From a8a560dd3aaa71d343729c699459fe156e382367 Mon Sep 17 00:00:00 2001
From: Jamie Strandboge
Date: Fri, 13 Nov 2009 15:19:05 +0100
Subject: [PATCH] AppArmor updates of examples

* examples/apparmor/libvirt-qemu: adds pulseaudio, alsa and preliminary save/restore to the example apparmor abstraction
* examples/apparmor/usr.sbin.libvirtd: allows libvirtd access to inet dgram, inet6 dgram, inet6 stream and /usr/lib/libvirt/*
---
 examples/apparmor/libvirt-qemu | 40 ++++++++++++++++++++++++++++-
 examples/apparmor/usr.sbin.libvirtd | 4 +++
 2 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 6555f85bab..a8c4a84a0f 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -1,4 +1,4 @@
-# Last Modified: Wed Jul 8 09:57:41 2009
+# Last Modified: Fri Nov 6 16:41:59 2009
 #include
 #include
@@ -24,6 +24,31 @@
 #/sys/devices/*/*/usb[0-9]*/** r,
 #/dev/bus/usb/*/[0-9]* rw,
+ # WARNING: this gives the guest direct access to host hardware and specific
+ # portions of shared memory. This is required for sound using ALSA with kvm,
+ # but may constitute a security risk. If your environment does not require
+ # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
+ # the rules for files in /dev.
+ /dev/shm/ r,
+ /dev/shm/pulse-shm* r,
+ /dev/shm/pulse-shm* rwk,
+ /dev/snd/* rw,
+ capability ipc_lock,
+ # 'kill' is not required for sound and is a security risk. Do not enable
+ # unless you absolutely need it.
+ deny capability kill,
+
+ /etc/pulse/client.conf r,
+ @{HOME}/.pulse-cookie rwk,
+ owner /root/.pulse-cookie rwk,
+ owner /root/.pulse/ rw,
+ owner /root/.pulse/* rw,
+ /usr/share/alsa/** r,
+ owner /tmp/pulse-*/ rw,
+ owner /tmp/pulse-*/* rw,
+ /var/lib/dbus/machine-id r,
+
+ # access to firmware's etc
 /usr/share/kvm/** r,
 /usr/share/qemu/** r,
 /usr/share/bochs/** r,
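Review bot: `@{HOME}/.pulse-cookie rwk,` is the only home-directory rule in this block without `owner`, while the neighbouring `/root/.pulse-cookie`, `/root/.pulse/` and `/tmp/pulse-*` rules all carry it; the PulseAudio cookie is the client's authentication secret, so when the guest process runs as a dedicated user this grants it read/write on every user's cookie under their home rather than only its own. `owner @{HOME}/.pulse-cookie rwk,` would match the surrounding rules, and if the broader access is deliberate the WARNING comment above should say so. Separately, `/dev/shm/pulse-shm* r,` is fully covered by `/dev/shm/pulse-shm* rwk,` on the next line and can be dropped.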
@@ -69,3 +94,16 @@
 /usr/bin/qemu-sparc32plus rmix,
 /usr/bin/qemu-sparc64 rmix,
 /usr/bin/qemu-x86_64 rmix,
+
+ # for save and resume
+ /bin/dash rmix,
+ /bin/dd rmix,
+ /bin/cat rmix,
+
+ # The svirt driver does not relabel the state file
+ # (https://bugzilla.redhat.com/show_bug.cgi?id=529363) resulting in denied
+ # messages. Uncommenting these lines can work around this somewhat by
+ # allowing users to save state files in the specified directory. We use
+ # 'owner' to make sure we don't overwrite the user's files.
+ #owner @{HOME}/libvirt-state-files/ r,
+ #owner @{HOME}/libvirt-state-files/** rw,
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 47d3916334..5f9fd53cad 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -23,6 +23,9 @@
 capability mknod,
 network inet stream,
+ network inet dgram,
+ network inet6 stream,
+ network inet6 dgram,
 # Very lenient profile for libvirtd since we want to first focus on confining
 # the guests. Guests will have a very restricted profile.
@@ -32,6 +35,7 @@
 /sbin/* Ux,
 /usr/bin/* Ux,
 /usr/sbin/* Ux,
+ /usr/lib/libvirt/* Ux,
 # force the use of virt-aa-helper
 audit deny /sbin/apparmor_parser rwxl,
-- GitLab
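Review bot: The comment `# for save and resume` does not say why a shell is on the list, and `/bin/dash` is a distribution-specific path: AppArmor mediates the resolved pathname, so on a system where /bin/sh resolves to a different binary these three rules grant nothing and save silently fails under the profile. Suggest `# save/restore: libvirt presumably runs the state sink via sh -c with dd/cat (dash is what /bin/sh resolves to on Debian-derived systems); adjust the path for other distributions` so readers of this example know what to adapt, with the "presumably" confirmed against the qemu driver before committing the wording. `ix` looks like the right mode here, since the commented-out `owner @{HOME}/libvirt-state-files/**` workaround below only takes effect if the helpers stay under this profile.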
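Review bot: The three new `network` rules carry no comment, unlike most permissions in this file, so a reader cannot tell which libvirtd feature needs UDP or IPv6 and the surrounding text only says the profile is deliberately lenient. A one-line comment above them naming the consumer, e.g. `# UDP and IPv6: needed for libvirtd's listeners and name resolution` if that is the actual reason (I cannot confirm it from the hunk), would make the example easier to tighten later.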
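Review bot: `/usr/lib/libvirt/* Ux,` executes everything in that directory unconfined, and the very next context line says this profile exists to force the use of virt-aa-helper; if virt-aa-helper is installed under /usr/lib/libvirt/ and ships with its own profile (neither is visible in this hunk, so please confirm), `Ux` means the helper runs without it. `/usr/lib/libvirt/* PUx,` would attach a matching profile when one is loaded and fall back to unconfined otherwise, so the rule keeps working for the other helpers in that directory. Whichever mode is kept deserves a comment, because the `Ux` rules above it cover system binaries rather than libvirt's own helpers and a reader will assume the same reasoning applies.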