42 Commits

Author SHA1 Message Date
Christian Ehrhardt
d6ecd766aa
apparmor: allow getattr on usb devices
For the handling of usb we already allow plenty of read access,
but so far /sys/bus/usb/devices only needed read access to the directory
to enumerate the symlinks in there that point to the actual entries via
relative links to ../../../devices/.

But in more recent systemd with updated libraries a program might do
getattr calls on those symlinks. And while symlinks in apparmor usually
do not matter, as it is the effective target of an access that has to be
allowed, here the getattr calls are on the links themselves.

On USB hostdev usage that causes a set of denials like:
 apparmor="DENIED" operation="getattr" class="file"
 name="/sys/bus/usb/devices/usb1" comm="qemu-system-x86"
 requested_mask="r" denied_mask="r" ...

It is safe to read the links, therefore add a rule to allow it to
the block of rules that covers the usb related access.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Michal Privoznik <mprivozn at redhat.com>
2022-11-22 09:44:16 +01:00
Andrea Bolognani
2b98d5d91d apparmor: Allow locking AAVMF firmware
We already allow this for OVMF.

Closes: https://gitlab.com/libvirt/libvirt/-/issues/312
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2022-05-23 14:01:21 +02:00
Lena Voytek
d97f8807d2 apparmor: Allow swtpm to use its own apparmor profile
Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
2022-04-20 11:55:21 +00:00
Andrea Bolognani
b94239a61e meson: Use dicts to initialize cfg_data objects
Instead of creating an empty object and then setting keys one
at a time, it is possible to pass a dict object to
configuration_data(). This is nicer because it doesn't require
repeating the name of the cfg_data object over and over.

There is one exception: the 'conf' object, where we store values
that are used directly by C code. In that case, using a dict
object is not feasible for two reasons: first of all, replacing
the set_quoted() calls would result in awkward code with a lot
of calls to format(); moreover, since code that modifies it is
sprinkled all over the place, refactoring it would probably
make things more complicated rather than simpler.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2022-04-01 15:33:19 +02:00
Martin Pitt
7aec69b7fb
apparmor: Fix QEMU access for UEFI variable files
QEMU needs to read, write, and lock the NVRAM *.fd files with UEFI
firmware.

Fixes: https://bugs.debian.org/1006324
Fixes: https://launchpad.net/bugs/1962035

Signed-off-by: Martin Pitt <mpitt@debian.org>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2022-03-09 10:50:23 +01:00
Christian Ehrhardt
e3c5a8ec73
apparmor: ceph config file names
If running multiple [1] clusters (uncommon) the ceph config file will be
derived from the cluster name. Therefore the rule to allow to read ceph
config files need to be opened up slightly to allow for that condition.

[1]: https://docs.ceph.com/en/mimic/rados/configuration/common/#running-multiple-clusters

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1588576

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-10-11 08:01:27 +02:00
Jim Fehlig
3c18bc304e Apparmor: Add profile for virtxend
A new apparmor profile initially derived from the libvirtd profile.
All rules were prefixed with the 'audit' qualifier to verify they
are actually used by virtxend. It turns out that several, beyond
the obvious ones, can be dropped in the resulting virtxend profile.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
2021-07-14 09:16:58 -06:00
Jim Fehlig
ccba72b414 Apparmor: Add profile for virtqemud
A new apparmor profile derived from the libvirtd profile, with non-QEMU
related rules removed. Adopt the libvirt-qemu abstraction to work with
the new profile.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
2021-07-14 09:16:58 -06:00
Olaf Hering
75803d16ee apparmor: Allow /usr/libexec for private xen-tools binaries
This is a followup for commit e906c4d02bdcddf141b4d124afd68c8ee10134fe
("apparmor: Allow /usr/libexec for libxl-save-helper and pygrub"):

In recent rpm versions --libexecdir changed from /usr/lib64 to
/usr/libexec. A plain rpmbuild %configure in xen.git will install all
files, including the private copies of qemu, into /usr/libexec/xen/bin.
Expand the existing pattern to cover also this libexecdir variant.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-07-14 17:07:22 +02:00
Jim Fehlig
64ae7635e6 Apparmor: Allow reading /etc/ssl/openssl.cnf
I noticed the following denial when running confined VMs with the QEMU
driver

