Several cases were found needing /tmp, for example ceph will try to list /tmp
This is a compromise of security and usability:
- we only allow generally enumerating the base dir
- enumerating anything deeper in the dir is at least guarded by the
"owner" restriction, but while that protects files of other services
it won't protect qemu instances against each other as they usually run
with the same user.
- even with the owner restriction we only allow read for the wildcard
path
Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
virt-manager's UI connection will need socket access for openGraphicsFD
to work - otherwise users will face a failed connection error when
opening the UI view.
Depending on the exact versions of libvirt and qemu involved this needs
either a rule from qemu to libvirt or vice versa.
Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
This patch extends the AppArmor domain profile with file paths
the swtpm accesses for state, log, pid, and socket files.
Both, QEMU and swtpm, use this AppArmor profile.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>
The base vfio has not much functionality but to provide a custom
container by opening this path.
See https://www.kernel.org/doc/Documentation/vfio.txt for more.
Systems with static hostdevs will get /dev/vfio/vfio by virt-aa-hotplug
right from the beginning. But if the guest initially had no hostdev at
all it will run into the following deny before the security module
labelling callbacks will make the actual vfio device (like /dev/vfio/93)
known.
Example of such a deny:
[ 2652.756712] audit: type=1400 audit(1491303691.719:25):
apparmor="DENIED" operation="open"
profile="libvirt-17a61b87-5132-497c-b928-421ac2ee0c8a"
name="/dev/vfio/vfio" pid=8486 comm="qemu-system-x86"
requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1678322
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1775777
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
If a system has sasl GSSAPI plugin available qemu with sasl support will
try to read /etc/gss/mech.d/.
It is required to allow that to let the modules fully work and it should
be safe to do so as it only registers/configures plugins but has no secrets.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
While libvirtd might do so, qemu itself as a guest will not need
to call qemu-nbd so remove it from the profile.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Adding the PKI path that is used as default suggestion in src/qemu/qemu.conf
If people use non-default paths they should use local overrides but the
suggested defaults we should open up.
This is the default path as referenced by src/qemu/qemu.conf in libvirt.
While doing so merge the several places we have to cover PKI access into
one.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1690140
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Allows (multi-arch enabled) access to libraries under the
/usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu
qemu-block-extra package and all such libs for the paths
of rpm qemu-block-* packages.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554761
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Prevent denial messages related to attempted reads on lttng
files from spamming the logs.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1432644
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Noticed the following denial in audit.log when shutting down
an apparmor confined domain
type=AVC msg=audit(1512002299.742:131): apparmor="DENIED"
operation="open" profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86"
requested_mask="r" denied_mask="r" fsuid=469 ouid=0
Squelch the denial by allowing read access to /proc/<pid>/cmdline.
Since qemu 2.9 via 9103f1ce "file-posix: Consider max_segments for
BlockLimits.max_transfer" this is a new access that is denied by the
qemu profile.
It is non fatal, but prevents the fix mentioned to actually work.
It should be safe to allow reading from that path.
Since qemu opens a symlink path we need to translate that for apparmor from
"/sys/dev/block/*/queue/max_segments" to
"/sys/devices/**/block/*/queue/max_segments"
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
In bf3a4140 "virt-aa-helper: fix libusb access to udev usb data" the
libusb access to properly detect the device/bus ids was fixed.
The path /run/udev/data/+usb* contains a subset of that information we
already allow to be read and are currently not needed for the function
qemu needs libusb for. But on the init of libusb all those files are
still read so a lot of apparmor denials can be seen when using usb host
devices, like:
apparmor="DENIED" operation="open" name="/run/udev/data/+usb:2-1.2:1.0"
comm="qemu-system-x86" requested_mask="r" denied_mask="r"
Today we could silence the warnings with a deny rule without breaking
current use cases. But since the data in there is only a subset of those
it can read already it is no additional information exposure. And on the
other hand a future udev/libusb/qemu combination might need it so allow
the access in the default apparmor profile.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
libusb as used by qemu needs to read data from /run/udev/data/ about usb
devices. That is read once on the first initialization of libusb_init by
qemu.
Therefore generating just the device we need would not be sufficient as
another hotplug later can need another device which would fail as the
data is no more re-read at this point.
But we can restrict the paths very much to just the major number of
potential usb devices which will make it match approximately the detail
that e.g. an lsusb -v would reveal - that is much safer than the
"/run/udev/data/* r" blanket many users are using now as a workaround.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
When setting up VncTLS according to the official Libvirt documentation,
only one certificate for libvirt/libvirt-vnc is used. The document
indicates to use the following directories :
/etc/pki/CA
/etc/pki/libvirt
/etc/pki/libvirt/private
in order to manage the certificates used by libvirt-vnc.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/901272
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Updates profile to allow running on ppc64el.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1374554
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
The split firmware and variables files introduced by
https://bugs.debian.org/764918 are in a different directory for
some reason. Let the virtual machine read both.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
libcap-ng >= 0.7.4 fails when it can't read /sys/kernel/cap_last_cap
and thus running a qemu guest fails.
Allow reading cap_last_cap in the libvirt-qemu apparmor abstraction.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
See lp#1276719 for the bug description. As virt-aa-helper doesn't know
the VFIO groups to use for the guest, allow access to all
/dev/vfio/[0-9]* and /dev/vfio/vfio files if there is a potential need
for vfio
Signed-off-by: Eric Blake <eblake@redhat.com>
This patch provides AppArmor policy updates for the QEMU bridge helper.
The QEMU bridge helper is a SUID executable exec'd by QEMU that drops
capabilities to CAP_NET_ADMIN and adds a tap device to a network bridge.
Signed-off-by: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
Signed-off-by: Corey Bryant<coreyb@linux.vnet.ibm.com>
In the Ubuntu development release we recently got a new udev that
moves /var/run to /run, /var/lock to /run/lock and /dev/shm to /run/shm.
This change in udev requires updating the apparmor security driver in
libvirt[1].
Attached is a patch that:
* adjusts src/security/virt-aa-helper.c to allow both
LOCALSTATEDIR/run/libvirt/**/%s.pid and /run/libvirt/**/%s.pid. While
the profile is not as precise, LOCALSTATEDIR/run/ is typically a symlink
to /run/ anyway, so there is no additional access (remember that
apparmor resolves symlinks, which is why this is still required even
if /var/run points to /run).
* adjusts example/apparmor/libvirt-qemu paths for /dev/shm
[1]https://launchpad.net/bugs/810270
--
Jamie Strandboge | http://www.canonical.com
Add libvirt support for MicroBlaze architecture as a QEMU target. Based on mips/mipsel pattern.
Signed-off-by: John Williams <john.williams@petalogix.com>
* examples/apparmor/libvirt-qemu: adds pulseaudio, alsa and preliminary
save/restore to the example apparmor abstraction
* examples/apparmor/usr.sbin.libvirtd: allows libvirtd access to inet
dgram, inet6 dgram, inet6 stream and /usr/lib/libvirt/*
* docs/drvqemu.html.in: include documentation for AppArmor sVirt
confinement
* examples/apparmor/TEMPLATE examples/apparmor/libvirt-qemu
examples/apparmor/usr.lib.libvirt.virt-aa-helper
examples/apparmor/usr.sbin.libvirtd: example templates and
configuration files for SVirt Apparmor when using KVM/QEmu
