Documentation and examples for SVirt Apparmor driver
* docs/drvqemu.html.in: include documentation for AppArmor sVirt confinement * examples/apparmor/TEMPLATE examples/apparmor/libvirt-qemu examples/apparmor/usr.lib.libvirt.virt-aa-helper examples/apparmor/usr.sbin.libvirtd: example templates and configuration files for SVirt Apparmor when using KVM/QEmu
This commit is contained in:
parent
bbaecd6a8f
commit
624a7927f0
@ -296,6 +296,73 @@
|
||||
file can be used to change the setting to <code>security_driver="none"</code>
|
||||
</p>
|
||||
|
||||
<h3><a name="securitysvirtaa">AppArmor sVirt confinement</a></h3>
|
||||
|
||||
<p>
|
||||
When using basic AppArmor protection for the libvirtd daemon and
|
||||
QEMU virtual machines, the intention is to protect the host OS
|
||||
from a compromised virtual machine process. There is no protection
|
||||
between guests.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
The AppArmor sVirt protection for QEMU virtual machines builds on
|
||||
this basic level of protection, to also allow individual guests to
|
||||
be protected from each other.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
In the sVirt model, if a profile is loaded for the libvirtd daemon,
|
||||
then each <code>qemu:///system</code> QEMU virtual machine will have
|
||||
a profile created for it when the virtual machine is started if one
|
||||
does not already exist. This generated profile uses a profile name
|
||||
based on the UUID of the QEMU virtual machine and contains rules
|
||||
allowing access to only the files it needs to run, such as its disks,
|
||||
pid file and log files. Just before the QEMU virtual machine is
|
||||
started, the libvirtd daemon will change into this unique profile,
|
||||
preventing the QEMU process from accessing any file resources that
|
||||
are present in another QEMU process or the host machine.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
The AppArmor sVirt implementation is flexible in that it allows an
|
||||
administrator to customize the template file in
|
||||
<code>/etc/apparmor.d/libvirt/TEMPLATE</code> for site-specific
|
||||
access for all newly created QEMU virtual machines. Also, when a new
|
||||
profile is generated, two files are created:
|
||||
<code>/etc/apparmor.d/libvirt/libvirt-<uuid></code> and
|
||||
<code>/etc/apparmor.d/libvirt/libvirt-<uuid>.files</code>. The
|
||||
former can be fine-tuned by the administrator to allow custom access
|
||||
for this particular QEMU virtual machine, and the latter will be
|
||||
updated appropriately when required file access changes, such as when
|
||||
a disk is added. This flexibility allows for situations such as
|
||||
having one virtual machine in complain mode with all others in
|
||||
enforce mode.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
While users can define their own AppArmor profile scheme, a typical
|
||||
configuration will include a profile for <code>/usr/sbin/libvirtd</code>,
|
||||
<code>/usr/lib/libvirt/virt-aa-helper</code> (a helper program which the
|
||||
libvirtd daemon uses instead of manipulating AppArmor directly), and
|
||||
an abstraction to be included by <code>/etc/apparmor.d/libvirt/TEMPLATE</code>
|
||||
(typically <code>/etc/apparmor.d/abstractions/libvirt-qemu</code>).
|
||||
An example profile scheme can be found in the examples/apparmor
|
||||
directory of the source distribution.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
If the sVirt security model is active, then the node capabilities
|
||||
XML will include its details. If a virtual machine is currently
|
||||
protected by the security model, then the guest XML will include
|
||||
its assigned profile name. If enabled at compile time, the sVirt
|
||||
security model will be activated if AppArmor is available on the host
|
||||
OS and a profile for the libvirtd daemon is loaded when libvirtd is
|
||||
started. To disable sVirt, and revert to the basic level of AppArmor
|
||||
protection (host protection only), the <code>/etc/libvirt/qemu.conf</code>
|
||||
file can be used to change the setting to <code>security_driver="none"</code>.
|
||||
</p>
|
||||
|
||||
|
||||
<h3><a name="securityacl">Cgroups device ACLs</a></h3>
|
||||
|
||||
|
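--- /dev/null
+++ b/examples/apparmor/TEMPLATE
@@ -0,0 +1,9 @@
+#
+# This profile is for the domain whose UUID matches this file.
+#
+
+#include <tunables/global>
+
+profile LIBVIRT_TEMPLATE {
+#include <abstractions/libvirt-qemu>
+}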
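Review bot: Nothing in the file says that `LIBVIRT_TEMPLATE` is a placeholder, even though the header comment describes a per-domain profile; presumably virt-aa-helper substitutes the UUID-based profile name the docs hunk describes, but an administrator editing `/etc/apparmor.d/libvirt/TEMPLATE` cannot tell which token must stay intact. A comment on the profile line, `# LIBVIRT_TEMPLATE is replaced with the libvirt-<uuid> profile name when a guest profile is generated; do not rename it` (wording to be confirmed against the helper), would make that explicit. It would also help to state that every rule added here applies to all generated guest profiles, whereas per-guest tuning belongs in the generated `libvirt-<uuid>` file, as the docs hunk already notes.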
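--- /dev/null
+++ b/examples/apparmor/libvirt-qemu
@@ -0,0 +1,71 @@
+# Last Modified: Wed Jul 8 09:57:41 2009
+
+#include <abstractions/base>
+#include <abstractions/consoles>
+#include <abstractions/nameservice>
+
+# required for reading disk images
+capability dac_override,
+capability dac_read_search,
+capability chown,
+
+network inet stream,
+network inet6 stream,
+
+/dev/net/tun rw,
+/dev/kvm rw,
+/dev/ptmx rw,
+/dev/kqemu rw,
+
+# WARNING: uncommenting these gives the guest direct access to host hardware.
+# This is required for USB pass through but is a security risk. You have been
+# warned.
+#/sys/bus/usb/devices/ r,
+#/sys/devices/*/*/usb[0-9]*/** r,
+#/dev/bus/usb/*/[0-9]* rw,
+
+/usr/share/kvm/** r,
+/usr/share/qemu/** r,
+/usr/share/bochs/** r,
+/usr/share/openbios/** r,
+/usr/share/openhackware/** r,
+/usr/share/proll/** r,
+/usr/share/vgabios/** r,
+
+# the various binaries
+/usr/bin/kvm rmix,
+/usr/bin/qemu rmix,
+/usr/bin/qemu-system-arm rmix,
+/usr/bin/qemu-system-cris rmix,
+/usr/bin/qemu-system-i386 rmix,
+/usr/bin/qemu-system-m68k rmix,
+/usr/bin/qemu-system-mips rmix,
+/usr/bin/qemu-system-mips64 rmix,
+/usr/bin/qemu-system-mips64el rmix,
+/usr/bin/qemu-system-mipsel rmix,
+/usr/bin/qemu-system-ppc rmix,
+/usr/bin/qemu-system-ppc64 rmix,
+/usr/bin/qemu-system-ppcemb rmix,
+/usr/bin/qemu-system-sh4 rmix,
+/usr/bin/qemu-system-sh4eb rmix,
+/usr/bin/qemu-system-sparc rmix,
+/usr/bin/qemu-system-sparc64 rmix,
+/usr/bin/qemu-system-x86_64 rmix,
+/usr/bin/qemu-alpha rmix,
+/usr/bin/qemu-arm rmix,
+/usr/bin/qemu-armeb rmix,
+/usr/bin/qemu-cris rmix,
+/usr/bin/qemu-i386 rmix,
+/usr/bin/qemu-m68k rmix,
+/usr/bin/qemu-mips rmix,
+/usr/bin/qemu-mipsel rmix,
+/usr/bin/qemu-ppc rmix,
+/usr/bin/qemu-ppc64 rmix,
+/usr/bin/qemu-ppc64abi32 rmix,
+/usr/bin/qemu-sh4 rmix,
+/usr/bin/qemu-sh4eb rmix,
+/usr/bin/qemu-sparc rmix,
+/usr/bin/qemu-sparc64 rmix,
+/usr/bin/qemu-sparc32plus rmix,
+/usr/bin/qemu-sparc64 rmix,
+/usr/bin/qemu-x86_64 rmix,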
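Review bot: `/usr/bin/qemu-sparc64 rmix,` appears twice in the binaries list (once after `qemu-sparc` and again after `qemu-sparc32plus`); the second copy is redundant and should be dropped so the list stays alphabetical and easy to audit. The `# required for reading disk images` comment accounts for `dac_override` and `dac_read_search` but not for `capability chown,` — letting the guest process change file ownership is a broader grant than reading images, so the reason should be recorded next to it (`# chown: <reason> — TODO confirm`) or the line removed if nothing needs it. Since this abstraction is included by TEMPLATE, every capability and path listed here is granted to every confined QEMU process, which is worth saying in a header comment.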
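--- /dev/null
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -0,0 +1,22 @@
+# Last Modified: Mon Jul 06 17:22:37 2009
+#include <tunables/global>
+
+/usr/lib/libvirt/virt-aa-helper {
+#include <abstractions/base>
+
+# needed for searching directories
+capability dac_override,
+capability dac_read_search,
+
+# needed for when disk is on a network filesystem
+network inet,
+
+deny @{PROC}/[0-9]*/mounts r,
+@{PROC}/filesystems r,
+
+/usr/lib/libvirt/virt-aa-helper mr,
+/sbin/apparmor_parser Ux,
+
+/etc/apparmor.d/libvirt/* r,
+/etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+}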
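Review bot: The last three file rules carry the security argument for the whole scheme but have no comment: `/etc/apparmor.d/libvirt/* r,` lets the helper read TEMPLATE and the includes, the `rw` rule is restricted to UUID-shaped `libvirt-<uuid>` names so the helper cannot rewrite TEMPLATE or anything else in that directory, and `/sbin/apparmor_parser Ux,` makes this helper the only sanctioned path for loading policy (the libvirtd profile in this commit denies the parser outright). A comment above the rw rule, `# only generated per-domain profiles are writable; TEMPLATE and includes stay read-only`, and one above the Ux line, `# the parser runs unconfined with a scrubbed environment; this helper is the policy-loading boundary`, would preserve that intent for the next edit. The `# needed for when disk is on a network filesystem` comment suggests the helper touches disk image locations, yet no file rule grants access outside the paths listed, so confirm whether the helper only stats those paths and note it.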
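--- /dev/null
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -0,0 +1,48 @@
+# Last Modified: Wed Sep 23 23:23:58 2009
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
+
+/usr/sbin/libvirtd {
+#include <abstractions/base>
+
+capability kill,
+capability net_admin,
+capability net_raw,
+capability setgid,
+capability sys_admin,
+capability sys_module,
+capability sys_ptrace,
+capability sys_nice,
+capability sys_chroot,
+capability setuid,
+capability dac_override,
+capability dac_read_search,
+capability fowner,
+capability chown,
+capability setpcap,
+capability mknod,
+
+network inet stream,
+
+# Very lenient profile for libvirtd since we want to first focus on confining
+# the guests. Guests will have a very restricted profile.
+/** rwmkl,
+
+/bin/* Ux,
+/sbin/* Ux,
+/usr/bin/* Ux,
+/usr/sbin/* Ux,
+
+# force the use of virt-aa-helper
+audit deny /sbin/apparmor_parser rwxl,
+audit deny /etc/apparmor.d/libvirt/** wxl,
+audit deny /sys/kernel/security/apparmor/features rwxl,
+audit deny /sys/kernel/security/apparmor/matching rwxl,
+audit deny /sys/kernel/security/apparmor/.* rwxl,
+/sys/kernel/security/apparmor/profiles r,
+/usr/lib/libvirt/virt-aa-helper Pxr,
+
+# allow changing to our UUID-based named profiles
+change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
+}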
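Review bot: `/usr/bin/* Ux,` (with the `/bin/*`, `/sbin/*` and `/usr/sbin/*` rules beside it) executes the QEMU/KVM binaries unconfined, so whenever no `change_profile` transition happens — sVirt disabled with `security_driver="none"`, or a guest profile failing to generate — the guest process runs under no AppArmor policy at all, which does not match the "host protection only" fallback the docs hunk in this commit describes; if that reading is right, a comment such as `# NOTE: QEMU started without a change_profile runs unconfined (Ux)` should say so, or the docs should point at where the fallback confinement comes from. Separately, `capability sys_module` lets libvirtd load kernel modules, which sits outside anything the `audit deny` rules on apparmor_parser and apparmorfs can mediate, so a one-line comment stating why it is needed (presumably loading kvm/tun — confirm) would let it be revisited. The `audit deny /sys/kernel/security/apparmor/.* rwxl,` glob also deserves a comment naming the dot-prefixed entries it covers (the policy load/replace/remove interfaces, as far as I can tell), since `.*` reads like a regex to most readers.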