite the existing mount-moving rules that we added last year.
Christian Ehrhardt (4):
apparmor: allow openGraphicsFD for virt manager >1.4
apparmor: add mediation rules for unconfined guests
apparmor: allow expected /tmp access patterns
apparmor: allow to preserve /dev mountpoints into qemu namespaces
examples/apparmor/libvirt-qemu | 13 +++++++++++++
examples/apparmor/usr.sbin.libvirtd | 24 +++++++++++++-----------
2 files changed, 26 insertions(+), 11 deletions(-)
--
2.17.1
9:39 a.m.
New subject: [libvirt] [PATCH 1/4] apparmor: allow openGraphicsFD for virt manager >1.4
virt-manager's UI connection will need socket access for openGraphicsFD
to work - otherwise users will face a failed connection error when
opening the UI view.
Depending on the exact versions of libvirt and qemu involved this needs
either a rule from qemu to libvirt or vice versa.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
examples/apparmor/libvirt-qemu | 3 +++
examples/apparmor/usr.sbin.libvirtd | 5 +++++
2 files changed, 8 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index df5f512487..5caf14e418 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -188,6 +188,9 @@
@{PROC}/device-tree/** r,
/sys/firmware/devicetree/** r,
+ # allow connect with openGraphicsFD to work
+ unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
+
# for gathering information about available host resources
/sys/devices/system/cpu/ r,
/sys/devices/system/node/ r,
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 3102cab382..dd37866c2a 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -69,6 +69,11 @@
unix (send, receive) type=stream addr=none
peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
signal (send) set=("term") peer=/usr/sbin/libvirtd//qemu_bridge_helper,
+ # allow connect with openGraphicsFD, direction reversed in newer versions
+ unix (send, receive) type=stream addr=none
peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
+ # unconfined also required if guests run without security module
+ unix (send, receive) type=stream addr=none peer=(label=unconfined),
+
# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
/ r,
--
2.17.1
11:53 a.m.
New subject: [libvirt] [PATCH 1/4] apparmor: allow openGraphicsFD for virt manager >1.4
On Mon, 2018-08-13 at 16:39 +0200, Christian Ehrhardt wrote:
virt-manager's UI connection will need socket access for
openGraphicsFD
to work - otherwise users will face a failed connection error when
opening the UI view.
Depending on the exact versions of libvirt and qemu involved this
needs
either a rule from qemu to libvirt or vice versa.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
examples/apparmor/libvirt-qemu | 3 +++
examples/apparmor/usr.sbin.libvirtd | 5 +++++
2 files changed, 8 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu
b/examples/apparmor/libvirt-qemu
index df5f512487..5caf14e418 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -188,6 +188,9 @@
@{PROC}/device-tree/** r,
/sys/firmware/devicetree/** r,
+ # allow connect with openGraphicsFD to work
+ unix (send, receive) type=stream addr=none
peer=(label=/usr/sbin/libvirtd),
+1 to apply
diff --git a/examples/apparmor/usr.sbin.libvirtd
b/examples/apparmor/usr.sbin.libvirtd
index 3102cab382..dd37866c2a 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -69,6 +69,11 @@
unix (send, receive) type=stream addr=none
peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
signal (send) set=("term")
peer=/usr/sbin/libvirtd//qemu_bridge_helper,
+ # allow connect with openGraphicsFD, direction reversed in newer
versions
+ unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-
9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
+ # unconfined also required if guests run without security module
+ unix (send, receive) type=stream addr=none
peer=(label=unconfined),
Makes sense. This libvirtd policy is meant to be super restrictive, so
+1 to apply.
--
Jamie Strandboge | http://www.canonical.com
1:12 a.m.
New subject: [libvirt] [PATCH 1/4] apparmor: allow openGraphicsFD for virt manager >1.4
On Mon, Aug 13, 2018 at 6:53 PM Jamie Strandboge <jamie(a)canonical.com>
wrote:
On Mon, 2018-08-13 at 16:39 +0200, Christian Ehrhardt wrote:
> virt-manager's UI connection will need socket access for
> openGraphicsFD
> to work - otherwise users will face a failed connection error when
> opening the UI view.
