From 769627fc254eaea7ac0ff335e9fd194495202a1c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 3 Sep 2022 16:06:31 +0100
Subject: [PATCH] feat(profiles): remove libvirt abstractions.
---
 apparmor.d/abstractions/libvirt-lxc | 124 ---------
 apparmor.d/abstractions/libvirt-qemu | 258 -------------------
 apparmor.d/groups/virt/libvirt/TEMPLATE.lxc | 21 --
 apparmor.d/groups/virt/libvirt/TEMPLATE.qemu | 17 --
 4 files changed, 420 deletions(-)
 delete mode 100644 apparmor.d/abstractions/libvirt-lxc
 delete mode 100644 apparmor.d/abstractions/libvirt-qemu
 delete mode 100644 apparmor.d/groups/virt/libvirt/TEMPLATE.lxc
 delete mode 100644 apparmor.d/groups/virt/libvirt/TEMPLATE.qemu
diff --git a/apparmor.d/abstractions/libvirt-lxc b/apparmor.d/abstractions/libvirt-lxc
deleted file mode 100644
index f925ac27..00000000
--- a/apparmor.d/abstractions/libvirt-lxc
+++ /dev/null
@@ -1,124 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) Libvirt Team
-# Copyright (C) 2021 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- include
-
- # Allow receiving signals from libvirtd
- signal (receive) peer=libvirtd,
-
- umount,
-
- # ignore DENIED message on / remount
- deny mount options=(ro, remount) -> /,
-
- # allow tmpfs mounts everywhere
- mount fstype=tmpfs,
-
- # allow mqueue mounts everywhere
- mount fstype=mqueue,
-
- # allow fuse mounts everywhere
- mount fstype=fuse.*,
-
- # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
- mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
- deny @{PROC}/sys/fs/** wklx,
-
- # allow efivars to be mounted, writing to it will be blocked though
- mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
-
- # block some other dangerous paths
- deny @{PROC}/sysrq-trigger rwklx,
- deny @{PROC}/mem rwklx,
- deny @{PROC}/kmem rwklx,
-
- # deny writes in /sys except for /sys/fs/cgroup, also allow
- # fusectl, securityfs and debugfs to be mounted there (read-only)
- mount fstype=fusectl -> /sys/fs/fuse/connections/,
- mount fstype=securityfs -> /sys/kernel/security/,
- mount fstype=debugfs -> /sys/kernel/debug/,
- mount fstype=proc -> /proc/,
- mount fstype=sysfs -> /sys/,
- deny /sys/firmware/efi/efivars/** rwklx,
- deny /sys/kernel/security/** rwklx,
-
- # generated by: lxc-generate-aa-rules.py container-rules.base
- deny /proc/sys/[^kn]*{,/**} wklx,
- deny /proc/sys/k[^e]*{,/**} wklx,
- deny /proc/sys/ke[^r]*{,/**} wklx,
- deny /proc/sys/ker[^n]*{,/**} wklx,
- deny /proc/sys/kern[^e]*{,/**} wklx,
- deny /proc/sys/kerne[^l]*{,/**} wklx,
- deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
- deny /proc/sys/kernel/d[^o]*{,/**} wklx,
- deny /proc/sys/kernel/do[^m]*{,/**} wklx,
- deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
- deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
- deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
- deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
- deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
- deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
- deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
- deny /proc/sys/kernel/domainname?*{,/**} wklx,
- deny /proc/sys/kernel/h[^o]*{,/**} wklx,
- deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
- deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
- deny /proc/sys/kernel/host[^n]*{,/**} wklx,
- deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
- deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
- deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
- deny /proc/sys/kernel/hostname?*{,/**} wklx,
- deny /proc/sys/kernel/m[^s]*{,/**} wklx,
- deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
- deny /proc/sys/kernel/msg*/** wklx,
- deny /proc/sys/kernel/s[^he]*{,/**} wklx,
- deny /proc/sys/kernel/se[^m]*{,/**} wklx,
- deny /proc/sys/kernel/sem*/** wklx,
- deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
- deny /proc/sys/kernel/shm*/** wklx,
- deny /proc/sys/kernel?*{,/**} wklx,
