Apparmor: Add profile for virtxend

A new apparmor profile initially derived from the libvirtd profile. All rules were prefixed with the 'audit' qualifier to verify they are actually used by virtxend. It turns out that several, beyond the obvious ones, can be dropped in the resulting virtxend profile. Signed-off-by: Jim Fehlig <jfehlig@suse.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com>
2024-07-31 05:57:16 +00:00 · 2021-06-15 11:24:14 -06:00 · 2021-06-15 11:24:14 -06:00 · 3c18bc304e
commit 3c18bc304e
parent ccba72b414
2 changed files with 56 additions and 0 deletions
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@ -2,6 +2,7 @@ apparmor_gen_profiles = [
  'usr.lib.libvirt.virt-aa-helper',
  'usr.sbin.libvirtd',
  'usr.sbin.virtqemud',
+  'usr.sbin.virtxend',
 ]

 apparmor_gen_profiles_conf = configuration_data()
--- a/src/security/apparmor/usr.sbin.virtxend.in
+++ b/src/security/apparmor/usr.sbin.virtxend.in
@ -0,0 +1,55 @@
+#include <tunables/global>
+
+profile virtxend @sbindir@/virtxend flags=(attach_disconnected) {
+  #include <abstractions/base>
+  #include <abstractions/dbus>
+
+  capability kill,
+  capability setgid,
+  capability setuid,
+  capability sys_pacct,
+  capability ipc_lock,
+
+  network inet stream,
+  network inet dgram,
+  network inet6 stream,
+  network inet6 dgram,
+  network netlink raw,
+  network packet dgram,
+  network packet raw,
+
+  # for --p2p migrations
+  unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
+
+  ptrace (read,trace) peer=unconfined,
+
+  signal (send) set=(kill, term, hup) peer=unconfined,
+
+  # Very lenient profile for virtxend
+  / r,
+  /** rwmkl,
+
+  /bin/* PUx,
+  /sbin/* PUx,
+  /usr/bin/* PUx,
+  @sbindir@/virtlogd pix,
+  @sbindir@/* PUx,
+  /{usr/,}lib/udev/scsi_id PUx,
+  /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
+  /usr/{lib,lib64,libexec}/xen/bin/* Ux,
+  /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,
+  /usr/{lib,libexec}/xen-*/bin/pygrub PUx,
+
+  # force the use of virt-aa-helper
+  audit deny /{usr/,}sbin/apparmor_parser rwxl,
+  audit deny /etc/apparmor.d/libvirt/** wxl,
+  audit deny /sys/kernel/security/apparmor/features rwxl,
+  audit deny /sys/kernel/security/apparmor/matching rwxl,
+  audit deny /sys/kernel/security/apparmor/.* rwxl,
+  /sys/kernel/security/apparmor/profiles r,
+  @libexecdir@/* PUxr,
+  @libexecdir@/libvirt_parthelper ix,
+  @libexecdir@/libvirt_iohelper ix,
+  /etc/libvirt/hooks/** rmix,
+  /etc/xen/scripts/** rmix,
+}