>
> Depending on the exact versions of libvirt and qemu involved this
> needs
> either a rule from qemu to libvirt or vice versa.
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
> ---
> examples/apparmor/libvirt-qemu | 3 +++
> examples/apparmor/usr.sbin.libvirtd | 5 +++++
> 2 files changed, 8 insertions(+)
>
> diff --git a/examples/apparmor/libvirt-qemu
> b/examples/apparmor/libvirt-qemu
> index df5f512487..5caf14e418 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -188,6 +188,9 @@
> @{PROC}/device-tree/** r,
> /sys/firmware/devicetree/** r,
>
> + # allow connect with openGraphicsFD to work
> + unix (send, receive) type=stream addr=none
> peer=(label=/usr/sbin/libvirtd),
+1 to apply
> diff --git a/examples/apparmor/usr.sbin.libvirtd
> b/examples/apparmor/usr.sbin.libvirtd
> index 3102cab382..dd37866c2a 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -69,6 +69,11 @@
> unix (send, receive) type=stream addr=none
> peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
> signal (send) set=("term")
> peer=/usr/sbin/libvirtd//qemu_bridge_helper,
>
> + # allow connect with openGraphicsFD, direction reversed in newer
> versions
> + unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-
> 9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
> + # unconfined also required if guests run without security module
> + unix (send, receive) type=stream addr=none
> peer=(label=unconfined),
Makes sense. This libvirtd policy is meant to be super restrictive, so
+1 to apply.
Thanks, added your Ack in the v2 submission due to rewriting the latter
patches of this series.
--
Jamie Strandboge | http://www.canonical.com
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
9:39 a.m.
New subject: [libvirt] [PATCH 2/4] apparmor: add mediation rules for unconfined guests
If a guest runs unconfined <seclabel type='none'>, but libvirtd is
confined then the peer for signal can only be detected as
'unconfined'. That triggers issues like:
apparmor="DENIED" operation="signal"
profile="/usr/sbin/libvirtd" pid=22395 comm="libvirtd"
requested_mask="send" denied_mask="send" signal=term
peer="unconfined"
To fix this add unconfined as an allowed peer for those operations.
I discussed with the apparmor folks, right now there is no better
separation to be made in this case. But there might be further down the
road with "policy namespaces with scope and view control + stacking"
This is more a use-case addition than a fix to the following two changes:
- 3b1d19e6 AppArmor: add rules needed with additional mediation features
- b482925c apparmor: support ptrace checks
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
Acked-by: Jamie Strandboge <jamie(a)canonical.com>
Acked-by: intrigeri <intrigeri+libvirt(a)boum.org>
---
examples/apparmor/usr.sbin.libvirtd | 3 +++
1 file changed, 3 insertions(+)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index dd37866c2a..3ff43c32a2 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -74,6 +74,9 @@
# unconfined also required if guests run without security module
unix (send, receive) type=stream addr=none peer=(label=unconfined),
+ # required if guests run unconfined seclabel type='none' but libvirtd is
confined
+ signal (read, send) peer=unconfined,
+
# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
/ r,
--
2.17.1
11:54 a.m.
New subject: [libvirt] [PATCH 2/4] apparmor: add mediation rules for unconfined guests
On Mon, 2018-08-13 at 16:39 +0200, Christian Ehrhardt wrote:
If a guest runs unconfined <seclabel type='none'>, but
libvirtd is
confined then the peer for signal can only be detected as
'unconfined'. That triggers issues like:
apparmor="DENIED" operation="signal"
profile="/usr/sbin/libvirtd" pid=22395 comm="libvirtd"
requested_mask="send" denied_mask="send" signal=term
peer="unconfined"
To fix this add unconfined as an allowed peer for those operations.
