feat(profiles): add most virtio related profiles.

2025-01-18 00:48:10 +01:00 · 2023-03-25 15:54:20 +00:00 · 2023-03-25 15:54:20 +00:00 · c7cf156de9
commit c7cf156de9
parent 02499d90f0
8 changed files with 300 additions and 21 deletions
--- a/apparmor.d/groups/virt/virtinterfaced
+++ b/apparmor.d/groups/virt/virtinterfaced
@ -0,0 +1,41 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/virtinterfaced
+profile virtinterfaced @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
+
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /{usr/,}lib/gconv/gconv-modules rm,
+  /{usr/,}lib/gconv/gconv-modules.d/{,*} r,
+
+        @{run}/systemd/inhibit/*.ref rw,
+  owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
+  owner @{run}/user/@{uid}/libvirt/interface/ rw,
+  owner @{run}/user/@{uid}/libvirt/interface/run rw,
+  owner @{run}/user/@{uid}/libvirt/interface/run/* rwk,
+  owner @{run}/user/@{uid}/libvirt/secrets/run/driver.pid rw,
+  owner @{run}/user/@{uid}/libvirt/virtinterfaced* rwk,
+
+  @{run}/utmp rk,
+
+  @{sys}/bus/ r,
+  @{sys}/class/ r,
+  @{sys}/class/net/ r,
+  @{sys}/devices/pci[0-9]*/**/net/{,**} r,
+  @{sys}/devices/virtual/net/{,**} r,
+
+  owner @{PROC}/@{pids}/stat r,
+
+  include if exists <local/virtinterfaced>
+}
--- a/apparmor.d/groups/virt/virtiofsd
+++ b/apparmor.d/groups/virt/virtiofsd
@ -1,44 +1,63 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = /{,usr/}lib/qemu/virtiofsd
-profile virtiofsd @{exec_path} flags=(attach_disconnected) {
+@{exec_path} = /{usr/,}lib/qemu/virtiofsd /{usr/,}{s,}bin/virtiofsd
+profile virtiofsd @{exec_path} {
  include <abstractions/base>

-  capability setgid,
-  capability setuid,
+  capability chown,
+  capability dac_override,
+  capability dac_read_search,
  capability fowner,
  capability fsetid,
-  capability sys_resource,
-  capability sys_admin,
+  capability mknod,
+  capability setfcap,
+  capability setgid,
  capability setpcap,
-  capability dac_read_search,
-  capability dac_override,
-  capability chown,
+  capability setuid,
+  capability sys_admin,
+  capability sys_resource,
+
+  mount options=(rw, bind) @{PROC}/1/fd/ -> @{PROC},
+  mount options=(rw, nosuid, nodev, noexec, relatime) -> @{PROC},
+  mount options=(rw, rslave) -> /,
+
+  mount options=(rw, rbind) -> @{user_publicshare_dirs}/,
+  mount options=(rw, rbind) -> @{user_vm_dirs}/,
+  mount options=(rw, rbind) -> @{user_vm_shares}/,
+
+  umount /,
+
+  pivot_root @{user_publicshare_dirs}/, # TODO: -> pivoted,
+  pivot_root @{user_vm_dirs}/,
+  pivot_root @{user_vm_shares}/,
+
+  signal (receive) set=term peer=libvirtd,

  unix (send, receive) type=stream peer=(addr=none, label=libvirt-@{uuid}),

-  mount options=(rw, rslave) -> /,
-  umount /,
-  mount options=(rw, nosuid, nodev, noexec, relatime) -> @{PROC},
-  mount options=(rw, bind) @{PROC}/1/fd/ -> @{PROC},
+  @{exec_path} mr,

-  @{exec_path} r,
+  / r,
+  /var/lib/libvirt/qemu/*/fs[0-9]*-fs.sock rw,

-  @{PROC}/sys/fs/file-max r,
+  @{user_publicshare_dirs}/{,**} r,
+  @{user_vm_dirs}/{,**} r,
+  @{user_vm_shares}/{,**} r,

  owner @{run}/libvirt/qemu/*.pid rw,

-  /var/lib/libvirt/qemu/*/fs[0-9]*-fs.sock rw,
+  @{PROC}/ r,
+  @{PROC}/sys/fs/file-max r,