- deny /proc/sys/n[^e]*{,/**} wklx,
- deny /proc/sys/ne[^t]*{,/**} wklx,
- deny /proc/sys/net?*{,/**} wklx,
- deny /sys/[^fdc]*{,/**} wklx,
- deny /sys/c[^l]*{,/**} wklx,
- deny /sys/cl[^a]*{,/**} wklx,
- deny /sys/cla[^s]*{,/**} wklx,
- deny /sys/clas[^s]*{,/**} wklx,
- deny /sys/class/[^n]*{,/**} wklx,
- deny /sys/class/n[^e]*{,/**} wklx,
- deny /sys/class/ne[^t]*{,/**} wklx,
- deny /sys/class/net?*{,/**} wklx,
- deny /sys/class?*{,/**} wklx,
- deny /sys/d[^e]*{,/**} wklx,
- deny /sys/de[^v]*{,/**} wklx,
- deny /sys/dev[^i]*{,/**} wklx,
- deny /sys/devi[^c]*{,/**} wklx,
- deny /sys/devic[^e]*{,/**} wklx,
- deny /sys/device[^s]*{,/**} wklx,
- deny /sys/devices/[^v]*{,/**} wklx,
- deny /sys/devices/v[^i]*{,/**} wklx,
- deny /sys/devices/vi[^r]*{,/**} wklx,
- deny /sys/devices/vir[^t]*{,/**} wklx,
- deny /sys/devices/virt[^u]*{,/**} wklx,
- deny /sys/devices/virtu[^a]*{,/**} wklx,
- deny /sys/devices/virtua[^l]*{,/**} wklx,
- deny /sys/devices/virtual/[^n]*{,/**} wklx,
- deny /sys/devices/virtual/n[^e]*{,/**} wklx,
- deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
- deny /sys/devices/virtual/net?*{,/**} wklx,
- deny /sys/devices/virtual?*{,/**} wklx,
- deny /sys/devices?*{,/**} wklx,
- deny /sys/f[^s]*{,/**} wklx,
- deny /sys/fs/[^c]*{,/**} wklx,
- deny /sys/fs/c[^g]*{,/**} wklx,
- deny /sys/fs/cg[^r]*{,/**} wklx,
- deny /sys/fs/cgr[^o]*{,/**} wklx,
- deny /sys/fs/cgro[^u]*{,/**} wklx,
- deny /sys/fs/cgrou[^p]*{,/**} wklx,
- deny /sys/fs/cgroup?*{,/**} wklx,
- deny /sys/fs?*{,/**} wklx,
-
- include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/libvirt-qemu b/apparmor.d/abstractions/libvirt-qemu
deleted file mode 100644
index 26acd605..00000000
--- a/apparmor.d/abstractions/libvirt-qemu
+++ /dev/null
@@ -1,258 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) Libvirt Team
-# Copyright (C) 2021-2022 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- include
- include
- include
-
- # required for reading disk images
- capability dac_override,
- capability dac_read_search,
- capability chown,
-
- # needed to drop privileges
- capability setgid,
- capability setuid,
-
- network inet stream,
- network inet6 stream,
-
- ptrace (readby, tracedby) peer=libvirtd,
- ptrace (readby, tracedby) peer=virtqemud,
-
- signal (receive) peer=libvirtd,
- signal (receive) peer=virtqemud,
-
- /dev/kvm rw,
- /dev/net/tun rw,
- /dev/ptmx rw,
- @{PROC}/*/status r,
- # When qemu is signaled to terminate, it will read cmdline of signaling
- # process for reporting purposes. Allowing read access to a process
- # cmdline may leak sensitive information embedded in the cmdline.
- @{PROC}/@{pid}/cmdline r,
- # Per man(5) proc, the kernel enforces that a thread may
- # only modify its comm value or those in its thread group.
- owner @{PROC}/@{pid}/task/@{tid}/comm rw,
- @{PROC}/sys/kernel/cap_last_cap r,
- @{PROC}/sys/vm/overcommit_memory r,
- # detect hardware capabilities via qemu_getauxval
- owner @{PROC}/*/auxv r,
- # allow reading libnl's classid file
- /etc/libnl{,-3}/classid r,
-
- # For hostdev access. The actual devices will be added dynamically
- /sys/bus/usb/devices/ r,
- /sys/devices/**/usb[0-9]*/** r,
- # libusb needs udev data about usb devices (~equal to content of lsusb -v)
- @{run}/udev/data/+usb* r,
- @{run}/udev/data/c16[6,7]* r,
- @{run}/udev/data/c18[0,8,9]* r,
-
- # WARNING: this gives the guest direct access to host hardware and specific
- # portions of shared memory. This is required for sound using ALSA with kvm,
- # but may constitute a security risk. If your environment does not require
- # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
- # the rules for files in /dev.
- /dev/snd/* rw,
- /{dev,run}/shm r,
- /{dev,run}/shmpulse-shm* r,
- /{dev,run}/shmpulse-shm* rwk,
- capability ipc_lock,
- # spice
- owner /{dev,run}/shm/spice.* rw,
- # 'kill' is not required for sound and is a security risk. Do not enable
- # unless you absolutely need it.