I discussed with the apparmor folks, right now there is no better
separation to be made in this case. But there might be further down
the
road with "policy namespaces with scope and view control + stacking"
This is more a use-case addition than a fix to the following two
changes:
- 3b1d19e6 AppArmor: add rules needed with additional mediation
features
- b482925c apparmor: support ptrace checks
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
Acked-by: Jamie Strandboge <jamie(a)canonical.com>
Acked-by: intrigeri <intrigeri+libvirt(a)boum.org>
---
examples/apparmor/usr.sbin.libvirtd | 3 +++
1 file changed, 3 insertions(+)
diff --git a/examples/apparmor/usr.sbin.libvirtd
b/examples/apparmor/usr.sbin.libvirtd
index dd37866c2a..3ff43c32a2 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -74,6 +74,9 @@
# unconfined also required if guests run without security module
unix (send, receive) type=stream addr=none
peer=(label=unconfined),
+ # required if guests run unconfined seclabel type='none' but
libvirtd is confined
+ signal (read, send) peer=unconfined,
A tad unfortunate, but again, the libvirtd profile is meant to be super
strict. +1 to apply
--
Jamie Strandboge | http://www.canonical.com
9:39 a.m.
New subject: [libvirt] [PATCH 3/4] apparmor: allow expected /tmp access patterns
Several cases were found needing /tmp, for example ceph will try to list /tmp
and the samba feature of qemu will place things in /tmp/qemu-smb.*.
This is sort of safe because:
- While /tmp could contain anything it is not recommended to put critical
data there anyway
- We restrict general access to only dir listing and reading of files owned
(intentionally not the full power of user-tmp abstraction)
- While it would be hard to predict the PID as part of the string for the
qemu smb feature (this is not exposed through XML so virt-aa-helper
can't help) it is guarded by the "owner" statement and a pretty clear
qemu-smb infix in the path.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
examples/apparmor/libvirt-qemu | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 5caf14e418..c4f231b328 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -180,6 +180,16 @@
# for rbd
/etc/ceph/ceph.conf r,
+ # various functions will need /tmp (e.g. ceph), allow the base dir and a
+ # few known functions.
+ # we want to avoid to give blanket read or even write to everything under /tmp
+ # so users are expected to add site specific addons for more uncommon cases.
+ # allow only dir listing and owner based file read
+ /{,var/}tmp/ r,
+ owner /{,var/}tmp/**/ r,
+ # allow qemu smb feature specific path with write access
+ owner /tmp/qemu-smb.*/{,**} rw,
+
# for file-posix getting limits since 9103f1ce
/sys/devices/**/block/*/queue/max_segments r,
--
2.17.1
12:08 p.m.
New subject: [libvirt] [PATCH 3/4] apparmor: allow expected /tmp access patterns
On Mon, 2018-08-13 at 16:39 +0200, Christian Ehrhardt wrote:
Several cases were found needing /tmp, for example ceph will try to
list /tmp
and the samba feature of qemu will place things in /tmp/qemu-smb.*.
This is sort of safe because:
- While /tmp could contain anything it is not recommended to put
critical
data there anyway
- We restrict general access to only dir listing and reading of
files owned
(intentionally not the full power of user-tmp abstraction)
- While it would be hard to predict the PID as part of the string
for the
qemu smb feature (this is not exposed through XML so virt-aa-
helper
can't help) it is guarded by the "owner" statement and a pretty
clear
qemu-smb infix in the path.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
examples/apparmor/libvirt-qemu | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu
b/examples/apparmor/libvirt-qemu
index 5caf14e418..c4f231b328 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -180,6 +180,16 @@
# for rbd
/etc/ceph/ceph.conf r,
+ # various functions will need /tmp (e.g. ceph), allow the base dir
and a
+ # few known functions.
+ # we want to avoid to give blanket read or even write to
everything under /tmp
+ # so users are expected to add site specific addons for more
uncommon cases.
+ # allow only dir listing and owner based file read
+ /{,var/}tmp/ r,
+ owner /{,var/}tmp/**/ r,
+ # allow qemu smb feature specific path with write access
+ owner /tmp/qemu-smb.*/{,**} rw,
The actual rule additions are a compromise between security and
usability. Personally I'd prefer they not be there and let admins add
them or allow distros to patch them. That said, the comments and commit
message don't seem quite right for what you are adding. Eg, you mention
ceph, but there is no ceph rule and the profile comment doesn't mention
ceph only needs to list dirs; the profile comments are formatted a bit
weird too.
You mention 'sort of safe', but because of the '/{,var/}tmp/ r,' rule,
you are allowing guests to enumerate all the /tmp/qemu-smb.*
directories and then there is a 'rw' rule for that path. While this is
an 'owner' match, in practice, VMs all run under the same uid so this
means a rogue vm would be allowed to access files in these directories.
