libvirt/src/security/apparmor/usr.sbin.virtxend.in

#include <tunables/global>

profile virtxend @sbindir@/virtxend flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/dbus>

  capability kill,
  capability setgid,
  capability setuid,
  capability sys_pacct,
  capability ipc_lock,

  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,
  network netlink raw,
  network packet dgram,
  network packet raw,

  # for --p2p migrations
  unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),

  ptrace (read,trace) peer=unconfined,

  signal (send) set=(kill, term, hup) peer=unconfined,

  # Very lenient profile for virtxend
  / r,
  /** rwmkl,

  /bin/* PUx,
  /sbin/* PUx,
  /usr/bin/* PUx,
  @sbindir@/virtlogd pix,
  @sbindir@/* PUx,
  /{usr/,}lib/udev/scsi_id PUx,
  /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
  /usr/{lib,lib64,libexec}/xen/bin/* Ux,
  /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,
  /usr/{lib,libexec}/xen-*/bin/pygrub PUx,

  # force the use of virt-aa-helper
  audit deny /{usr/,}sbin/apparmor_parser rwxl,
  audit deny /etc/apparmor.d/libvirt/** wxl,
  audit deny /sys/kernel/security/apparmor/features rwxl,
  audit deny /sys/kernel/security/apparmor/matching rwxl,
  audit deny /sys/kernel/security/apparmor/.* rwxl,
  /sys/kernel/security/apparmor/profiles r,
  @libexecdir@/* PUxr,
  @libexecdir@/libvirt_parthelper ix,
  @libexecdir@/libvirt_iohelper ix,
  /etc/libvirt/hooks/** rmix,
  /etc/xen/scripts/** rmix,

@BEGIN_APPARMOR_3@
  include if exists <local/usr.sbin.virtxend>
@END_APPARMOR_3@
}
Apparmor: Add profile for virtxend A new apparmor profile initially derived from the libvirtd profile. All rules were prefixed with the 'audit' qualifier to verify they are actually used by virtxend. It turns out that several, beyond the obvious ones, can be dropped in the resulting virtxend profile. Signed-off-by: Jim Fehlig <jfehlig@suse.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com> 2021-06-15 11:24:14 -06:00			`#include <tunables/global>`

			`profile virtxend @sbindir@/virtxend flags=(attach_disconnected) {`
			`#include <abstractions/base>`
			`#include <abstractions/dbus>`

			`capability kill,`
			`capability setgid,`
			`capability setuid,`
			`capability sys_pacct,`
			`capability ipc_lock,`

			`network inet stream,`
			`network inet dgram,`
			`network inet6 stream,`
			`network inet6 dgram,`
			`network netlink raw,`
			`network packet dgram,`
			`network packet raw,`

			`# for --p2p migrations`
			`unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),`

			`ptrace (read,trace) peer=unconfined,`

			`signal (send) set=(kill, term, hup) peer=unconfined,`

			`# Very lenient profile for virtxend`
			`/ r,`
			`/** rwmkl,`

			`/bin/* PUx,`
			`/sbin/* PUx,`
			`/usr/bin/* PUx,`
			`@sbindir@/virtlogd pix,`
			`@sbindir@/* PUx,`
			`/{usr/,}lib/udev/scsi_id PUx,`
			`/usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,`
			`/usr/{lib,lib64,libexec}/xen/bin/* Ux,`
			`/usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,`
			`/usr/{lib,libexec}/xen-*/bin/pygrub PUx,`

			`# force the use of virt-aa-helper`
			`audit deny /{usr/,}sbin/apparmor_parser rwxl,`
			`audit deny /etc/apparmor.d/libvirt/** wxl,`
			`audit deny /sys/kernel/security/apparmor/features rwxl,`
			`audit deny /sys/kernel/security/apparmor/matching rwxl,`
			`audit deny /sys/kernel/security/apparmor/.* rwxl,`
			`/sys/kernel/security/apparmor/profiles r,`
			`@libexecdir@/* PUxr,`
			`@libexecdir@/libvirt_parthelper ix,`
			`@libexecdir@/libvirt_iohelper ix,`
			`/etc/libvirt/hooks/** rmix,`
			`/etc/xen/scripts/** rmix,`
apparmor: Make all profiles extensible Do for all other profiles what we already do for the virt-aa-helper one. In this case we limit the feature to AppArmor 3.x, as it was never implemented for 2.x. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Jim Fehlig <jfehlig@suse.com> 2023-06-29 12:04:02 +02:00
			`@BEGIN_APPARMOR_3@`
			`include if exists <local/usr.sbin.virtxend>`
			`@END_APPARMOR_3@`
Apparmor: Add profile for virtxend A new apparmor profile initially derived from the libvirtd profile. All rules were prefixed with the 'audit' qualifier to verify they are actually used by virtxend. It turns out that several, beyond the obvious ones, can be dropped in the resulting virtxend profile. Signed-off-by: Jim Fehlig <jfehlig@suse.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com> 2021-06-15 11:24:14 -06:00			`}`