apparmor: Move static data out of examples/
These files need to be installed on the system for apparmor support to work, so they don't belong with examples. Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Erik Skultety <eskultet@redhat.com>
@@ -19,12 +19,6 @@
|
||||
FILTERS = $(wildcard $(srcdir)/xml/nwfilter/*.xml)
|
||||
|
||||
EXTRA_DIST = \
|
||||
apparmor/TEMPLATE.qemu \
|
||||
apparmor/TEMPLATE.lxc \
|
||||
apparmor/libvirt-qemu \
|
||||
apparmor/libvirt-lxc \
|
||||
apparmor/usr.lib.libvirt.virt-aa-helper \
|
||||
apparmor/usr.sbin.libvirtd \
|
||||
lxcconvert/virt-lxc-convert \
|
||||
polkit/libvirt-acl.rules \
|
||||
$(wildcard $(srcdir)/systemtap/*.stp) \
|
||||
@@ -70,40 +64,6 @@ admin_logging_SOURCES = admin/logging.c
|
||||
INSTALL_DATA_LOCAL =
|
||||
UNINSTALL_LOCAL =
|
||||
|
||||
if WITH_APPARMOR_PROFILES
|
||||
apparmordir = $(sysconfdir)/apparmor.d/
|
||||
apparmor_DATA = \
|
||||
apparmor/usr.lib.libvirt.virt-aa-helper \
|
||||
apparmor/usr.sbin.libvirtd \
|
||||
$(NULL)
|
||||
|
||||
abstractionsdir = $(apparmordir)/abstractions
|
||||
abstractions_DATA = \
|
||||
apparmor/libvirt-qemu \
|
||||
apparmor/libvirt-lxc \
|
||||
$(NULL)
|
||||
|
||||
templatesdir = $(apparmordir)/libvirt
|
||||
templates_DATA = \
|
||||
apparmor/TEMPLATE.qemu \
|
||||
apparmor/TEMPLATE.lxc \
|
||||
$(NULL)
|
||||
|
||||
APPARMOR_LOCAL_DIR = "$(DESTDIR)$(apparmordir)/local"
|
||||
install-apparmor-local:
|
||||
$(MKDIR_P) "$(APPARMOR_LOCAL_DIR)"
|
||||
echo "# Site-specific additions and overrides for \
|
||||
'usr.lib.libvirt.virt-aa-helper'" \
|
||||
>"$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper"
|
||||
|
||||
uninstall-apparmor-local:
|
||||
rm -f "$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper"
|
||||
rmdir "$(APPARMOR_LOCAL_DIR)" || :
|
||||
|
||||
INSTALL_DATA_LOCAL += install-apparmor-local
|
||||
UNINSTALL_LOCAL += uninstall-apparmor-local
|
||||
endif WITH_APPARMOR_PROFILES
|
||||
|
||||
if WITH_NWFILTER
|
||||
NWFILTER_DIR = "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter"
|
||||
|
||||
|
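Review bot: On the new side `INSTALL_DATA_LOCAL =` and `UNINSTALL_LOCAL =` are still initialised here, but the only hooks that appended to them (`install-apparmor-local`/`uninstall-apparmor-local`) are gone and their destination is not on this page, so confirm the relocated Makefile.am wires the recipes into the install-data-local/uninstall-local chain rather than only declaring them. If the recipe is moved verbatim, the `echo "# Site-specific additions …" >"$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper"` line overwrites an existing site-local override on every `make install`, silently discarding administrator-added restrictions; guarding it with `test -e "$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper" || echo … >"$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper"` keeps the first-install behaviour while preserving customisations. The trailing `if WITH_NWFILTER` block continues past the end of the hunk.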
@@ -1,15 +0,0 @@
|
||||
#
|
||||
# This profile is for the domain whose UUID matches this file.
|
||||
#
|
||||
|
||||
#include <tunables/global>
|
||||
|
||||
profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
|
||||
#include <abstractions/libvirt-lxc>
|
||||
|
||||
# Globally allows everything to run under this profile
|
||||
# These can be narrowed depending on the container's use.
|
||||
file,
|
||||
capability,
|
||||
network,
|
||||
}
|
@@ -1,9 +0,0 @@
|
||||
#
|
||||
# This profile is for the domain whose UUID matches this file.
|
||||
#
|
||||
|
||||
#include <tunables/global>
|
||||
|
||||
profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
|
||||
#include <abstractions/libvirt-qemu>
|
||||
}
|
@@ -1,116 +0,0 @@
|
||||
# Last Modified: Fri Feb 7 13:01:36 2014
|
||||
|
||||
#include <abstractions/base>
|
||||
|
||||
umount,
|
||||
|
||||
# ignore DENIED message on / remount
|
||||
deny mount options=(ro, remount) -> /,
|
||||
|
||||
# allow tmpfs mounts everywhere
|
||||
mount fstype=tmpfs,
|
||||
|
||||
# allow mqueue mounts everywhere
|
||||
mount fstype=mqueue,
|
||||
|
||||
# allow fuse mounts everywhere
|
||||
mount fstype=fuse.*,
|
||||
|
||||
# deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
|
||||
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
|
||||
deny @{PROC}/sys/fs/** wklx,
|
||||
|
||||
# allow efivars to be mounted, writing to it will be blocked though
|
||||
mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
|
||||
|
||||
# block some other dangerous paths
|
||||
deny @{PROC}/sysrq-trigger rwklx,
|
||||
deny @{PROC}/mem rwklx,
|
||||
deny @{PROC}/kmem rwklx,
|
||||
|
||||
# deny writes in /sys except for /sys/fs/cgroup, also allow
|
||||
# fusectl, securityfs and debugfs to be mounted there (read-only)
|
||||
mount fstype=fusectl -> /sys/fs/fuse/connections/,
|
||||
mount fstype=securityfs -> /sys/kernel/security/,
|
||||
mount fstype=debugfs -> /sys/kernel/debug/,
|
||||
mount fstype=proc -> /proc/,
|
||||
mount fstype=sysfs -> /sys/,
|
||||
deny /sys/firmware/efi/efivars/** rwklx,
|
||||
deny /sys/kernel/security/** rwklx,
|
||||
|
||||
# generated by: lxc-generate-aa-rules.py container-rules.base
|
||||
deny /proc/sys/[^kn]*{,/**} wklx,
|
||||
deny /proc/sys/k[^e]*{,/**} wklx,
|
||||
deny /proc/sys/ke[^r]*{,/**} wklx,
|
||||
deny /proc/sys/ker[^n]*{,/**} wklx,
|
||||
deny /proc/sys/kern[^e]*{,/**} wklx,
|
||||
deny /proc/sys/kerne[^l]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/d[^o]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/do[^m]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/domainname?*{,/**} wklx,
|
||||
deny /proc/sys/kernel/h[^o]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/host[^n]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/hostname?*{,/**} wklx,
|
||||
deny /proc/sys/kernel/m[^s]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/msg*/** wklx,
|
||||
deny /proc/sys/kernel/s[^he]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/se[^m]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/sem*/** wklx,
|
||||
deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
|
||||
deny /proc/sys/kernel/shm*/** wklx,
|
||||
deny /proc/sys/kernel?*{,/**} wklx,
|
||||
deny /proc/sys/n[^e]*{,/**} wklx,
|
||||
deny /proc/sys/ne[^t]*{,/**} wklx,
|
||||
deny /proc/sys/net?*{,/**} wklx,
|
||||
deny /sys/[^fdc]*{,/**} wklx,
|
||||
deny /sys/c[^l]*{,/**} wklx,
|
||||
deny /sys/cl[^a]*{,/**} wklx,
|
||||
deny /sys/cla[^s]*{,/**} wklx,
|
||||
deny /sys/clas[^s]*{,/**} wklx,
|
||||
deny /sys/class/[^n]*{,/**} wklx,
|
||||
deny /sys/class/n[^e]*{,/**} wklx,
|
||||
deny /sys/class/ne[^t]*{,/**} wklx,
|
||||
deny /sys/class/net?*{,/**} wklx,
|
||||
deny /sys/class?*{,/**} wklx,
|
||||
deny /sys/d[^e]*{,/**} wklx,
|
||||
deny /sys/de[^v]*{,/**} wklx,
|
||||
deny /sys/dev[^i]*{,/**} wklx,
|
||||
deny /sys/devi[^c]*{,/**} wklx,
|
||||
deny /sys/devic[^e]*{,/**} wklx,
|
||||
deny /sys/device[^s]*{,/**} wklx,
|
||||
deny /sys/devices/[^v]*{,/**} wklx,
|
||||
deny /sys/devices/v[^i]*{,/**} wklx,
|
||||
deny /sys/devices/vi[^r]*{,/**} wklx,
|
||||
deny /sys/devices/vir[^t]*{,/**} wklx,
|
||||
deny /sys/devices/virt[^u]*{,/**} wklx,
|
||||
deny /sys/devices/virtu[^a]*{,/**} wklx,
|
||||
deny /sys/devices/virtua[^l]*{,/**} wklx,
|
||||
deny /sys/devices/virtual/[^n]*{,/**} wklx,
|
||||
deny /sys/devices/virtual/n[^e]*{,/**} wklx,
|
||||
deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
|
||||
deny /sys/devices/virtual/net?*{,/**} wklx,
|
||||
deny /sys/devices/virtual?*{,/**} wklx,
|
||||
deny /sys/devices?*{,/**} wklx,
|
||||
deny /sys/f[^s]*{,/**} wklx,
|
||||
deny /sys/fs/[^c]*{,/**} wklx,
|
||||
deny /sys/fs/c[^g]*{,/**} wklx,
|
||||
deny /sys/fs/cg[^r]*{,/**} wklx,
|
||||
deny /sys/fs/cgr[^o]*{,/**} wklx,
|
||||
deny /sys/fs/cgro[^u]*{,/**} wklx,
|
||||
deny /sys/fs/cgrou[^p]*{,/**} wklx,
|
||||
deny /sys/fs/cgroup?*{,/**} wklx,
|
||||
deny /sys/fs?*{,/**} wklx,
|
@@ -1,222 +0,0 @@
|
||||
# Last Modified: Wed Sep 3 21:52:03 2014
|
||||
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
|
||||
# required for reading disk images
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability chown,
|
||||
|
||||
# needed to drop privileges
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
||||
ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
|
||||
|
||||
signal (receive) peer=/usr/sbin/libvirtd,
|
||||
|
||||
/dev/net/tun rw,
|
||||
/dev/kvm rw,
|
||||
/dev/ptmx rw,
|
||||
/dev/kqemu rw,
|
||||
@{PROC}/*/status r,
|
||||
# When qemu is signaled to terminate, it will read cmdline of signaling
|
||||
# process for reporting purposes. Allowing read access to a process
|
||||
# cmdline may leak sensitive information embedded in the cmdline.
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
# Per man(5) proc, the kernel enforces that a thread may
|
||||
# only modify its comm value or those in its thread group.
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
@{PROC}/sys/kernel/cap_last_cap r,
|
||||
|
||||
# For hostdev access. The actual devices will be added dynamically
|
||||
/sys/bus/usb/devices/ r,
|
||||
/sys/devices/**/usb[0-9]*/** r,
|
||||
# libusb needs udev data about usb devices (~equal to content of lsusb -v)
|
||||
/run/udev/data/c16[6,7]* r,
|
||||
/run/udev/data/c18[0,8,9]* r,
|
||||
/run/udev/data/+usb* r,
|
||||
|
||||
# WARNING: this gives the guest direct access to host hardware and specific
|
||||
# portions of shared memory. This is required for sound using ALSA with kvm,
|
||||
# but may constitute a security risk. If your environment does not require
|
||||
# the use of sound in your VMs, feel free to comment out or prepend 'deny' to
|
||||
# the rules for files in /dev.
|
||||
/{dev,run}/shm r,
|
||||
/{dev,run}/shmpulse-shm* r,
|
||||
/{dev,run}/shmpulse-shm* rwk,
|
||||
/dev/snd/* rw,
|
||||
capability ipc_lock,
|
||||
# spice
|
||||
owner /{dev,run}/shm/spice.* rw,
|
||||
# 'kill' is not required for sound and is a security risk. Do not enable
|
||||
# unless you absolutely need it.
|
||||
deny capability kill,
|
||||
|
||||
# Uncomment the following if you need access to /dev/fb*
|
||||
#/dev/fb* rw,
|
||||
|
||||
/etc/pulse/client.conf r,
|
||||
@{HOME}/.pulse-cookie rwk,
|
||||
owner /root/.pulse-cookie rwk,
|
||||
owner /root/.pulse/ rw,
|
||||
owner /root/.pulse/* rw,
|
||||
/usr/share/alsa/** r,
|
||||
owner /tmp/pulse-*/ rw,
|
||||
owner /tmp/pulse-*/* rw,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
# access to firmware's etc
|
||||
/usr/share/kvm/** r,
|
||||
/usr/share/qemu/** r,
|
||||
/usr/share/qemu-kvm/** r,
|
||||
/usr/share/bochs/** r,
|
||||
/usr/share/openbios/** r,
|
||||
/usr/share/openhackware/** r,
|
||||
/usr/share/proll/** r,
|
||||
/usr/share/vgabios/** r,
|
||||
/usr/share/seabios/** r,
|
||||
/usr/share/misc/sgabios.bin r,
|
||||
/usr/share/ovmf/** r,
|
||||
/usr/share/OVMF/** r,
|
||||
/usr/share/AAVMF/** r,
|
||||
/usr/share/qemu-efi/** r,
|
||||
/usr/share/slof/** r,
|
||||
|
||||
# pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
|
||||
/etc/pki/CA/ r,
|
||||
/etc/pki/CA/* r,
|
||||
/etc/pki/libvirt{,-spice,-vnc}/ r,
|
||||
/etc/pki/libvirt{,-spice,-vnc}/** r,
|
||||
|
||||
# the various binaries
|
||||
/usr/bin/kvm rmix,
|
||||
/usr/bin/qemu rmix,
|
||||
/usr/bin/qemu-kvm rmix,
|
||||
/usr/bin/qemu-system-aarch64 rmix,
|
||||
/usr/bin/qemu-system-alpha rmix,
|
||||
/usr/bin/qemu-system-arm rmix,
|
||||
/usr/bin/qemu-system-cris rmix,
|
||||
/usr/bin/qemu-system-i386 rmix,
|
||||
/usr/bin/qemu-system-lm32 rmix,
|
||||
/usr/bin/qemu-system-m68k rmix,
|
||||
/usr/bin/qemu-system-microblaze rmix,
|
||||
/usr/bin/qemu-system-microblazeel rmix,
|
||||
/usr/bin/qemu-system-mips rmix,
|
||||
/usr/bin/qemu-system-mips64 rmix,
|
||||
/usr/bin/qemu-system-mips64el rmix,
|
||||
/usr/bin/qemu-system-mipsel rmix,
|
||||
/usr/bin/qemu-system-moxie rmix,
|
||||
/usr/bin/qemu-system-or32 rmix,
|
||||
/usr/bin/qemu-system-ppc rmix,
|
||||
/usr/bin/qemu-system-ppc64 rmix,
|
||||
/usr/bin/qemu-system-ppcemb rmix,
|
||||
/usr/bin/qemu-system-s390x rmix,
|
||||
/usr/bin/qemu-system-sh4 rmix,
|
||||
/usr/bin/qemu-system-sh4eb rmix,
|
||||
/usr/bin/qemu-system-sparc rmix,
|
||||
/usr/bin/qemu-system-sparc64 rmix,
|
||||
/usr/bin/qemu-system-tricore rmix,
|
||||
/usr/bin/qemu-system-unicore32 rmix,
|
||||
/usr/bin/qemu-system-x86_64 rmix,
|
||||
/usr/bin/qemu-system-xtensa rmix,
|
||||
/usr/bin/qemu-system-xtensaeb rmix,
|
||||
/usr/bin/qemu-aarch64 rmix,
|
||||
/usr/bin/qemu-alpha rmix,
|
||||
/usr/bin/qemu-arm rmix,
|
||||
/usr/bin/qemu-armeb rmix,
|
||||
/usr/bin/qemu-cris rmix,
|
||||
/usr/bin/qemu-i386 rmix,
|
||||
/usr/bin/qemu-m68k rmix,
|
||||
/usr/bin/qemu-microblaze rmix,
|
||||
/usr/bin/qemu-microblazeel rmix,
|
||||
/usr/bin/qemu-mips rmix,
|
||||
/usr/bin/qemu-mips64 rmix,
|
||||
/usr/bin/qemu-mips64el rmix,
|
||||
/usr/bin/qemu-mipsel rmix,
|
||||
/usr/bin/qemu-mipsn32 rmix,
|
||||
/usr/bin/qemu-mipsn32el rmix,
|
||||
/usr/bin/qemu-or32 rmix,
|
||||
/usr/bin/qemu-ppc rmix,
|
||||
/usr/bin/qemu-ppc64 rmix,
|
||||
/usr/bin/qemu-ppc64abi32 rmix,
|
||||
/usr/bin/qemu-ppc64le rmix,
|
||||
/usr/bin/qemu-s390x rmix,
|
||||
/usr/bin/qemu-sh4 rmix,
|
||||
/usr/bin/qemu-sh4eb rmix,
|
||||
/usr/bin/qemu-sparc rmix,
|
||||
/usr/bin/qemu-sparc32plus rmix,
|
||||
/usr/bin/qemu-sparc64 rmix,
|
||||
/usr/bin/qemu-unicore32 rmix,
|
||||
/usr/bin/qemu-x86_64 rmix,
|
||||
# for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
|
||||
/usr/{lib,lib64}/qemu/*.so mr,
|
||||
/usr/lib/@{multiarch}/qemu/*.so mr,
|
||||
|
||||
# swtpm
|
||||
/{usr/,}bin/swtpm rmix,
|
||||
/usr/{lib,lib64}/libswtpm_libtpms.so mr,
|
||||
/usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
|
||||
|
||||
# for save and resume
|
||||
/{usr/,}bin/dash rmix,
|
||||
/{usr/,}bin/dd rmix,
|
||||
/{usr/,}bin/cat rmix,
|
||||
|
||||
# for restore
|
||||
/{usr/,}bin/bash rmix,
|
||||
|
||||
# for usb access
|
||||
/dev/bus/usb/ r,
|
||||
/etc/udev/udev.conf r,
|
||||
/sys/bus/ r,
|
||||
/sys/class/ r,
|
||||
|
||||
# for rbd
|
||||
/etc/ceph/ceph.conf r,
|
||||
|
||||
# Various functions will need to enumerate /tmp (e.g. ceph), allow the base
|
||||
# dir and a few known functions like samba support.
|
||||
# We want to avoid to give blanket rw permission to everything under /tmp,
|
||||
# users are expected to add site specific addons for more uncommon cases.
|
||||
# Qemu processes usually all run as the same users, so the "owner"
|
||||
# restriction prevents access to other services files, but not across
|
||||
# different instances.
|
||||
# This is a tradeoff between usability and security - if paths would be more
|
||||
# predictable that would be preferred - at least for write rules we would
|
||||
# want more unique paths per rule.
|
||||
/{,var/}tmp/ r,
|
||||
owner /{,var/}tmp/**/ r,
|
||||
|
||||
# for file-posix getting limits since 9103f1ce
|
||||
/sys/devices/**/block/*/queue/max_segments r,
|
||||
|
||||
# for ppc device-tree access
|
||||
@{PROC}/device-tree/ r,
|
||||
@{PROC}/device-tree/** r,
|
||||
/sys/firmware/devicetree/** r,
|
||||
|
||||
# allow connect with openGraphicsFD to work
|
||||
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
|
||||
|
||||
# for gathering information about available host resources
|
||||
/sys/devices/system/cpu/ r,
|
||||
/sys/devices/system/node/ r,
|
||||
/sys/devices/system/node/node[0-9]*/meminfo r,
|
||||
/sys/module/vhost/parameters/max_mem_regions r,
|
||||
|
||||
# silence refusals to open lttng files (see LP: #1432644)
|
||||
deny /dev/shm/lttng-ust-wait-* r,
|
||||
deny /run/shm/lttng-ust-wait-* r,
|
||||
|
||||
# for vfio hotplug on systems without static vfio (LP: #1775777)
|
||||
/dev/vfio/vfio rw,
|
||||
|
||||
# required for sasl GSSAPI plugin
|
||||
/etc/gss/mech.d/ r,
|
||||
/etc/gss/mech.d/* r,
|
@@ -1,67 +0,0 @@
|
||||
# Last Modified: Mon Apr 5 15:10:27 2010
|
||||
#include <tunables/global>
|
||||
|
||||
profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
|
||||
#include <abstractions/base>
|
||||
|
||||
# needed for searching directories
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
|
||||
# needed for when disk is on a network filesystem
|
||||
network inet,
|
||||
network inet6,
|
||||
|
||||
deny @{PROC}/[0-9]*/mounts r,
|
||||
@{PROC}/[0-9]*/net/psched r,
|
||||
owner @{PROC}/[0-9]*/status r,
|
||||
@{PROC}/filesystems r,
|
||||
|
||||
/etc/libnl-3/classid r,
|
||||
|
||||
# for hostdev
|
||||
/sys/devices/ r,
|
||||
/sys/devices/** r,
|
||||
/sys/bus/usb/devices/ r,
|
||||
deny /dev/sd* r,
|
||||
deny /dev/vd* r,
|
||||
deny /dev/dm-* r,
|
||||
deny /dev/drbd[0-9]* r,
|
||||
deny /dev/dasd* r,
|
||||
deny /dev/nvme* r,
|
||||
deny /dev/zd[0-9]* r,
|
||||
deny /dev/mapper/ r,
|
||||
deny /dev/mapper/* r,
|
||||
|
||||
/usr/{lib,lib64}/libvirt/virt-aa-helper mr,
|
||||
/{usr/,}sbin/apparmor_parser Ux,
|
||||
|
||||
/etc/apparmor.d/libvirt/* r,
|
||||
/etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
|
||||
|
||||
# for backingstore -- allow access to non-hidden files in @{HOME} as well
|
||||
# as storage pools
|
||||
audit deny @{HOME}/.* mrwkl,
|
||||
audit deny @{HOME}/.*/ rw,
|
||||
audit deny @{HOME}/.*/** mrwkl,
|
||||
audit deny @{HOME}/bin/ rw,
|
||||
audit deny @{HOME}/bin/** mrwkl,
|
||||
@{HOME}/ r,
|
||||
@{HOME}/** r,
|
||||
/var/lib/libvirt/images/ r,
|
||||
/var/lib/libvirt/images/** r,
|
||||
/var/lib/nova/instances/_base/* r,
|
||||
/{media,mnt,opt,srv}/** r,
|
||||
# For virt-sandbox
|
||||
/{,var/}run/libvirt/**/[sv]d[a-z] r,
|
||||
|
||||
/**.img r,
|
||||
/**.raw r,
|
||||
/**.qcow{,2} r,
|
||||
/**.qed r,
|
||||
/**.vmdk r,
|
||||
/**.[iI][sS][oO] r,
|
||||
/**/disk{,.*} r,
|
||||
|
||||
#include <local/usr.lib.libvirt.virt-aa-helper>
|
||||
}
|
@@ -1,131 +0,0 @@
|
||||
# Last Modified: Mon Apr 5 15:03:58 2010
|
||||
#include <tunables/global>
|
||||
@{LIBVIRT}="libvirt"
|
||||
|
||||
/usr/sbin/libvirtd flags=(attach_disconnected) {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/dbus>
|
||||
|
||||
capability kill,
|
||||
capability net_admin,
|
||||
capability net_raw,
|
||||
capability setgid,
|
||||
capability sys_admin,
|
||||
capability sys_module,
|
||||
capability sys_ptrace,
|
||||
capability sys_pacct,
|
||||
capability sys_nice,
|
||||
capability sys_chroot,
|
||||
capability setuid,
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability fowner,
|
||||
capability chown,
|
||||
capability setpcap,
|
||||
capability mknod,
|
||||
capability fsetid,
|
||||
capability audit_write,
|
||||
capability ipc_lock,
|
||||
|
||||
# Needed for vfio
|
||||
capability sys_resource,
|
||||
|
||||
mount options=(rw,rslave) -> /,
|
||||
mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
|
||||
|
||||
# libvirt provides any mounts under /dev to qemu namespaces
|
||||
mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,
|
||||
mount options=(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/},
|
||||
mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/,
|
||||
mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**,
|
||||
|
||||
network inet stream,
|
||||
network inet dgram,
|
||||
network inet6 stream,
|
||||
network inet6 dgram,
|
||||
network netlink raw,
|
||||
network packet dgram,
|
||||
network packet raw,
|
||||
|
||||
# for --p2p migrations
|
||||
unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
|
||||
|
||||
ptrace (read,trace) peer=unconfined,
|
||||
ptrace (read,trace) peer=/usr/sbin/libvirtd,
|
||||
ptrace (read,trace) peer=/usr/sbin/dnsmasq,
|
||||
ptrace (read,trace) peer=libvirt-*,
|
||||
|
||||
signal (send) peer=/usr/sbin/dnsmasq,
|
||||
signal (read, send) peer=libvirt-*,
|
||||
signal (send) set=("kill", "term") peer=unconfined,
|
||||
|
||||
# For communication/control to qemu-bridge-helper
|
||||
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
|
||||
signal (send) set=("term") peer=/usr/sbin/libvirtd//qemu_bridge_helper,
|
||||
|
||||
# allow connect with openGraphicsFD, direction reversed in newer versions
|
||||
unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
|
||||
# unconfined also required if guests run without security module
|
||||
unix (send, receive) type=stream addr=none peer=(label=unconfined),
|
||||
|
||||
# required if guests run unconfined seclabel type='none' but libvirtd is confined
|
||||
signal (read, send) peer=unconfined,
|
||||
|
||||
# Very lenient profile for libvirtd since we want to first focus on confining
|
||||
# the guests. Guests will have a very restricted profile.
|
||||
/ r,
|
||||
/** rwmkl,
|
||||
|
||||
/bin/* PUx,
|
||||
/sbin/* PUx,
|
||||
/usr/bin/* PUx,
|
||||
/usr/sbin/virtlogd pix,
|
||||
/usr/sbin/* PUx,
|
||||
/{usr/,}lib/udev/scsi_id PUx,
|
||||
/usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
|
||||
/usr/{lib,lib64}/xen/bin/* Ux,
|
||||
/usr/lib/xen-*/bin/libxl-save-helper PUx,
|
||||
|
||||
# Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
|
||||
# read and run an ebtables script.
|
||||
/var/lib/libvirt/virtd* ixr,
|
||||
|
||||
# force the use of virt-aa-helper
|
||||
audit deny /{usr/,}sbin/apparmor_parser rwxl,
|
||||
audit deny /etc/apparmor.d/libvirt/** wxl,
|
||||
audit deny /sys/kernel/security/apparmor/features rwxl,
|
||||
audit deny /sys/kernel/security/apparmor/matching rwxl,
|
||||
audit deny /sys/kernel/security/apparmor/.* rwxl,
|
||||
/sys/kernel/security/apparmor/profiles r,
|
||||
/usr/{lib,lib64}/libvirt/* PUxr,
|
||||
/usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
|
||||
/usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
|
||||
/etc/libvirt/hooks/** rmix,
|
||||
/etc/xen/scripts/** rmix,
|
||||
|
||||
# allow changing to our UUID-based named profiles
|
||||
change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
|
||||
|
||||
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
|
||||
# child profile for bridge helper process
|
||||
profile qemu_bridge_helper {
|
||||
#include <abstractions/base>
|
||||
|
||||
capability setuid,
|
||||
capability setgid,
|
||||
capability setpcap,
|
||||
capability net_admin,
|
||||
|
||||
network inet stream,
|
||||
|
||||
# For communication/control from libvirtd
|
||||
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
|
||||
signal (receive) set=("term") peer=/usr/sbin/libvirtd,
|
||||
|
||||
/dev/net/tun rw,
|
||||
/etc/qemu/** r,
|
||||
owner @{PROC}/*/status r,
|
||||
|
||||
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
|
||||
}
|
||||
}
|