- deny capability kill,
-
- # Uncomment the following if you need access to /dev/fb*
- #/dev/fb* rw,
-
- /etc/pulse/client.conf r,
- @{HOME}/.pulse-cookie rwk,
- owner /root/.pulse-cookie rwk,
- owner /root/.pulse/ rw,
- owner /root/.pulse/* rw,
- /usr/share/alsa/** r,
- owner /tmp/pulse-*/ rw,
- owner /tmp/pulse-*/* rw,
- /var/lib/dbus/machine-id r,
-
- # access to firmware's etc
- /usr/share/AAVMF/** r,
- /usr/share/bochs/** r,
- /usr/share/edk2-ovmf/** rk,
- /usr/share/kvm/** r,
- /usr/share/misc/sgabios.bin r,
- /usr/share/openbios/** r,
- /usr/share/openhackware/** r,
- /usr/share/OVMF/** rk,
- /usr/share/ovmf/** rk,
- /usr/share/proll/** r,
- /usr/share/qemu-efi/** r,
- /usr/share/qemu-kvm/** r,
- /usr/share/qemu/** r,
- /usr/share/seabios/** r,
- /usr/share/sgabios/** r,
- /usr/share/slof/** r,
- /usr/share/vgabios/** r,
-
- # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
- /etc/pki/CA/ r,
- /etc/pki/CA/* r,
- /etc/pki/libvirt{,-spice,-vnc}/ r,
- /etc/pki/libvirt{,-spice,-vnc}/** r,
- /etc/pki/qemu/ r,
- /etc/pki/qemu/** r,
-
- # the various binaries
- /usr/bin/kvm rmix,
- /usr/bin/kvm-spice rmix,
- /usr/bin/qemu rmix,
- /usr/bin/qemu-aarch64 rmix,
- /usr/bin/qemu-alpha rmix,
- /usr/bin/qemu-arm rmix,
- /usr/bin/qemu-armeb rmix,
- /usr/bin/qemu-cris rmix,
- /usr/bin/qemu-i386 rmix,
- /usr/bin/qemu-kvm rmix,
- /usr/bin/qemu-m68k rmix,
- /usr/bin/qemu-microblaze rmix,
- /usr/bin/qemu-microblazeel rmix,
- /usr/bin/qemu-mips rmix,
- /usr/bin/qemu-mips64 rmix,
- /usr/bin/qemu-mips64el rmix,
- /usr/bin/qemu-mipsel rmix,
- /usr/bin/qemu-mipsn32 rmix,
- /usr/bin/qemu-mipsn32el rmix,
- /usr/bin/qemu-or32 rmix,
- /usr/bin/qemu-ppc rmix,
- /usr/bin/qemu-ppc64 rmix,
- /usr/bin/qemu-ppc64abi32 rmix,
- /usr/bin/qemu-ppc64le rmix,
- /usr/bin/qemu-s390x rmix,
- /usr/bin/qemu-sh4 rmix,
- /usr/bin/qemu-sh4eb rmix,
- /usr/bin/qemu-sparc rmix,
- /usr/bin/qemu-sparc32plus rmix,
- /usr/bin/qemu-sparc64 rmix,
- /usr/bin/qemu-system-aarch64 rmix,
- /usr/bin/qemu-system-alpha rmix,
- /usr/bin/qemu-system-arm rmix,
- /usr/bin/qemu-system-cris rmix,
- /usr/bin/qemu-system-hppa rmix,
- /usr/bin/qemu-system-i386 rmix,
- /usr/bin/qemu-system-lm32 rmix,
- /usr/bin/qemu-system-m68k rmix,
- /usr/bin/qemu-system-microblaze rmix,
- /usr/bin/qemu-system-microblazeel rmix,
- /usr/bin/qemu-system-mips rmix,
- /usr/bin/qemu-system-mips64 rmix,
- /usr/bin/qemu-system-mips64el rmix,
- /usr/bin/qemu-system-mipsel rmix,
- /usr/bin/qemu-system-moxie rmix,
- /usr/bin/qemu-system-nios2 rmix,
- /usr/bin/qemu-system-or1k rmix,
- /usr/bin/qemu-system-or32 rmix,
- /usr/bin/qemu-system-ppc rmix,
- /usr/bin/qemu-system-ppc64 rmix,
- /usr/bin/qemu-system-ppcemb rmix,
- /usr/bin/qemu-system-riscv32 rmix,
- /usr/bin/qemu-system-riscv64 rmix,
- /usr/bin/qemu-system-s390x rmix,
- /usr/bin/qemu-system-sh4 rmix,
- /usr/bin/qemu-system-sh4eb rmix,
- /usr/bin/qemu-system-sparc rmix,
- /usr/bin/qemu-system-sparc64 rmix,
- /usr/bin/qemu-system-tricore rmix,
- /usr/bin/qemu-system-unicore32 rmix,
- /usr/bin/qemu-system-x86_64 rmix,
- /usr/bin/qemu-system-xtensa rmix,
- /usr/bin/qemu-system-xtensaeb rmix,
- /usr/bin/qemu-unicore32 rmix,
- /usr/bin/qemu-x86_64 rmix,
- # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
- /usr/{lib,lib64}/qemu/*.so mr,
- /usr/lib/@{multiarch}/qemu/*.so mr,
-
- # let qemu load old shared objects after upgrades (LP: #1847361)
- /{var/,}run/qemu/*/*.so mr,
- # but explicitly deny writing to these files
- audit deny /{var/,}run/qemu/*/*.so w,
-
- # swtpm
- /{usr/,}bin/swtpm rmix,
- /usr/{lib,lib64}/libswtpm_libtpms.so mr,
