apparmor: Reflect paths from configure in profiles

The configure script allows users to specify different paths for /etc/, /usr/sbin/, /var/run/ and /usr/libexec/. Instead of assuming user will pass expected value, generate the apparmor profiles using the actual values. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2025-01-11 15:27:47 +00:00 · 2020-01-30 11:06:47 +01:00 · 2020-01-30 11:06:47 +01:00 · 5c8bd31c88
commit 5c8bd31c88
parent 2df925459c
3 changed files with 35 additions and 16 deletions
--- a/src/security/Makefile.inc.am
+++ b/src/security/Makefile.inc.am
@ -30,16 +30,36 @@ SECURITY_DRIVER_APPARMOR_SOURCES = \
 	security/security_apparmor.c \
 	$(NULL)
 SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES_IN = \
 	security/apparmor/usr.lib.libvirt.virt-aa-helper.in \
 	security/apparmor/usr.sbin.libvirtd.in \
 	$(NULL)
 SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES = \
 	$(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES_IN:%.in=%)
 	$(NULL)
 security/apparmor/%: $(srcdir)/security/apparmor/%.in
 	$(AM_V_GEN)$(MKDIR_P) `dirname $@` && \
 	$(SED) \
 		-e 's|[@]sysconfdir[@]|@sysconfdir@|' \
 		-e 's|[@]sbindir[@]|@sbindir@|' \
 		-e 's|[@]runstatedir[@]|@runstatedir@|' \
 		-e 's|[@]libexecdir[@]|@libexecdir@|' \
 		$< > $@
 BUILT_SOURCES += $(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES)
 CLEANFILES += $(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES)
 EXTRA_DIST += \
 	$(SECURITY_DRIVER_SELINUX_SOURCES) \
 	$(SECURITY_DRIVER_APPARMOR_SOURCES) \
 	$(SECURITY_DRIVER_APPARMOR_HELPER_SOURCES) \
 	$(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES_IN) \
 	security/apparmor/TEMPLATE.qemu \
 	security/apparmor/TEMPLATE.lxc \
 	security/apparmor/libvirt-qemu \
 	security/apparmor/libvirt-lxc \
 	security/apparmor/usr.lib.libvirt.virt-aa-helper \
 	security/apparmor/usr.sbin.libvirtd \
 	$(NULL)
 libvirt_security_manager_la_SOURCES = $(SECURITY_DRIVER_SOURCES)
@ -91,8 +111,7 @@ endif WITH_SECDRIVER_APPARMOR
 if WITH_APPARMOR_PROFILES
 apparmordir = $(sysconfdir)/apparmor.d/
 apparmor_DATA = \
-	security/apparmor/usr.lib.libvirt.virt-aa-helper \
+	$(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES)
 	security/apparmor/usr.sbin.libvirtd \
 	$(NULL)
 abstractionsdir = $(apparmordir)/abstractions
@ -108,7 +127,7 @@ templates_DATA = \
 	$(NULL)
 APPARMOR_LOCAL_DIR = "$(DESTDIR)$(apparmordir)/local"
-install-apparmor-local:
+install-apparmor-local: $(SECURITY_DRIVER_APPARMOR_GENERATED_PROFILES)
 	$(MKDIR_P) "$(APPARMOR_LOCAL_DIR)"
 	echo "# Site-specific additions and overrides for \
 		'usr.lib.libvirt.virt-aa-helper'" \
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@ -1,6 +1,6 @@
 #include <tunables/global>
-profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
+profile virt-aa-helper @libexecdir@/virt-aa-helper {
  #include <abstractions/base>
  # needed for searching directories
@ -19,7 +19,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
  # Used when internally running another command (namely apparmor_parser)
  @{PROC}/@{pid}/fd/ r,
-  /etc/libnl-3/classid r,
+  @sysconfdir@/libnl-3/classid r,
  # for gl enabled graphics
  /dev/dri/{,*} r,
@ -38,11 +38,11 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
  deny /dev/mapper/ r,
  deny /dev/mapper/* r,
-  /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
+  @libexecdir@/virt-aa-helper mr,
  /{usr/,}sbin/apparmor_parser Ux,
-  /etc/apparmor.d/libvirt/* r,
+  @sysconfdir@/apparmor.d/libvirt/* r,
-  /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+  @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
  # for backingstore -- allow access to non-hidden files in @{HOME} as well
  # as storage pools
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@ -1,7 +1,7 @@
 #include <tunables/global>
@{LIBVIRT}="libvirt"
-profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
+profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/dbus>
@ -80,8 +80,8 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
  /bin/* PUx,
  /sbin/* PUx,
  /usr/bin/* PUx,
-  /usr/sbin/virtlogd pix,
+  @sbindir@/virtlogd pix,
-  /usr/sbin/* PUx,
+  @sbindir@/* PUx,
  /{usr/,}lib/udev/scsi_id PUx,
  /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
  /usr/{lib,lib64}/xen/bin/* Ux,
@ -98,9 +98,9 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
  audit deny /sys/kernel/security/apparmor/matching rwxl,
  audit deny /sys/kernel/security/apparmor/.* rwxl,
  /sys/kernel/security/apparmor/profiles r,
-  /usr/{lib,lib64}/libvirt/* PUxr,
+  @libexecdir@/* PUxr,
-  /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
+  @libexecdir@/libvirt_parthelper ix,
-  /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
+  @libexecdir@/libvirt_iohelper ix,
  /etc/libvirt/hooks/** rmix,
  /etc/xen/scripts/** rmix,