External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-08-07 01:13:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
a2028ae716
libvirt/examples/apparmor
History
Christian Ehrhardt a2028ae716
apparmor: add mediation rules for unconfined guests 
If a guest runs unconfined <seclabel type='none'>, but libvirtd is
confined then the peer for signal can only be detected as
'unconfined'. That triggers issues like:
   apparmor="DENIED" operation="signal"
   profile="/usr/sbin/libvirtd" pid=22395 comm="libvirtd"
   requested_mask="send" denied_mask="send" signal=term peer="unconfined"

To fix this add unconfined as an allowed peer for those operations.

I discussed with the apparmor folks, right now there is no better
separation to be made in this case. But there might be further down the
road with "policy namespaces with scope and view control + stacking"

This is more a use-case addition than a fix to the following two changes:
- 3b1d19e6 AppArmor: add rules needed with additional mediation features
- b482925c apparmor: support ptrace checks

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: intrigeri <intrigeri+libvirt@boum.org>
2018-08-16 12:58:56 +02:00
..
libvirt-lxc Rework lxc apparmor profile 2014-07-15 12:57:05 -06:00
libvirt-qemu apparmor: allow openGraphicsFD for virt manager >1.4 2018-08-16 12:58:56 +02:00
TEMPLATE.lxc apparmor: add attach_disconnected 2017-09-18 19:06:52 +02:00
TEMPLATE.qemu apparmor: add attach_disconnected 2017-09-18 19:06:52 +02:00
usr.lib.libvirt.virt-aa-helper apparmor: Fix forgotten comma at EOL 2018-07-04 07:59:29 +02:00
usr.sbin.libvirtd apparmor: add mediation rules for unconfined guests 2018-08-16 12:58:56 +02:00