- /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
-
- # for save and resume
- /{usr/,}bin/dash rmix,
- /{usr/,}bin/dd rmix,
- /{usr/,}bin/cat rmix,
-
- # for restore
- /{usr/,}bin/bash rmix,
-
- # for usb access
- /dev/bus/usb/ r,
- /etc/udev/udev.conf r,
- /sys/bus/ r,
- /sys/class/ r,
-
- # for rbd
- /etc/ceph/*.conf r,
-
- # Various functions will need to enumerate /tmp (e.g. ceph), allow the base
- # dir and a few known functions like samba support.
- # We want to avoid to give blanket rw permission to everything under /tmp,
- # users are expected to add site specific addons for more uncommon cases.
- # Qemu processes usually all run as the same users, so the "owner"
- # restriction prevents access to other services files, but not across
- # different instances.
- # This is a tradeoff between usability and security - if paths would be more
- # predictable that would be preferred - at least for write rules we would
- # want more unique paths per rule.
- /{,var/}tmp/ r,
- owner /{,var/}tmp/**/ r,
-
- # for file-posix getting limits since 9103f1ce
- /sys/devices/**/block/*/queue/max_segments r,
-
- # for ppc device-tree access
- @{PROC}/device-tree/ r,
- @{PROC}/device-tree/** r,
- /sys/firmware/devicetree/** r,
-
- # allow connect with openGraphicsFD to work
- unix (send, receive) type=stream addr=none peer=(label=libvirtd),
- unix (send, receive) type=stream addr=none peer=(label=virtqemud),
-
- # for gathering information about available host resources
- /sys/devices/system/cpu/ r,
- /sys/devices/system/node/ r,
- /sys/devices/system/node/node[0-9]*/meminfo r,
- /sys/module/vhost/parameters/max_mem_regions r,
-
- # silence refusals to open lttng files (see LP: #1432644)
- deny /dev/shm/lttng-ust-wait-* r,
- deny @{run}/shm/lttng-ust-wait-* r,
-
- # for vfio hotplug on systems without static vfio (LP: #1775777)
- /dev/vfio/vfio rw,
-
- # required for sasl GSSAPI plugin
- /etc/gss/mech.d/ r,
- /etc/gss/mech.d/* r,
-
- # required by libpmem init to fts_open()/fts_read() the symlinks in
- # /sys/bus/nd/devices
- / r, # harmless on any lsb compliant system
- /sys/bus/nd/devices/{,**/} r,
-
- # required for QEMU accessing UEFI nvram variables
- owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
- owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk,
-
- include if exists
diff --git a/apparmor.d/groups/virt/libvirt/TEMPLATE.lxc b/apparmor.d/groups/virt/libvirt/TEMPLATE.lxc
deleted file mode 100644
index e4363647..00000000
--- a/apparmor.d/groups/virt/libvirt/TEMPLATE.lxc
+++ /dev/null
@@ -1,21 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) Libvirt Team
-# Copyright (C) 2021 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# This profile is for the container whose UUID matches this file.
-
-abi ,
-
-include
-
-profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
- include
- include
-
- # Globally allows everything to run under this profile
- # These can be narrowed depending on the container's use.
- file,
- capability,
- network,
-}
diff --git a/apparmor.d/groups/virt/libvirt/TEMPLATE.qemu b/apparmor.d/groups/virt/libvirt/TEMPLATE.qemu
deleted file mode 100644
index 79f9f8ce..00000000
--- a/apparmor.d/groups/virt/libvirt/TEMPLATE.qemu
+++ /dev/null
@@ -1,17 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) Libvirt Team
-# Copyright (C) 2021 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# This profile is for the VM whose UUID matches this file.
-
-abi ,
-
-include
-
-profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
- include
- include
- include
- include
-}