That said, I don't know what qemu is setting up in there-- so maybe it
is designed in such a way that this doesn't matter.
I'd much rather not call this 'sort of safe' but instead call out the
problem, justify why the rule should be there and perhaps add a TODO
that once smb is supported in domain xml that this rule will be added
conditionally.
+0 for rule inclusion provided the comments and commit message are
addressed. +1 if it can be demonstrated that qemu is handling those
dirs safely wrt vm isolation.
--
Jamie Strandboge | http://www.canonical.com
1:10 a.m.
New subject: [libvirt] [PATCH 3/4] apparmor: allow expected /tmp access patterns
On Mon, Aug 13, 2018 at 7:08 PM Jamie Strandboge <jamie(a)canonical.com>
wrote:
On Mon, 2018-08-13 at 16:39 +0200, Christian Ehrhardt wrote:
> Several cases were found needing /tmp, for example ceph will try to
> list /tmp
> and the samba feature of qemu will place things in /tmp/qemu-smb.*.
> This is sort of safe because:
> - While /tmp could contain anything it is not recommended to put
> critical
> data there anyway
> - We restrict general access to only dir listing and reading of
> files owned
> (intentionally not the full power of user-tmp abstraction)
> - While it would be hard to predict the PID as part of the string
> for the
> qemu smb feature (this is not exposed through XML so virt-aa-
> helper
> can't help) it is guarded by the "owner" statement and a pretty
> clear
> qemu-smb infix in the path.
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
> ---
> examples/apparmor/libvirt-qemu | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/examples/apparmor/libvirt-qemu
> b/examples/apparmor/libvirt-qemu
> index 5caf14e418..c4f231b328 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -180,6 +180,16 @@
> # for rbd
> /etc/ceph/ceph.conf r,
>
> + # various functions will need /tmp (e.g. ceph), allow the base dir
> and a
> + # few known functions.
> + # we want to avoid to give blanket read or even write to
> everything under /tmp
> + # so users are expected to add site specific addons for more
> uncommon cases.
> + # allow only dir listing and owner based file read
> + /{,var/}tmp/ r,
> + owner /{,var/}tmp/**/ r,
> + # allow qemu smb feature specific path with write access
> + owner /tmp/qemu-smb.*/{,**} rw,
The actual rule additions are a compromise between security and
usability. Personally I'd prefer they not be there and let admins add
them or allow distros to patch them. That said, the comments and commit
message don't seem quite right for what you are adding. Eg, you mention
ceph, but there is no ceph rule and the profile comment doesn't mention
ceph only needs to list dirs; the profile comments are formatted a bit
weird too.
You mention 'sort of safe', but because of the '/{,var/}tmp/ r,' rule,
you are allowing guests to enumerate all the /tmp/qemu-smb.*
directories and then there is a 'rw' rule for that path. While this is
an 'owner' match, in practice, VMs all run under the same uid so this
means a rogue vm would be allowed to access files in these directories.
That said, I don't know what qemu is setting up in there-- so maybe it
is designed in such a way that this doesn't matter.
I'd much rather not call this 'sort of safe' but instead call out the
problem, justify why the rule should be there and perhaps add a TODO
that once smb is supported in domain xml that this rule will be added
conditionally.
I updated the comments and commit message to better cover the existing
concerns and TODOs.
And that this is a tradeoff between usability and security.
Further I split the general /tmp from the smb access, to discuss those two
changes individually as needed.
Thanks for the feedback on this!
+0 for rule inclusion provided the comments and commit message are
addressed. +1 if it can be demonstrated that qemu is handling those
dirs safely wrt vm isolation.
--
Jamie Strandboge | http://www.canonical.com
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
9:39 a.m.
New subject: [libvirt] [PATCH 4/4] apparmor: allow to preserve /dev mountpoints into qemu namespaces
Libvirt now tries to preserve all mounts under /dev in qemu namespaces.
The old rules only listed a set of known paths but those are no more enough.
I found some due to containers like /dev/.lxc/* and such but also /dev/console
and /dev/net/tun.
