External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-01-11 23:37:42 +00:00
Code Issues Packages Projects Releases Wiki Activity
37e18b0cc8
libvirt/examples/apparmor/libvirt-qemu
Christian Ehrhardt d4d50bcc79 virt-aa-helper: fix libusb access to udev usb descriptions 
In bf3a4140 "virt-aa-helper: fix libusb access to udev usb data" the
libusb access to properly detect the device/bus ids was fixed.

The path /run/udev/data/+usb* contains a subset of that information we
already allow to be read and are currently not needed for the function
qemu needs libusb for. But on the init of libusb all those files are
still read so a lot of apparmor denials can be seen when using usb host
devices, like:
  apparmor="DENIED" operation="open" name="/run/udev/data/+usb:2-1.2:1.0"
  comm="qemu-system-x86" requested_mask="r" denied_mask="r"

Today we could silence the warnings with a deny rule without breaking
current use cases. But since the data in there is only a subset of those
it can read already it is no additional information exposure. And on the
other hand a future udev/libusb/qemu combination might need it so allow
the access in the default apparmor profile.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2017-10-26 12:48:32 +02:00

182 lines
5.0 KiB
Plaintext
Raw Blame History

# Last Modified: Wed Sep 3 21:52:03 2014
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
# required for reading disk images
capability dac_override,
capability dac_read_search,
capability chown,
# needed to drop privileges
capability setgid,
capability setuid,
network inet stream,
network inet6 stream,
/dev/net/tun rw,
/dev/kvm rw,
/dev/ptmx rw,
/dev/kqemu rw,
@{PROC}/*/status r,
# Per man(5) proc, the kernel enforces that a thread may
# only modify its comm value or those in its thread group.
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
@{PROC}/sys/kernel/cap_last_cap r,
# For hostdev access. The actual devices will be added dynamically
/sys/bus/usb/devices/ r,
/sys/devices/**/usb[0-9]*/** r,
# libusb needs udev data about usb devices (~equal to content of lsusb -v)
/run/udev/data/c16[6,7]* r,
/run/udev/data/c18[0,8,9]* r,
/run/udev/data/+usb* r,
# WARNING: this gives the guest direct access to host hardware and specific
# portions of shared memory. This is required for sound using ALSA with kvm,
# but may constitute a security risk. If your environment does not require
# the use of sound in your VMs, feel free to comment out or prepend 'deny' to
# the rules for files in /dev.
/{dev,run}/shm r,
/{dev,run}/shmpulse-shm* r,
/{dev,run}/shmpulse-shm* rwk,
/dev/snd/* rw,
capability ipc_lock,
# spice
owner /{dev,run}/shm/spice.* rw,
# 'kill' is not required for sound and is a security risk. Do not enable
# unless you absolutely need it.
deny capability kill,
# Uncomment the following if you need access to /dev/fb*
#/dev/fb* rw,
/etc/pulse/client.conf r,
@{HOME}/.pulse-cookie rwk,
owner /root/.pulse-cookie rwk,
owner /root/.pulse/ rw,
owner /root/.pulse/* rw,
/usr/share/alsa/** r,
owner /tmp/pulse-*/ rw,
owner /tmp/pulse-*/* rw,
