diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus
index 85de26b0..6b8f606e 100644
--- a/apparmor.d/groups/virt/libvirt-dbus
+++ b/apparmor.d/groups/virt/libvirt-dbus
@@ -13,7 +13,7 @@ profile libvirt-dbus @{exec_path} {
 @{exec_path} mr,
- /{usr/,}{s,}bin/libvirtd rPUx,
+ /{usr/,}{s,}bin/libvirtd rPx,
 /usr/share/dbus-1/interfaces/org.libvirt.*.xml r,
diff --git a/apparmor.d/groups/virt/libvirt/TEMPLATE.lxc b/apparmor.d/groups/virt/libvirt/TEMPLATE.lxc
new file mode 100644
index 00000000..e4363647
--- /dev/null
+++ b/apparmor.d/groups/virt/libvirt/TEMPLATE.lxc
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) Libvirt Team
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# This profile is for the container whose UUID matches this file.
+
+abi ,
+
+include
+
+profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
+ include
+ include
+
+ # Globally allows everything to run under this profile
+ # These can be narrowed depending on the container's use.
+ file,
+ capability,
+ network,
+}
diff --git a/apparmor.d/groups/virt/libvirt/TEMPLATE.qemu b/apparmor.d/groups/virt/libvirt/TEMPLATE.qemu
new file mode 100644
index 00000000..79f9f8ce
--- /dev/null
+++ b/apparmor.d/groups/virt/libvirt/TEMPLATE.qemu
@@ -0,0 +1,17 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) Libvirt Team
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# This profile is for the VM whose UUID matches this file.
+
+abi ,
+
+include
+
+profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+}
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index ffbc9bed..1ab0c2c2 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
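Review bot: The change from `rPUx` to `rPx` on the libvirtd exec line drops the unconfined fallback, so when the `libvirtd` profile is not loaded the exec is now denied instead of running unconfined; that is the intended hardening, but nothing in the hunk records the new failure mode. Consider a comment above the rule, `# Px: libvirtd must run under its own profile; the exec is denied if that profile is not loaded`. The glob `/{usr/,}{s,}bin/libvirtd` appears to match the same four paths as the new `@{exec_path}` definition in the libvirtd hunk of this commit, so the transition should attach as expected, but the two spellings of the same binary are worth keeping in sync. The enclosing profile block starts and ends outside the hunk.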
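Review bot: The header comment of TEMPLATE.lxc does not say that `LIBVIRT_TEMPLATE` is a placeholder rather than a loadable profile name, nor where the file must be installed to be picked up; the virt-aa-helper profile deleted in this same commit reads and writes templates under `/etc/apparmor.d/libvirt/` (`/etc/apparmor.d/libvirt/* r,` and the `libvirt-[0-9a-f]*-…` rw rule), so moving the source from `profiles-g-l/libvirt/` to `groups/virt/libvirt/` presumably needs a matching install rule that is not visible in this diff. A comment such as `# LIBVIRT_TEMPLATE is substituted by virt-aa-helper when it generates the per-domain libvirt-<uuid> profile; install under /etc/apparmor.d/libvirt/` would make that dependency explicit, and the same applies to TEMPLATE.qemu. The `file,`, `capability,` and `network,` rules grant the container the whole file system, every capability and all network access, which the existing comment acknowledges; the `abi` and `include` targets are stripped in this rendering, so they could not be checked here. The deleted `usr.lib.libvirt.virt-aa-helper` has no replacement in the diff, so whether virt-aa-helper is still confined after this commit is worth stating in the description.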
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{,s}bin/libvirtd
+@{exec_path} = /{usr/,}sbin/libvirtd /{usr/,}bin/libvirtd
 profile libvirtd @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/profiles-g-l/libvirt/TEMPLATE.lxc b/apparmor.d/profiles-g-l/libvirt/TEMPLATE.lxc
deleted file mode 100644
index 6894aa6b..00000000
--- a/apparmor.d/profiles-g-l/libvirt/TEMPLATE.lxc
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# This profile is for the domain whose UUID matches this file.
-#
-
-include
-
-profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
- include
-
- # Globally allows everything to run under this profile
- # These can be narrowed depending on the container's use.
- file,
- capability,
- network,
-}
diff --git a/apparmor.d/profiles-g-l/libvirt/TEMPLATE.qemu b/apparmor.d/profiles-g-l/libvirt/TEMPLATE.qemu
deleted file mode 100644
index b242a775..00000000
--- a/apparmor.d/profiles-g-l/libvirt/TEMPLATE.qemu
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# This profile is for the domain whose UUID matches this file.
-#
-
-include
-
-profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
- include
-}
diff --git a/apparmor.d/profiles-s-z/usr.lib.libvirt.virt-aa-helper b/apparmor.d/profiles-s-z/usr.lib.libvirt.virt-aa-helper
deleted file mode 100644
index 6ee44562..00000000
--- a/apparmor.d/profiles-s-z/usr.lib.libvirt.virt-aa-helper
+++ /dev/null
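Review bot: The new `@{exec_path}` definition spells the attachment as two alternations, `/{usr/,}sbin/libvirtd /{usr/,}bin/libvirtd`, while the libvirt-dbus hunk in this same commit keeps the single-glob form `/{usr/,}{s,}bin/libvirtd` for the very same binary; both appear to match the same four paths, but two spellings for one binary invite drift when either is edited. If the split was needed because the parser handles the empty alternative in `{,s}` poorly in attachment specifications, a one-line comment such as `# split rather than {,s}bin: empty alternative is not usable in an attachment spec` would stop the next maintainer from folding it back; otherwise keep one form in both files. The profile block that follows starts inside the hunk and continues outside it.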
@@ -1,75 +0,0 @@
-#include
-
-profile virt-aa-helper /usr/lib/libvirt/virt-aa-helper {
- #include
- #include
-
- # needed for searching directories
- capability dac_override,
- capability dac_read_search,
-
- # needed for when disk is on a network filesystem
- network inet,
- network inet6,
-
- deny @{PROC}/[0-9]*/mounts r,
- @{PROC}/[0-9]*/net/psched r,
- owner @{PROC}/[0-9]*/status r,
- @{PROC}/filesystems r,
-
- # Used when internally running another command (namely apparmor_parser)
- @{PROC}/@{pid}/fd/ r,
-
- # allow reading libnl's classid file
- /etc/libnl{,-3}/classid r,
-
- # for gl enabled graphics
- /dev/dri/{,*} r,
-
- # for hostdev
- /sys/devices/ r,
- /sys/devices/** r,
- /sys/bus/usb/devices/ r,
- deny /dev/sd* r,
- deny /dev/vd* r,
- deny /dev/dm-* r,
- deny /dev/drbd[0-9]* r,
- deny /dev/dasd* r,
- deny /dev/nvme* r,
- deny /dev/zd[0-9]* r,
- deny /dev/mapper/ r,
- deny /dev/mapper/* r,
-
- /usr/lib/libvirt/virt-aa-helper mr,
- /{usr/,}{s,}bin/apparmor_parser Ux,
-
- /etc/apparmor.d/libvirt/* r,
- /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
-
- # for backingstore -- allow access to non-hidden files in @{HOME} as well
- # as storage pools
- audit deny @{HOME}/.* mrwkl,
- audit deny @{HOME}/.*/ rw,
- audit deny @{HOME}/.*/** mrwkl,
- audit deny @{HOME}/bin/ rw,
- audit deny @{HOME}/bin/** mrwkl,
- @{HOME}/ r,
- @{HOME}/** r,
- /var/lib/libvirt/images/ r,
- /var/lib/libvirt/images/** r,
- /var/lib/nova/instances/_base/* r,
- /{media,mnt,opt,srv}/** r,
- # For virt-sandbox
- /{,var/}run/libvirt/**/[sv]d[a-z] r,
-
- /**.img r,
- /**.raw r,
- /**.qcow{,2} r,
- /**.qed r,
- /**.vmdk r,
- /**.vhd r,
- /**.[iI][sS][oO] r,
- /**/disk{,.*} r,
-
- include if exists
-}
diff --git a/apparmor.d/profiles-s-z/usr.sbin.libvirtd b/apparmor.d/profiles-s-z/usr.sbin.libvirtd
deleted file mode 100644
index bae57d2d..00000000
--- a/apparmor.d/profiles-s-z/usr.sbin.libvirtd
+++ /dev/null
@@ -1,143 +0,0 @@
-#include
-@{LIBVIRT}="libvirt"
-
-profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
- #include
- #include
-
- capability kill,
- capability net_admin,
- capability net_raw,
- capability setgid,
- capability sys_admin,
- capability sys_module,
- capability sys_ptrace,
- capability sys_pacct,
- capability sys_nice,
- capability sys_chroot,
- capability setuid,
- capability dac_override,
- capability dac_read_search,
- capability fowner,
- capability chown,
- capability setpcap,
- capability mknod,
- capability fsetid,
- capability audit_write,
- capability ipc_lock,
- capability sys_rawio,
- capability bpf,
- capability perfmon,
-
- # Needed for vfio
- capability sys_resource,
-
- mount options=(rw,rslave) -> /,
- mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
- umount /{var/,}run/libvirt/qemu/*.dev/,
-
- # libvirt provides any mounts under /dev to qemu namespaces
- mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,
- mount options=(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/},
- mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/,
- mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**,
-
- network inet stream,
- network inet dgram,
- network inet6 stream,
- network inet6 dgram,
- network netlink raw,
- network packet dgram,
- network packet raw,
-
- # for --p2p migrations
- unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
-
- ptrace (read,trace) peer=unconfined,
- ptrace (read,trace) peer=@{profile_name},
- ptrace (read,trace) peer=dnsmasq,
- ptrace (read,trace) peer=/usr/sbin/dnsmasq,
- ptrace (read,trace) peer=libvirt-*,
- ptrace (read,trace) peer=virt-manager,
-
- signal (send) peer=dnsmasq,
- signal (send) peer=/usr/sbin/dnsmasq,
- signal (read, send) peer=libvirt-*,
- signal (send) set=("kill", "term") peer=unconfined,
-
- # For communication/control to qemu-bridge-helper
- unix (send, receive) type=stream addr=none 
peer=(label=libvirtd//qemu_bridge_helper),
- signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,
-
- # allow connect with openGraphicsFD, direction reversed in newer versions
- unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
- # unconfined also required if guests run without security module
- unix (send, receive) type=stream addr=none peer=(label=unconfined),
-
- # required if guests run unconfined seclabel type='none' but libvirtd is confined
- signal (read, send) peer=unconfined,
-
- # Very lenient profile for libvirtd since we want to first focus on confining
- # the guests. Guests will have a very restricted profile.
- / r,
- /** rwmkl,
-
- /bin/* PUx,
- /sbin/* PUx,
- /usr/bin/* PUx,
- /usr/sbin/virtlogd pix,
- /usr/sbin/* PUx,
- /{usr/,}lib/udev/scsi_id PUx,
- /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
- /usr/{lib,lib64,libexec}/xen/bin/* Ux,
- /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,
- /usr/{lib,libexec}/xen-*/bin/pygrub PUx,
- /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
- /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
-
- # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
- # read and run an ebtables script.
- /var/lib/libvirt/virtd* ixr,
-
- # force the use of virt-aa-helper
- audit deny /{usr/,}{s,}bin/apparmor_parser rwxl,
- audit deny /etc/apparmor.d/libvirt/** wxl,
- audit deny /sys/kernel/security/apparmor/features rwxl,
- audit deny /sys/kernel/security/apparmor/matching rwxl,
- audit deny /sys/kernel/security/apparmor/.* rwxl,
- /sys/kernel/security/apparmor/profiles r,
- /usr/lib/libvirt/* PUxr,
- /usr/lib/libvirt/libvirt_parthelper ix,
- /usr/lib/libvirt/libvirt_iohelper ix,
- /etc/libvirt/hooks/** rmix,
- /etc/xen/scripts/** rmix,
-
- # allow changing to our UUID-based named profiles
- change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
-
- /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
- # child profile for bridge helper process
- profile qemu_bridge_helper {
- #include
-
- capability setuid,
- capability setgid,
- capability setpcap,
- capability net_admin,
-
- network inet stream,
-
- # For communication/control from libvirtd
- unix (send, receive) type=stream addr=none peer=(label=libvirtd),
- signal (receive) set=("term") peer=/usr/sbin/libvirtd,
- signal (receive) set=("term") peer=libvirtd,
-
- /dev/net/tun rw,
- /etc/qemu/** r,
- owner @{PROC}/*/status r,
-
- /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
- }
-
- include if exists
-}