Libvirt is correct to do so, but we can no more predict the names properly, so
we modify the rule to allow a wildcard based pattern matching what libvirt does.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
examples/apparmor/usr.sbin.libvirtd | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 3ff43c32a2..b2e38fe0ad 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -33,17 +33,11 @@
mount options=(rw,rslave) -> /,
mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
- mount options=(rw, move) /dev/ -> /{var/,}run/libvirt/qemu/*.dev/,
- mount options=(rw, move) /dev/hugepages/ -> /{var/,}run/libvirt/qemu/*.hugepages/,
- mount options=(rw, move) /dev/mqueue/ -> /{var/,}run/libvirt/qemu/*.mqueue/,
- mount options=(rw, move) /dev/pts/ -> /{var/,}run/libvirt/qemu/*.pts/,
- mount options=(rw, move) /dev/shm/ -> /{var/,}run/libvirt/qemu/*.shm/,
-
- mount options=(rw, move) /{var/,}run/libvirt/qemu/*.dev/ -> /dev/,
- mount options=(rw, move) /{var/,}run/libvirt/qemu/*.hugepages/ -> /dev/hugepages/,
- mount options=(rw, move) /{var/,}run/libvirt/qemu/*.mqueue/ -> /dev/mqueue/,
- mount options=(rw, move) /{var/,}run/libvirt/qemu/*.pts/ -> /dev/pts/,
- mount options=(rw, move) /{var/,}run/libvirt/qemu/*.shm/ -> /dev/shm/,
+ # libvirt provides any mounts under /dev to qemu namespaces
+ mount options=(rw, move) /dev/ -> /{var/,}run/libvirt/qemu/*.dev/,
+ mount options=(rw, move) /dev/**{/,} -> /{var/,}run/libvirt/qemu/*{/,},
+ mount options=(rw, move) /{var/,}run/libvirt/qemu/*.dev/ -> /dev/,
+ mount options=(rw, move) /{var/,}run/libvirt/qemu/*{/,} -> /dev/**{/,},
network inet stream,
network inet dgram,
--
2.17.1
12:11 p.m.
New subject: [libvirt] [PATCH 4/4] apparmor: allow to preserve /dev mountpoints into qemu namespaces
On Mon, 2018-08-13 at 16:39 +0200, Christian Ehrhardt wrote:
Libvirt now tries to preserve all mounts under /dev in qemu
namespaces.
The old rules only listed a set of known paths but those are no more
enough.
I found some due to containers like /dev/.lxc/* and such but also
/dev/console
and /dev/net/tun.
Libvirt is correct to do so, but we can no more predict the names
properly, so
we modify the rule to allow a wildcard based pattern matching what
libvirt does.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
examples/apparmor/usr.sbin.libvirtd | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/examples/apparmor/usr.sbin.libvirtd
b/examples/apparmor/usr.sbin.libvirtd
index 3ff43c32a2..b2e38fe0ad 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -33,17 +33,11 @@
mount options=(rw,rslave) -> /,
mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
- mount options=(rw, move) /dev/ ->
/{var/,}run/libvirt/qemu/*.dev/,
- mount options=(rw, move) /dev/hugepages/ ->
/{var/,}run/libvirt/qemu/*.hugepages/,
- mount options=(rw, move) /dev/mqueue/ ->
/{var/,}run/libvirt/qemu/*.mqueue/,
- mount options=(rw, move) /dev/pts/ ->
/{var/,}run/libvirt/qemu/*.pts/,
- mount options=(rw, move) /dev/shm/ ->
/{var/,}run/libvirt/qemu/*.shm/,
-
- mount options=(rw, move) /{var/,}run/libvirt/qemu/*.dev/ ->
/dev/,
- mount options=(rw, move) /{var/,}run/libvirt/qemu/*.hugepages/ ->
/dev/hugepages/,
- mount options=(rw, move) /{var/,}run/libvirt/qemu/*.mqueue/ ->
/dev/mqueue/,
- mount options=(rw, move) /{var/,}run/libvirt/qemu/*.pts/ ->
/dev/pts/,
- mount options=(rw, move) /{var/,}run/libvirt/qemu/*.shm/ ->
/dev/shm/,
+ # libvirt provides any mounts under /dev to qemu namespaces
+ mount options=(rw, move) /dev/ -> /{var/,}run/libvirt/qemu/*.dev/,
+ mount options=(rw, move) /dev/**{/,} ->
/{var/,}run/libvirt/qemu/*{/,},
What are you trying to convey with this rule? As written, the '{/,}' is
redundant since '**' will match that.
