apparmor: QEMU bridge helper policy updates

This patch provides AppArmor policy updates for the QEMU bridge helper. The QEMU bridge helper is a SUID executable exec'd by QEMU that drops capabilities to CAP_NET_ADMIN and adds a tap device to a network bridge. Signed-off-by: N Richa Marwaha <rmarwah@linux.vnet.ibm.com> Signed-off-by: Corey Bryant<coreyb@linux.vnet.ibm.com>

apparmor: QEMU bridge helper policy updates
This patch provides AppArmor policy updates for the QEMU bridge helper. The QEMU bridge helper is a SUID executable exec'd by QEMU that drops capabilities to CAP_NET_ADMIN and adds a tap device to a network bridge. Signed-off-by: N Richa Marwaha <rmarwah@linux.vnet.ibm.com> Signed-off-by: Corey Bryant<coreyb@linux.vnet.ibm.com>
b0e47898 · Richa Marwaha · Michal Privoznik · e060f864 · b0e47898
隐藏空白更改
内联并排

Showing with 20 addition and 1 deletion

examples/apparmor/libvirt-qemu examples/apparmor/libvirt-qemu +20 -1

未找到文件。
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
-# Last Modified: Mon Apr  5 15:11:27 2010
+# Last Modified: Fri Mar 9 14:43:22 2012

  #include <abstractions/base>
  #include <abstractions/consoles>
@@ -108,3 +108,22 @@
  /bin/dash rmix,
  /bin/dd rmix,
  /bin/cat rmix,
+
+  /usr/libexec/qemu-bridge-helper Cx,
+  # child profile for bridge helper process
+  profile /usr/libexec/qemu-bridge-helper {
+   #include <abstractions/base>
+
+   capability setuid,
+   capability setgid,
+   capability setpcap,
+   capability net_admin,
+
+   network inet stream,
+
+   /dev/net/tun rw,
+   /etc/qemu/** r,
+   owner @{PROC}/*/status r,
+
+   /usr/libexec/qemu-bridge-helper rmix,
+  }