type=AVC msg=audit(1623865089.263:865): apparmor="DENIED" operation="open" \
profile="virt-aa-helper" name="/etc/ssl/openssl.cnf" pid=12503 \
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Allow reading the file by including the openssl abstraction in the
virt-aa-helper profile.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2021-06-24 13:54:47 -06:00
Jim Fehlig
f552e68d9f Apparmor: Allow reading libnl's classid file
I noticed the following denial messages from apparmor in audit.log when
starting confined VMs via the QEMU driver

type=AVC msg=audit(1623864006.370:837): apparmor="DENIED" operation="open" \
profile="virt-aa-helper" name="/etc/libnl/classid" pid=11265 \
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

type=AVC msg=audit(1623864006.582:849): apparmor="DENIED" operation="open" \
profile="libvirt-0ca2720d-6cff-48bb-86c2-61ab9a79b6e9" \
name="/etc/libnl/classid" pid=11270 comm="qemu-system-x86" \
requested_mask="r" denied_mask="r" fsuid=107 ouid=0

It is possible for site admins to assign names to classids in this file,
which are then used by all libnl tools, possibly those used by libvirt.
To be on the safe side, allow read access to the file in the virt-aa-helper
profile and the libvirt-qemu abstraction.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2021-06-24 13:54:42 -06:00
Jim Fehlig
4f2811eb81 apparmor: Permit new capabilities required by libvirtd
The audit log contains the following denials from libvirtd

apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="daemon-init" capability=17  capname="sys_rawio"
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=39  capname="bpf"
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=38  capname="perfmon"

Squelch the denials and allow the capabilities in the libvirtd
apparmor profile.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-06-08 11:13:00 -06:00
Jim Fehlig
0d05d51b71 apparmor: Allow lxc processes to receive signals from libvirt
LXC processes confined by apparmor are not permitted to receive signals
from libvirtd. Attempting to destroy such a process fails

virsh --connect lxc:/// destroy distro_apparmor
 error: Failed to destroy domain distro_apparmor
 error: Failed to kill process 29491: Permission denied

And from /var/log/audit/audit.log

type=AVC msg=audit(1606949706.142:6345): apparmor="DENIED"
operation="signal" profile="libvirt-314b7109-fdce-48dc-ad28-7c47958a27c1"
pid=29390 comm="libvirtd" requested_mask="receive" denied_mask="receive"
signal=term peer="libvirtd"

Similar to the libvirt-qemu abstraction, add a rule to the libvirt-lxc
abstraction allowing reception of signals from libvirtd.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2020-12-03 16:38:33 -07:00
Christian Ehrhardt
1441ce83fe
apparmor: allow kvm-spice compat wrapper
'kvm-spice' is a binary name used to call 'kvm' which actually is a wrapper
around qemu-system-x86_64 enabling kvm acceleration. This isn't in use
for quite a while anymore, but required to work for compatibility e.g.
when migrating in old guests.

For years this was a symlink kvm-spice->kvm and therefore covered
apparmor-wise by the existing entry:
   /usr/bin/kvm rmix,
But due to a recent change [1] in qemu packaging this now is no symlink,
but a wrapper on its own and therefore needs an own entry that allows it
to be executed.

[1]: https://salsa.debian.org/qemu-team/qemu/-/commit/9944836d3

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Michal Privoznik <mprivozn redhat com>
2020-11-17 15:56:43 +01:00
Jim Fehlig
e906c4d02b apparmor: Allow /usr/libexec for libxl-save-helper and pygrub
Like other distros, openSUSE Tumbleweed recently changed libexecdir from
/usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper
and pygrub.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2020-09-24 07:47:34 -06:00
Kevin Locke
44cbd3afaf
apparmor: allow libvirtd to call virtiofsd
When using [virtiofs], libvirtd must launch [virtiofsd] to provide
filesystem access on the host.  When a guest is configured with
virtiofs, such as:

    <filesystem type='mount' accessmode='passthrough'>
      <driver type='virtiofs'/>
      <source dir='/path'/>
      <target dir='mount_tag'/>
    </filesystem>

Attempting to start the guest fails with:

    internal error: virtiofsd died unexpectedly

/var/log/libvirt/qemu/$name-fs0-virtiofsd.log contains (as a single
line, wrapped below):

    libvirt:  error : cannot execute binary /usr/lib/qemu/virtiofsd:
    Permission denied

dmesg contains (as a single line, wrapped below):

    audit: type=1400 audit(1598229295.959:73): apparmor="DENIED"
    operation="exec" profile="libvirtd" name="/usr/lib/qemu/virtiofsd"
    pid=46007 comm="rpc-worker" requested_mask="x" denied_mask="x"
    fsuid=0 ouid=0

To avoid this, allow execution of virtiofsd from the libvirtd AppArmor
profile.

