AppArmor: add rules needed with additional mediation features brought by Linux 4.14.

3b1d19e6 · intrigeri · Guido Günther · 2f3054c2 · 3b1d19e6 · 3b1d19e6
隐藏空白更改
内联并排

Showing with 8 addition and 0 deletion

examples/apparmor/libvirt-qemu examples/apparmor/libvirt-qemu +4 -0

examples/apparmor/usr.sbin.libvirtd examples/apparmor/usr.sbin.libvirtd +4 -0

未找到文件。
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -16,6 +16,10 @@
  network inet stream,
  network inet6 stream,

+  ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
+
+  signal (receive) peer=/usr/sbin/libvirtd,
+
  /dev/net/tun rw,
  /dev/kvm rw,
  /dev/ptmx rw,

--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -34,6 +34,7 @@
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,
+  network netlink raw,
  network packet dgram,
  network packet raw,

@@ -42,6 +43,9 @@
  ptrace (trace) peer=/usr/sbin/dnsmasq,
  ptrace (trace) peer=libvirt-*,

+  signal (send) peer=/usr/sbin/dnsmasq,
+  signal (read, send) peer=libvirt-*,
+
  # Very lenient profile for libvirtd since we want to first focus on confining
  # the guests. Guests will have a very restricted profile.
  / r,