+ mount options=(rw, move) /{var/,}run/libvirt/qemu/*.dev/ ->
/dev/,
+ mount options=(rw, move) /{var/,}run/libvirt/qemu/*{/,} ->
/dev/**{/,},
ditto
--
Jamie Strandboge | http://www.canonical.com
12:27 a.m.
New subject: [libvirt] [PATCH 4/4] apparmor: allow to preserve /dev mountpoints into qemu namespaces
On Mon, Aug 13, 2018 at 7:11 PM Jamie Strandboge <jamie(a)canonical.com>
wrote:
On Mon, 2018-08-13 at 16:39 +0200, Christian Ehrhardt wrote:
> Libvirt now tries to preserve all mounts under /dev in qemu
> namespaces.
> The old rules only listed a set of known paths but those are no more
> enough.
>
> I found some due to containers like /dev/.lxc/* and such but also
> /dev/console
> and /dev/net/tun.
>
> Libvirt is correct to do so, but we can no more predict the names
> properly, so
> we modify the rule to allow a wildcard based pattern matching what
> libvirt does.
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
> ---
> examples/apparmor/usr.sbin.libvirtd | 16 +++++-----------
> 1 file changed, 5 insertions(+), 11 deletions(-)
>
> diff --git a/examples/apparmor/usr.sbin.libvirtd
> b/examples/apparmor/usr.sbin.libvirtd
> index 3ff43c32a2..b2e38fe0ad 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -33,17 +33,11 @@
> mount options=(rw,rslave) -> /,
> mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
>
> - mount options=(rw, move) /dev/ ->
> /{var/,}run/libvirt/qemu/*.dev/,
> - mount options=(rw, move) /dev/hugepages/ ->
> /{var/,}run/libvirt/qemu/*.hugepages/,
> - mount options=(rw, move) /dev/mqueue/ ->
> /{var/,}run/libvirt/qemu/*.mqueue/,
> - mount options=(rw, move) /dev/pts/ ->
> /{var/,}run/libvirt/qemu/*.pts/,
> - mount options=(rw, move) /dev/shm/ ->
> /{var/,}run/libvirt/qemu/*.shm/,
> -
> - mount options=(rw, move) /{var/,}run/libvirt/qemu/*.dev/ ->
> /dev/,
> - mount options=(rw, move) /{var/,}run/libvirt/qemu/*.hugepages/ ->
> /dev/hugepages/,
> - mount options=(rw, move) /{var/,}run/libvirt/qemu/*.mqueue/ ->
> /dev/mqueue/,
> - mount options=(rw, move) /{var/,}run/libvirt/qemu/*.pts/ ->
> /dev/pts/,
> - mount options=(rw, move) /{var/,}run/libvirt/qemu/*.shm/ ->
> /dev/shm/,
> + # libvirt provides any mounts under /dev to qemu namespaces
> + mount options=(rw, move) /dev/ -> /{var/,}run/libvirt/qemu/*.dev/,
> + mount options=(rw, move) /dev/**{/,} ->
> /{var/,}run/libvirt/qemu/*{/,},
What are you trying to convey with this rule? As written, the '{/,}' is
redundant since '**' will match that.
I had issues on the other end, with different paths being accessed
with/without trailing slash
/{var/,}run/libvirt/qemu/*{/,},
So I added the trailing "with or without slash" part.
You are right, on the other end due to the unpredictable path I already had
** which will cover the trailing slash.
I can do a V2 without the trailing part on the side that has the "**"
already
> + mount options=(rw, move) /{var/,}run/libvirt/qemu/*.dev/
-> /dev/,
> + mount options=(rw, move) /{var/,}run/libvirt/qemu/*{/,} ->
> /dev/**{/,},
ditto
--
Jamie Strandboge | http://www.canonical.com
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
2292
days inactive
2293
days old
11 comments
2 participants
participants (2)
-
Christian Ehrhardt -
Jamie Strandboge