[virtiofs]: https://libvirt.org/kbase/virtiofs.html
[virtiofsd]: https://www.qemu.org/docs/master/interop/virtiofsd.html

Signed-off-by: Kevin Locke <kevin@kevinlocke.name>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2020-08-26 10:34:53 +02:00
Christian Ehrhardt
d61d8206f3
apparmor: allow unmounting .dev entries
With qemu 5.0 and libvirt 6.6 there are new apparmor denials:
  apparmor="DENIED" operation="umount" profile="libvirtd"
  name="/run/libvirt/qemu/1-kvmguest-groovy-norm.dev/" comm="rpc-worker"

These are related to new issues around devmapper handling [1] and the
error path triggered by these issues now causes this new denial.

There are already related rules for mounting and it seems right to
allow also the related umount.

[1]: https://www.redhat.com/archives/libvir-list/2020-August/msg00236.html

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2020-08-13 12:52:45 +02:00
Christian Ehrhardt
3ef2af8ed3
apparmor: let qemu load old shared objects after upgrades
Since [1] qemu can after upgrade fall back to pre-upgrade modules
to still be able to dynamically load qemu-module based features.

The paths for these modules are pre-defined by the code and should
be allowed to be mapped and loaded from which will allow packagers
avoiding the inability of late feature load [2] after package upgrades.

[1]: https://github.com/qemu/qemu/commit/bd83c861
[2]: https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1847361

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange redhat com>
2020-08-10 07:32:07 +02:00
Stefan Bader
7c5ef98c00
apparmor: qemu access to @{PROC}/*/auxv for hw_cap
On some architectures (ppc, s390x, sparc, arm) qemu will read auxv
to detect hardware capabilities via qemu_getauxval.

Allow that access read-only for the entry owned by the current
qemu process.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
2020-08-10 07:32:06 +02:00
Jamie Strandboge
e16967fd6e
apparmor: read only access to overcommit_memory
Allow qemu to read @{PROC}/sys/vm/overcommit_memory.
This is read on guest start-up and (as read-only) not a
critical secret that has to stay hidden.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Jamie Strandboge <jamie@ubuntu.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2020-08-10 07:32:06 +02:00
Stefan Bader
8b6ee1afdb
apparmor: allow libvirtd to call pygrub
When using xen through libxl in Debian/Ubuntu it needs to be able to
call pygrub.

This is placed in a versioned path like /usr/lib/xen-4.11/bin.
In theory the rule could be more strict by rendering the libexec_dir
setting pkg-config can derive from libbxen-dev. But that would make
particular libvirt/xen packages version-depend on each other. It seems
more reasonable to avoid these versioned dependencies and use a wildcard
rule instead as it is already in place for libxl-save-helper.

Note: This change was in Debian [1] and Ubuntu [2] for quite some time
already.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931768
[2]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1326003

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
2020-08-10 07:32:06 +02:00
Sam Hartman
155d4fe3fa
apparmor: allow default pki path
/etc/pki/qemu is a pki path recommended by qemu tls docs [1]
and one that can cause issues with spice connections when missing.

Add the path to the allowed list of pki paths to fix the issue.

Note: this is active in Debian/Ubuntu [1] for quite a while already.

[1]: https://www.qemu.org/docs/master/system/tls.html
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930100

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
2020-08-10 07:32:05 +02:00
Pavel Hrdina
de389dddad meson: src/security: install apparmor profile files
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
2020-08-03 09:27:05 +02:00
Christian Ehrhardt
8f61fd6bf2
apparmor: avoid denials on libpmem initialization
With libpmem support compiled into qemu it will trigger the following
denials on every startup.
  apparmor="DENIED" operation="open" name="/"
  apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/"

This is due to [1] that tries to auto-detect if the platform supports
auto flush for all region.

Once we know all the paths that are potentially needed if this feature
is really used we can add them conditionally in virt-aa-helper and labelling
calls in case </pmem> is enabled.

But until then the change here silences the denial warnings seen above.

