apparmor: Improve profiles

Tested on Debian unstable.
The profile updates are partly taken from the Ubuntu trusty libvirt package.

Signed-off-by: Guido Günther <agx@sigxcpu.org>

examples/apparmor/libvirt-qemu

@@ -9,6 +9,10 @@
   capability dac_read_search,
   capability chown,
 
+  # needed to drop privileges
+  capability setgid,
+  capability setuid,
+
   network inet stream,
   network inet6 stream,
 
@@ -20,7 +24,7 @@
 
   # For hostdev access. The actual devices will be added dynamically
   /sys/bus/usb/devices/ r,
-  /sys/devices/*/*/usb[0-9]*/** r,
+  /sys/devices/**/usb[0-9]*/** r,
 
   # WARNING: this gives the guest direct access to host hardware and specific
   # portions of shared memory. This is required for sound using ALSA with kvm,
@@ -32,6 +36,8 @@
   /{dev,run}/shmpulse-shm* rwk,
   /dev/snd/* rw,
   capability ipc_lock,
+  # spice
+  owner /{dev,run}/shm/spice.* rw,
   # 'kill' is not required for sound and is a security risk. Do not enable
   # unless you absolutely need it.
   deny capability kill,
@@ -58,6 +64,7 @@
   /usr/share/proll/** r,
   /usr/share/vgabios/** r,
   /usr/share/seabios/** r,
+  /usr/share/ovmf/** r,
 
   # access PKI infrastructure
   /etc/pki/libvirt-vnc/** r,
@@ -109,9 +116,15 @@
   /bin/dd rmix,
   /bin/cat rmix,
 
-  /usr/libexec/qemu-bridge-helper Cx,
+  # for usb access
+  /dev/bus/usb/ r,
+  /etc/udev/udev.conf r,
+  /sys/bus/ r,
+  /sys/class/ r,
+
+  /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
   # child profile for bridge helper process
-  profile /usr/libexec/qemu-bridge-helper {
+  profile qemu_bridge_helper {
    #include <abstractions/base>
 
    capability setuid,
@@ -125,5 +138,5 @@
    /etc/qemu/** r,
    owner @{PROC}/*/status r,
 
-   /usr/libexec/qemu-bridge-helper rmix,
+   /usr/{lib,libexec}/qemu-bridge-helper rmix,
   }

examples/apparmor/usr.lib.libvirt.virt-aa-helper

@@ -12,6 +12,8 @@
   network inet,
 
   deny @{PROC}/[0-9]*/mounts r,
+  @{PROC}/[0-9]*/net/psched r,
+  owner @{PROC}/[0-9]*/status r,
   @{PROC}/filesystems r,
 
   # for hostdev
@@ -35,4 +37,12 @@
   @{HOME}/** r,
   /var/lib/libvirt/images/ r,
   /var/lib/libvirt/images/** r,
+  /{media,mnt,opt,srv}/** r,
+
+  /**.img r,
+  /**.qcow{,2} r,
+  /**.qed r,
+  /**.vmdk r,
+  /**.[iI][sS][oO] r,
+  /**/disk{,.*} r,
 }

examples/apparmor/usr.sbin.libvirtd

@@ -4,6 +4,7 @@
 
 /usr/sbin/libvirtd {
   #include <abstractions/base>
+  #include <abstractions/dbus>
 
   capability kill,
   capability net_admin,
@@ -22,20 +23,25 @@
   capability setpcap,
   capability mknod,
   capability fsetid,
+  capability audit_write,
 
   network inet stream,
   network inet dgram,
   network inet6 stream,
   network inet6 dgram,
+  network packet dgram,
 
   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
+  / r,
   /** rwmkl,
 
-  /bin/* Ux,
+  /bin/* PUx,
-  /sbin/* Ux,
+  /sbin/* PUx,
-  /usr/bin/* Ux,
+  /usr/bin/* PUx,
-  /usr/sbin/* Ux,
+  /usr/sbin/* PUx,
+  /lib/udev/scsi_id PUx,
+  /usr/lib/xen-common/bin/xen-toolstack PUx,
 
   # force the use of virt-aa-helper
   audit deny /sbin/apparmor_parser rwxl,
@@ -45,6 +51,8 @@
   audit deny /sys/kernel/security/apparmor/.* rwxl,
   /sys/kernel/security/apparmor/profiles r,
   /usr/lib/libvirt/* PUxr,
+  /etc/libvirt/hooks/** rmix,
+  /etc/xen/scripts/** rmix,
 
   # allow changing to our UUID-based named profiles
   change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,