From 2df320609acc9d2dd79665b16381257bdaf92aef Mon Sep 17 00:00:00 2001
From: Jamie Strandboge
Date: Tue, 6 Apr 2010 22:56:07 +0200
Subject: [PATCH] Improve the apparmor example

* examples/apparmor/libvirt-qemu examples/apparmor/usr.sbin.libvirtd examples/apparmor/usr.lib.libvirt.virt-aa-helper: Update the examples
---
 examples/apparmor/libvirt-qemu | 27 +++++++++----------
 .../apparmor/usr.lib.libvirt.virt-aa-helper | 18 ++++++++++++-
 examples/apparmor/usr.sbin.libvirtd | 6 ++---
 3 files changed, 32 insertions(+), 19 deletions(-)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index a8c4a84a0f..faf86363c6 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -1,4 +1,4 @@
-# Last Modified: Fri Nov 6 16:41:59 2009
+# Last Modified: Mon Apr 5 15:11:27 2010
 #include
 #include
@@ -16,13 +16,11 @@
   /dev/kvm rw,
   /dev/ptmx rw,
   /dev/kqemu rw,
+  @{PROC}/*/status r,
 
-  # WARNING: uncommenting these gives the guest direct access to host hardware.
-  # This is required for USB pass through but is a security risk. You have been
-  # warned.
-  #/sys/bus/usb/devices/ r,
-  #/sys/devices/*/*/usb[0-9]*/** r,
-  #/dev/bus/usb/*/[0-9]* rw,
+  # For hostdev access. The actual devices will be added dynamically
+  /sys/bus/usb/devices/ r,
+  /sys/devices/*/*/usb[0-9]*/** r,
 
   # WARNING: this gives the guest direct access to host hardware and specific
   # portions of shared memory. This is required for sound using ALSA with kvm,
@@ -38,6 +36,9 @@
   # unless you absolutely need it.
   deny capability kill,
 
+  # Uncomment the following if you need access to /dev/fb*
+  #/dev/fb* rw,
+
   /etc/pulse/client.conf r,
   @{HOME}/.pulse-cookie rwk,
   owner /root/.pulse-cookie rwk,
@@ -56,6 +57,10 @@
   /usr/share/openhackware/** r,
   /usr/share/proll/** r,
   /usr/share/vgabios/** r,
+  /usr/share/seabios/** r,
+
+  # access PKI infrastructure
+  /etc/pki/libvirt-vnc/** r,
 
   # the various binaries
   /usr/bin/kvm rmix,
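Review bot: `@{PROC}/*/status r,` in the @@ -16,13 hunk lets every qemu process read the status file of every process on the host, which exposes PIDs, UIDs and capability sets of unrelated processes to a guest-facing process. If qemu only needs its own entry, `owner @{PROC}/[0-9]*/status r,` keeps the rule to files owned by the qemu user, the same `owner` qualifier this profile already applies to `/root/.pulse-cookie`; which entries qemu actually reads is not visible here and should be confirmed before narrowing. In the same hunk the USB sysfs rules that used to sit behind a commented warning become unconditional for all guests, so the new comment should record the exposure, e.g. `# For hostdev access: read-only view of the host USB topology for every guest; the device nodes themselves are added per guest dynamically`.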
@@ -99,11 +104,3 @@
   /bin/dash rmix,
   /bin/dd rmix,
   /bin/cat rmix,
-
-  # The svirt driver does not relabel the state file
-  # (https://bugzilla.redhat.com/show_bug.cgi?id=529363) resulting in denied
-  # messages. Uncommenting these lines can work around this somewhat by
-  # allowing users to save state files in the specified directory. We use
-  # 'owner' to make sure we don't overwrite the user's files.
-  #owner @{HOME}/libvirt-state-files/ r,
-  #owner @{HOME}/libvirt-state-files/** rw,
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index 096b6753fc..94bf3599a8 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -1,4 +1,4 @@
-# Last Modified: Mon Jul 06 17:22:37 2009
+# Last Modified: Mon Apr 5 15:10:27 2010
 #include
 
 /usr/lib/libvirt/virt-aa-helper {
@@ -14,9 +14,25 @@
   deny @{PROC}/[0-9]*/mounts r,
   @{PROC}/filesystems r,
 
+  # for hostdev
+  /sys/devices/ r,
+  /sys/devices/** r,
+
   /usr/lib/libvirt/virt-aa-helper mr,
   /sbin/apparmor_parser Ux,
   /etc/apparmor.d/libvirt/* r,
   /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+
+  # for backingstore -- allow access to non-hidden files in @{HOME} as well
+  # as storage pools
+  audit deny @{HOME}/.* mrwkl,
+  audit deny @{HOME}/.*/ rw,
+  audit deny @{HOME}/.*/** mrwkl,
+  audit deny @{HOME}/bin/ rw,
+  audit deny @{HOME}/bin/** mrwkl,
+  @{HOME}/ r,
+  @{HOME}/** r,
+  /var/lib/libvirt/images/ r,
+  /var/lib/libvirt/images/** r,
 }
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 5f9fd53cad..1b2483552b 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -1,4 +1,4 @@
-# Last Modified: Wed Sep 23 23:23:58 2009
+# Last Modified: Mon Apr 5 15:03:58 2010
 #include
 @{LIBVIRT}="libvirt"
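Review bot: `@{HOME}/** r,` near the end of the @@ -14,9 hunk makes every user's home directory readable by the helper, and the five `audit deny` lines above it are an exclusion list (dotfiles, dot-directories and `bin/`), so anything else under a home directory stays readable. The `# for backingstore` comment should say that explicitly so a later edit does not treat the deny lines as exhaustive, e.g. append `# NOTE: the deny rules are an exclusion list; everything else under @{HOME} is readable by this helper`. `/sys/devices/** r,` under `# for hostdev` is also broader than the USB-specific `/sys/devices/*/*/usb[0-9]*/**` rule the libvirt-qemu profile uses; if the helper only resolves USB and PCI device paths, naming the subtrees in the comment would let the rule be narrowed later. What `@{HOME}` expands to depends on the tunables included above this hunk, which are not visible here.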
@@ -21,6 +21,7 @@
   capability chown,
   capability setpcap,
   capability mknod,
+  capability fsetid,
 
   network inet stream,
   network inet dgram,
@@ -35,7 +36,6 @@
   /sbin/* Ux,
   /usr/bin/* Ux,
   /usr/sbin/* Ux,
-  /usr/lib/libvirt/* Ux,
 
   # force the use of virt-aa-helper
   audit deny /sbin/apparmor_parser rwxl,
@@ -44,7 +44,7 @@
   audit deny /sys/kernel/security/apparmor/matching rwxl,
   audit deny /sys/kernel/security/apparmor/.* rwxl,
   /sys/kernel/security/apparmor/profiles r,
-  /usr/lib/libvirt/virt-aa-helper Pxr,
+  /usr/lib/libvirt/* PUxr,
 
   # allow changing to our UUID-based named profiles
   change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
-- 
GitLab
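Review bot: `capability fsetid,` in the @@ -21,6 hunk is added without a comment saying which libvirtd operation needs it, whereas this profile explains its other non-obvious rules (`# force the use of virt-aa-helper`). CAP_FSETID lets the daemon modify files without the kernel clearing their setuid/setgid bits and set the setgid bit on files whose group it does not belong to, so the trigger is worth recording next to the rule, e.g. `# fsetid: needed by <operation that writes setuid/setgid files> -- TODO document`.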
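Review bot: Replacing `/usr/lib/libvirt/virt-aa-helper Pxr,` with `/usr/lib/libvirt/* PUxr,` in the @@ -44,7 hunk turns the helper's exec from fail-closed to fail-open: with `Px` the exec is refused when no profile for the target is loaded, while `PUx` falls back to running it unconfined. A missing or unloaded usr.lib.libvirt.virt-aa-helper profile would then run the helper, which in this patch is allowed to write `/etc/apparmor.d/libvirt/` profiles and execute `/sbin/apparmor_parser`, without confinement, which undercuts the `# force the use of virt-aa-helper` deny rules in the @@ -35,7 hunk above. The other helpers folded into the glob previously ran `Ux` (the line removed in @@ -35,7), so unconfined is unchanged for them; the helper itself deserves its own `Pxr` rule, which means the wildcard would need to be written so it does not also match virt-aa-helper, since one path with two exec modes is likely rejected by apparmor_parser as conflicting x modifiers. If the fallback is deliberate, say so next to the rule, e.g. `# PUx: helpers without a loaded profile run unconfined; virt-aa-helper is expected to have one`.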