/var/lib/dbus/machine-id r,
# access to firmware's etc
/usr/share/kvm/** r,
/usr/share/qemu/** r,
/usr/share/qemu-kvm/** r,
/usr/share/bochs/** r,
/usr/share/openbios/** r,
/usr/share/openhackware/** r,
/usr/share/proll/** r,
/usr/share/vgabios/** r,
/usr/share/seabios/** r,
/usr/share/ovmf/** r,
/usr/share/OVMF/** r,
/usr/share/AAVMF/** r,
/usr/share/qemu-efi/** r,
/usr/share/slof/** r,
# access PKI infrastructure
/etc/pki/libvirt-vnc/** r,
# the various binaries
/usr/bin/kvm rmix,
/usr/bin/qemu rmix,
/usr/bin/qemu-kvm rmix,
/usr/bin/qemu-system-aarch64 rmix,
/usr/bin/qemu-system-alpha rmix,
/usr/bin/qemu-system-arm rmix,
/usr/bin/qemu-system-cris rmix,
/usr/bin/qemu-system-i386 rmix,
/usr/bin/qemu-system-lm32 rmix,
/usr/bin/qemu-system-m68k rmix,
/usr/bin/qemu-system-microblaze rmix,
/usr/bin/qemu-system-microblazeel rmix,
/usr/bin/qemu-system-mips rmix,
/usr/bin/qemu-system-mips64 rmix,
/usr/bin/qemu-system-mips64el rmix,
/usr/bin/qemu-system-mipsel rmix,
/usr/bin/qemu-system-moxie rmix,
/usr/bin/qemu-system-or32 rmix,
/usr/bin/qemu-system-ppc rmix,
/usr/bin/qemu-system-ppc64 rmix,
/usr/bin/qemu-system-ppcemb rmix,
/usr/bin/qemu-system-s390x rmix,
/usr/bin/qemu-system-sh4 rmix,
/usr/bin/qemu-system-sh4eb rmix,
/usr/bin/qemu-system-sparc rmix,
/usr/bin/qemu-system-sparc64 rmix,
/usr/bin/qemu-system-tricore rmix,
/usr/bin/qemu-system-unicore32 rmix,
/usr/bin/qemu-system-x86_64 rmix,
/usr/bin/qemu-system-xtensa rmix,
/usr/bin/qemu-system-xtensaeb rmix,
/usr/bin/qemu-aarch64 rmix,
/usr/bin/qemu-alpha rmix,
/usr/bin/qemu-arm rmix,
/usr/bin/qemu-armeb rmix,
/usr/bin/qemu-cris rmix,
/usr/bin/qemu-i386 rmix,
/usr/bin/qemu-m68k rmix,
/usr/bin/qemu-microblaze rmix,
/usr/bin/qemu-microblazeel rmix,
/usr/bin/qemu-mips rmix,
/usr/bin/qemu-mips64 rmix,
/usr/bin/qemu-mips64el rmix,
/usr/bin/qemu-mipsel rmix,
/usr/bin/qemu-mipsn32 rmix,
/usr/bin/qemu-mipsn32el rmix,
/usr/bin/qemu-nbd rmix,
/usr/bin/qemu-or32 rmix,
/usr/bin/qemu-ppc rmix,
/usr/bin/qemu-ppc64 rmix,
/usr/bin/qemu-ppc64abi32 rmix,
/usr/bin/qemu-ppc64le rmix,
/usr/bin/qemu-s390x rmix,
/usr/bin/qemu-sh4 rmix,
/usr/bin/qemu-sh4eb rmix,
/usr/bin/qemu-sparc rmix,
/usr/bin/qemu-sparc32plus rmix,
/usr/bin/qemu-sparc64 rmix,
/usr/bin/qemu-unicore32 rmix,
/usr/bin/qemu-x86_64 rmix,
/usr/{lib,lib64}/qemu/block-curl.so mr,
/usr/{lib,lib64}/qemu/block-rbd.so mr,
# for use by libvirt-vnc (LP: #901272)
/etc/pki/CA/ r,
/etc/pki/CA/* r,
/etc/pki/libvirt/ r,
/etc/pki/libvirt/** r,
# for save and resume
/{usr/,}bin/dash rmix,
/{usr/,}bin/dd rmix,
/{usr/,}bin/cat rmix,
# for restore
/{usr/,}bin/bash rmix,
# for usb access
/dev/bus/usb/ r,
/etc/udev/udev.conf r,
/sys/bus/ r,
/sys/class/ r,
# for rbd
/etc/ceph/ceph.conf r,
# for ppc device-tree access
@{PROC}/device-tree/ r,
@{PROC}/device-tree/** r,
/sys/firmware/devicetree/** r,
# for gathering information about available host resources
/sys/devices/system/cpu/ r,
/sys/devices/system/node/ r,
/sys/devices/system/node/node[0-9]*/meminfo r,
/sys/module/vhost/parameters/max_mem_regions r,
Reference in New Issue View Git Blame Copy Permalink