[1]: https://github.com/pmem/pmdk/blob/master/src/libpmem2/auto_flush_linux.c#L131

Bug: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1871354

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
2020-04-15 10:33:23 +02:00
Christian Ehrhardt
8dd9875787
apparmor: allow to call vhost-user-gpu
Configuring vhost-user-gpu like:
    <video>
      <driver name='vhostuser'/>
      <model type='virtio' heads='1'/>
    </video>
Triggers an apparmor denial like:
    apparmor="DENIED" operation="exec" profile="libvirtd"
    name="/usr/lib/qemu/vhost-user-gpu" pid=888257 comm="libvirtd"
    requested_mask="x" denied_mask="x" fsuid=0 ouid=0

This helper is provided by qemu for vhost-user-gpu and thereby being
in the same path as qemu_bridge_helper. Due to that adding a rule allowing
to call uses the same path list.

Reviewed-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2020-02-24 14:53:18 +01:00
Michal Privoznik
5c8bd31c88 apparmor: Reflect paths from configure in profiles
The configure script allows users to specify different paths for
/etc/, /usr/sbin/, /var/run/ and /usr/libexec/. Instead of
assuming user will pass expected value, generate the apparmor
profiles using the actual values.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2020-02-04 09:08:51 +01:00
Christian Ehrhardt
5a21fd513a
apparmor: fix qemu_bridge_helper for named profile
Since a3ab6d42 "apparmor: convert libvirtd profile to a named profile"
the detection of the subelement for qemu_bridge_helper is wrong.

In combination with the older 123cc3e1 "apparmor: allow
/usr/lib/qemu/qemu-bridge-helper" it now detects qemu-bridge-helper no
more with its path, but instead as a proper subelement of the named profile
like: label=libvirtd//qemu_bridge_helper

In the same fashion the reverse rule in the qemu_bridge_helper
sub-profile still uses the path and not the named profile label.

Triggering denies like:
apparmor="DENIED" operation="file_inherit"
  profile="libvirtd//qemu_bridge_helper" pid=5629 comm="qemu-bridge-hel"
  family="unix" sock_type="stream" protocol=0 requested_mask="send receive"
  denied_mask="send receive" addr=none peer_addr=none peer="libvirtd"

This patch fixes the unix socket rules for the communication between
libvirtd and qemu-bridge-helper to match that.

Fixes: a3ab6d42d825499af44b8f19f9299e150d9687bc
Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1655111

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2020-01-31 08:32:00 +01:00
Michal Privoznik
2f74105d2c apparmor: Drop 'Last modified' comment from profiles
At the beginning of each profile we have a comment that says when
the profile was last updated. In theory, it makes sense because
one can see immediately if they are using an outdated profile.
However, we don't do a good job in keeping the comments in sync
with reality and also sysadmins should rather use their package
manager to find out libvirt version which installed the profiles.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2020-01-30 08:57:59 +01:00
Michal Privoznik
8f204fb4da apparmor: Allow some more BIOS/UEFI paths
There are two more paths that we are missing in the default
domain profile: /usr/share/edk2-ovmf/ and /usr/share/sgabios/.
These exist on my Gentoo box and contain UEFI and BIOS images
respectively.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2020-01-30 08:57:59 +01:00
Michal Privoznik
07af71ad99 apparmor: Sort paths in blocks in libvirt-qemu profile
Even though we construct a domain specific profile for each
domain we start (which should cover domain specific paths), there
is also another file that is included from the profile and which
contains domain agnostic paths (e.g. to cover libraries that qemu
links with). The paths in the file are split into blocks divided
by comments. Sort the paths in each block individually (ignoring
case sensitivity).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2020-01-30 08:57:59 +01:00
Andrea Bolognani
60dfe76990 virt-aa-helper: Drop unnecessary AppArmor rule
Apparently /proc/self is automatically converted to /proc/@{pid}
before checking rules, which makes spelling it out explicitly
redundant.

Suggested-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2019-08-22 10:58:41 +02:00
Andrea Bolognani
9c2446ed4a virt-aa-helper: Actually fix AppArmor profile
Tried previously in

  commit b1eb8b3e8fd1d4cb1da8e5e2b16f2c10837fd823
  Author: Andrea Bolognani <abologna@redhat.com>
  Date:   Mon Aug 19 10:23:42 2019 +0200

    virt-aa-helper: Fix AppArmor profile

  v5.6.0-243-gb1eb8b3e8f

with somewhat disappointing results.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-08-20 10:35:18 +02:00
Andrea Bolognani
b1eb8b3e8f virt-aa-helper: Fix AppArmor profile
Since

  commit 432faf259b696043ee5d7e8f657d855419a9a3fa
  Author: Michal Privoznik <mprivozn@redhat.com>
  Date:   Tue Jul 2 19:49:51 2019 +0200

    virCommand: use procfs to learn opened FDs

    When spawning a child process, between fork() and exec() we close
    all file descriptors and keep only those the caller wants us to
    pass onto the child. The problem is how we do that. Currently, we
    get the limit of opened files and then iterate through each one
    of them and either close() it or make it survive exec(). This
    approach is suboptimal (although, not that much in default
    configurations where the limit is pretty low - 1024). We have
    /proc where we can learn what FDs we hold open and thus we can
    selectively close only those.

    Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
    Reviewed-by: Ján Tomko <jtomko@redhat.com>

  v5.5.0-173-g432faf259b

programs using the virCommand APIs on Linux need read access to
/proc/self/fd, or they will fail like

  error : virCommandWait:2796 : internal error: Child process
  (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -c
   -u libvirt-b20e9a8e-091a-45e0-8823-537119e98bc6) unexpected exit
  status 1: libvirt:  error : cannot open directory '/proc/self/fd':
  Permission denied
  virt-aa-helper: error: apparmor_parser exited with error

Update the AppArmor profile for virt-aa-helper so that read access
to the relevant path is granted.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-08-19 15:47:24 +02:00
Christian Ehrhardt
bc85411c49
security: aa-helper: allow virt-aa-helper to read .vhd images
VHD images can be used as any other, so we should add them to the list
of types that virt-aa-helper can read when creating the per-guest rules
for backing files.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
2019-07-15 13:43:51 +02:00
Christian Ehrhardt
18ffb1670e
apparmor: Add openGraphicsFD rule for named profile
Commit a3ab6d42 changed the libvirtd profile to a named profile
but neglected to accommodate the change in the qemu profile
ptrace and signal rules.
Later on 4ec3cf9a fixed that for ptrace and signal but openGraphicsFD
is still missing.

As a result, libvirtd is unable to open UI on libvirt >=5.1 e.g. with
virt-manager.

Add openGraphicsFD rule that references the libvirtd profile
by name in addition to full binary path.

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1833040

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2019-06-19 14:22:47 +02:00
intrigeri
80e83d63dc apparmor: support more QEMU architectures
Add hppa, nios2, or1k, riscv32 and riscv64 to the profile.

Fixes: https://bugs.debian.org/914940

Signed-off-by: intrigeri <intrigeri@boum.org>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2019-04-01 12:32:55 +02:00
Jim Fehlig
4ec3cf9a0f apparmor: Add ptrace and signal rules for named profile
Commit a3ab6d42 changed the libvirtd profile to a named profile
but neglected to accommodate the change in the qemu profile
ptrace and signal rules. As a result, libvirtd is unable to
signal confined qemu processes and hence unable to shutdown
or destroy VMs.

Add ptrace and signal rules that reference the libvirtd profile
by name in addition to full binary path.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
2019-03-06 09:51:01 -07:00
Christian Ehrhardt
d85e8e400b
security: aa-helper: allow virt-aa-helper to read /dev/dri
Change fb01e1a44 "virt-aa-helper: generate rules for gl enabled
graphics devices" implemented the detection for gl enabled
devices in virt-aa-helper. But it will in certain cases e.g. if
no rendernode was explicitly specified need to read /dev/dri
which it currently isn't allowed.

Add a rule to the apparmor profile of virt-aa-helper itself to
be able to do that.

Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2019-02-25 08:50:38 +01:00
Ján Tomko
060e07c3ca Remove remaining references to kqemu
We dropped support in commit 8e91a40 (November 2015), but some
occurrences still remained, even in live code.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reported-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2019-02-19 08:33:50 +01:00
Jim Fehlig
a3ab6d42d8 apparmor: convert libvirtd profile to a named profile
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
2019-01-23 11:10:15 -07:00
Jim Fehlig
70c2933da2 apparmor: Add support for named profiles
Upstream apparmor is switching to named profiles. In short,

/usr/sbin/dnsmasq {

becomes

profile dnsmasq /usr/sbin/dnsmasq {

Consequently, any profiles that reference profiles in a peer= condition
need to be updated if the referenced profile switches to a named profile.
Apparmor commit 9ab45d81 switched dnsmasq to a named profile. ATM it is
the only named profile switch that has affected libvirt. Add rules to the
libvirtd profile to reference dnsmasq in peer= conditions by profile name.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
2019-01-23 11:10:15 -07:00
Andrea Bolognani
6ee53e54dc apparmor: Move static data out of examples/
These files need to be installed on the system for apparmor
support to work, so they don't belong with examples.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2019-01-10 16:48:12 +01:00