libvirt/examples/apparmor/usr.sbin.libvirtd

94 lines
2.4 KiB
Plaintext
Raw Normal View History

# Last Modified: Mon Apr 5 15:03:58 2010
#include <tunables/global>
@{LIBVIRT}="libvirt"
/usr/sbin/libvirtd flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/dbus>
capability kill,
capability net_admin,
capability net_raw,
capability setgid,
capability sys_admin,
capability sys_module,
capability sys_ptrace,
capability sys_pacct,
capability sys_nice,
capability sys_chroot,
capability setuid,
capability dac_override,
capability dac_read_search,
capability fowner,
capability chown,
capability setpcap,
capability mknod,
capability fsetid,
capability audit_write,
capability ipc_lock,
# Needed for vfio
capability sys_resource,
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
network packet dgram,
network packet raw,
apparmor: support ptrace checks Kernel 4.13 introduced finer-grained ptrace checks https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07 With kernel 4.13 and apparmor 2.11, simply starting libvirtd results in the following apparmor denial type=AVC msg=audit(1506112085.645:954): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined" Attempting to start an unconfined domain results in type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/libvirtd" And attempting to start a confined domain results in type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" Add ptrace rules to allow the trace operations. Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847 Signed-off-by: Jim Fehlig <jfehlig@suse.com> Reviewed-by: Guido Günther <agx@sigxcpu.org>
2017-09-22 23:02:42 +00:00
ptrace (trace) peer=unconfined,
ptrace (trace) peer=/usr/sbin/libvirtd,
ptrace (trace) peer=libvirt-*,
# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
/ r,
/** rwmkl,
/bin/* PUx,
/sbin/* PUx,
/usr/bin/* PUx,
/usr/sbin/virtlogd pix,
/usr/sbin/* PUx,
/{usr/,}lib/udev/scsi_id PUx,
/usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
/usr/{lib,lib64}/xen/bin/* Ux,
/usr/lib/xen-*/bin/libxl-save-helper PUx,
# force the use of virt-aa-helper
audit deny /{usr/,}sbin/apparmor_parser rwxl,
audit deny /etc/apparmor.d/libvirt/** wxl,
audit deny /sys/kernel/security/apparmor/features rwxl,
audit deny /sys/kernel/security/apparmor/matching rwxl,
audit deny /sys/kernel/security/apparmor/.* rwxl,
/sys/kernel/security/apparmor/profiles r,
/usr/{lib,lib64}/libvirt/* PUxr,
/usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
/usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
/etc/libvirt/hooks/** rmix,
/etc/xen/scripts/** rmix,
# allow changing to our UUID-based named profiles
change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
# child profile for bridge helper process
profile qemu_bridge_helper {
#include <abstractions/base>
capability setuid,
capability setgid,
capability setpcap,
capability net_admin,
network inet stream,
/dev/net/tun rw,
/etc/qemu/** r,
owner @{PROC}/*/status r,
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
}
}