From f88a3d9b0c7a04ce31c9dda813c7dbd40ea262e9 Mon Sep 17 00:00:00 2001
From: Felix Geyer
Date: Sun, 26 Jan 2014 22:47:35 +0100
Subject: [PATCH] apparmor: Improve profiles
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Tested on Debian unstable. The profile updates are partly taken from the Ubuntu trusty libvirt package.

Signed-off-by: Guido Günther
---
 examples/apparmor/libvirt-qemu | 21 +++++++++++++++----
 .../apparmor/usr.lib.libvirt.virt-aa-helper | 10 +++++++++
 examples/apparmor/usr.sbin.libvirtd | 16 ++++++++++----
 3 files changed, 39 insertions(+), 8 deletions(-)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 766a334e27..e1980b7cb7 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -9,6 +9,10 @@
 capability dac_read_search,
 capability chown,
+ # needed to drop privileges
+ capability setgid,
+ capability setuid,
+
 network inet stream,
 network inet6 stream,
@@ -20,7 +24,7 @@
 # For hostdev access. The actual devices will be added dynamically
 /sys/bus/usb/devices/ r,
- /sys/devices/*/*/usb[0-9]*/** r,
+ /sys/devices/**/usb[0-9]*/** r,
 # WARNING: this gives the guest direct access to host hardware and specific
 # portions of shared memory. This is required for sound using ALSA with kvm,
@@ -32,6 +36,8 @@
 /{dev,run}/shmpulse-shm* rwk,
 /dev/snd/* rw,
 capability ipc_lock,
+ # spice
+ owner /{dev,run}/shm/spice.* rw,
 # 'kill' is not required for sound and is a security risk. Do not enable
 # unless you absolutely need it.
 deny capability kill,
@@ -58,6 +64,7 @@
 /usr/share/proll/** r,
 /usr/share/vgabios/** r,
 /usr/share/seabios/** r,
+ /usr/share/ovmf/** r,
 # access PKI infrastructure
 /etc/pki/libvirt-vnc/** r,
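Review bot: `capability setgid,` and `capability setuid,` in the hunk at @@ -9,6 +9,10 @@ permit any uid/gid transition by the confined qemu process, not only the downward one that "drop privileges" suggests, and the comment should say so and name what needs it. Something like `# needed to drop privileges (presumably qemu switching to its run-as user); note: this permits any uid/gid change, not only dropping` would make the scope of the grant clear to the next person tightening this profile. I would also confirm that the `owner`-qualified rules elsewhere in the profile still behave as intended once the process has switched uid, since the hunk adds no narrowing for this pair.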
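Review bot: `/sys/devices/**/usb[0-9]*/** r,` in the hunk at @@ -20,7 +24,7 @@ matches a `usb[0-9]*` node at any depth under /sys/devices, where the old `*/*` form only reached two levels down, and the reason for widening it is not recorded anywhere in the hunk or the commit message. It is read-only, so the risk is limited to information disclosure about host devices, but a one-line comment such as `# ** rather than */*: the USB controller may sit several levels deep in the PCI tree` would stop a later reviewer from tightening it back, assuming that is indeed the motivation.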
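Review bot: The context line `/{dev,run}/shmpulse-shm* rwk,` directly above the new rule in the hunk at @@ -32,6 +36,8 @@ reads as if a `/` is missing after `shm`; if the file really contains that path the PulseAudio rule never matches, and `owner /{dev,run}/shm/spice.* rw,` would be the only shm grant in effect. This may be an artefact of how the patch is rendered here, so check the file rather than this page. The `owner` qualifier on the spice rule is the right choice, and the pulse rule next to it would benefit from the same qualifier if sound is ever re-enabled.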
@@ -109,9 +116,15 @@
 /bin/dd rmix,
 /bin/cat rmix,
- /usr/libexec/qemu-bridge-helper Cx,
+ # for usb access
+ /dev/bus/usb/ r,
+ /etc/udev/udev.conf r,
+ /sys/bus/ r,
+ /sys/class/ r,
+
+ /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
 # child profile for bridge helper process
- profile /usr/libexec/qemu-bridge-helper {
+ profile qemu_bridge_helper {
 #include
 capability setuid,
@@ -125,5 +138,5 @@
 /etc/qemu/** r,
 owner @{PROC}/*/status r,
- /usr/libexec/qemu-bridge-helper rmix,
+ /usr/{lib,libexec}/qemu-bridge-helper rmix,
 }
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index 94bf3599a8..bceaaffdf7 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -12,6 +12,8 @@
 network inet,
 deny @{PROC}/[0-9]*/mounts r,
+ @{PROC}/[0-9]*/net/psched r,
+ owner @{PROC}/[0-9]*/status r,
 @{PROC}/filesystems r,
 # for hostdev
@@ -35,4 +37,12 @@
 @{HOME}/** r,
 /var/lib/libvirt/images/ r,
 /var/lib/libvirt/images/** r,
+ /{media,mnt,opt,srv}/** r,
+
+ /**.img r,
+ /**.qcow{,2} r,
+ /**.qed r,
+ /**.vmdk r,
+ /**.[iI][sS][oO] r,
+ /**/disk{,.*} r,
 }
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 1b2483552b..fd6def1d85 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -4,6 +4,7 @@
 /usr/sbin/libvirtd {
 #include
+ #include
 capability kill,
 capability net_admin,
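Review bot: `/usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,` in the hunk at @@ -109,9 +116,15 @@ (and the matching `rmix` line in the hunk at @@ -125,5 +138,5 @@) only matches the helper when it sits directly in /usr/lib or /usr/libexec; on a distribution that installs it one directory deeper (Debian's qemu packaging ships it under /usr/lib/qemu/, as far as I know) the execute rule does not match and the exec falls through to whatever other rule applies, most likely a denial, rather than entering the child profile. Since the commit says it was tested on Debian unstable, that is worth confirming, and either an extra alternative for that layout or a short comment naming the layouts the alternation is meant to cover should be added. Renaming the child profile to `qemu_bridge_helper` with an explicit `Cx ->` target is the right shape, as the profile name no longer has to track the binary's path.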
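Review bot: The six rules from `/**.img r,` to `/**/disk{,.*} r,` in the hunk at @@ -35,4 +37,12 @@ let virt-aa-helper read any file on the host whose name matches those suffixes, with no `owner` qualifier and no comment explaining why, which is a much wider grant than the `/var/lib/libvirt/images/**` line above them. Presumably the helper must probe disk images (format, backing chain) that administrators keep outside the default image directory, but that belongs next to the rules, e.g. `# disk images are often kept outside /var/lib/libvirt/images; these suffixes are read to probe format and backing files`. `/**/disk{,.*}` in particular matches any file named `disk` or `disk.<anything>` at any depth, so its intent deserves its own line or a narrower pattern if only a specific layout is meant. The enclosing profile block starts outside the hunk.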
@@ -22,20 +23,25 @@
 capability setpcap,
 capability mknod,
 capability fsetid,
+ capability audit_write,
 network inet stream,
 network inet dgram,
 network inet6 stream,
 network inet6 dgram,
+ network packet dgram,
 # Very lenient profile for libvirtd since we want to first focus on confining
 # the guests. Guests will have a very restricted profile.
+ / r,
 /** rwmkl,
- /bin/* Ux,
- /sbin/* Ux,
- /usr/bin/* Ux,
- /usr/sbin/* Ux,
+ /bin/* PUx,
+ /sbin/* PUx,
+ /usr/bin/* PUx,
+ /usr/sbin/* PUx,
+ /lib/udev/scsi_id PUx,
+ /usr/lib/xen-common/bin/xen-toolstack PUx,
 # force the use of virt-aa-helper
 audit deny /sbin/apparmor_parser rwxl,
@@ -45,6 +51,8 @@
 audit deny /sys/kernel/security/apparmor/.* rwxl,
 /sys/kernel/security/apparmor/profiles r,
 /usr/lib/libvirt/* PUxr,
+ /etc/libvirt/hooks/** rmix,
+ /etc/xen/scripts/** rmix,
 # allow changing to our UUID-based named profiles
 change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
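Review bot: `capability audit_write,` and `network packet dgram,` in the hunk at @@ -22,20 +23,25 @@ arrive without a comment naming what needs them, unlike most of the surrounding rules; `network packet` is a raw link-layer (AF_PACKET) grant, so a one-line comment above each stating which daemon operation requires it should be added, and the commit message gives no hint of which code path that is. The switch from `Ux` to `PUx` for `/bin/*`, `/sbin/*`, `/usr/bin/*` and `/usr/sbin/*` is an improvement: a child that has its own profile now lands in it instead of running unconfined, and only profile-less binaries fall back to unconfined, with the environment scrubbed in both cases. The two new single-binary `PUx` lines for scsi_id and xen-toolstack would benefit from the same short "why" comment.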
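Review bot: `/etc/libvirt/hooks/** rmix,` and `/etc/xen/scripts/** rmix,` in the hunk at @@ -45,6 +51,8 @@ execute hook scripts with `ix`, so they inherit libvirtd's own profile, which the context above describes as very lenient (`/** rwmkl`), rather than transitioning the way the `PUx` binaries do; a script under those trees therefore runs with essentially libvirtd's full access. That is defensible because both paths are root-owned configuration, but it deserves stating: `# hook scripts are trusted admin content and inherit this (lenient) profile via ix`. Note that `**` also covers subdirectories, so anything placed below those trees is executable in the same way.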