-  # shared folders
-  mount options=(rw, rbind) -> @{user_vm_shares}/,
-  pivot_root @{user_vm_shares}/,
-  @{user_vm_shares}/ r,
+  # profile pivoted {
+  #   /{,**} rwl,
+  # }

  include if exists <local/virtiofsd>
-}
+}
--- a/apparmor.d/groups/virt/virtlockd
+++ b/apparmor.d/groups/virt/virtlockd
@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/virtlockd
+profile virtlockd @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  include if exists <local/virtlockd>
+}
--- a/apparmor.d/groups/virt/virtnetworkd
+++ b/apparmor.d/groups/virt/virtnetworkd
@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/virtnetworkd
+profile virtnetworkd @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/openssl>
+  include <abstractions/nameservice-strict>
+
+  network netlink raw,
+
+  ptrace (read) peer=virtqemud,
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/dnsmasq rPx,
+
+        @{run}/utmp rk,
+        @{run}/systemd/inhibit/*.ref rw,
+  owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
+  owner @{run}/user/@{uid}/libvirt/network/{,**} rwk,
+  owner @{run}/user/@{uid}/libvirt/virtnetworkd* rwk,
+
+  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/node/node[0-9]*/meminfo r,
+
+  owner @{PROC}/@{pid}/stat r,
+  owner @{PROC}/@{pids}/fd/ r,
+
+  include if exists <local/virtnetworkd>
+}
--- a/apparmor.d/groups/virt/virtnodedevd
+++ b/apparmor.d/groups/virt/virtnodedevd
@ -0,0 +1,80 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/virtnodedevd
+profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/devices-usb>
+  include <abstractions/disks-read>
+  include <abstractions/freedesktop.org>
+  include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
+
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/mdevctl rPx,
+
+  /usr/share/hwdata/pnp.ids r,
+
+  /etc/mdevctl.d/{,**} r,
+
+        @{run}/systemd/inhibit/*.ref rw,
+  owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
+  owner @{run}/user/@{uid}/libvirt/nodedev/{,**} rwk,
+  owner @{run}/user/@{uid}/libvirt/virtnodedevd* rwk,
+
+  @{run}/utmp rk,
+
+  @{run}/udev/data/+backlight:* r,
+  @{run}/udev/data/+bluetooth:* r,
+  @{run}/udev/data/+dmi:id r,
+  @{run}/udev/data/+drm:*      r,       # For screen outputs
+  @{run}/udev/data/+input* r,           # for mouse, keyboard, touchpad
+  @{run}/udev/data/+leds:* r,
+  @{run}/udev/data/+pci* r,
+  @{run}/udev/data/+platform* r,
+  @{run}/udev/data/+sound:* r,
+  @{run}/udev/data/+thunderbolt:* r,
+  @{run}/udev/data/+rfkill:* r,
+
+  @{run}/udev/data/c1:[0-9]* r,         # For RAM disk
+  @{run}/udev/data/c10:[0-9]* r,        # For non-serial mice, misc features
+  @{run}/udev/data/c13:[0-9]* r,        # for /dev/input/*
+  @{run}/udev/data/c90:[0-9]* r,        # For RAM, ROM, Flash
+  @{run}/udev/data/c116:[0-9]* r,       # For ALSA
+  @{run}/udev/data/c226:[0-9]* r,       # For /dev/dri/card[0-9]*
+  @{run}/udev/data/c23[4-9]:[0-9]* r,   # For dynamic assignment range 234 to 254
+  @{run}/udev/data/c24[0-9]:[0-9]* r,
+  @{run}/udev/data/c25[0-4]:[0-9]* r,
+  @{run}/udev/data/c3[0-9]*:[0-9]* r,   # For dynamic assignment range 384 to 511
+  @{run}/udev/data/c4[0-9]*:[0-9]* r,
+  @{run}/udev/data/c5[0-9]*:[0-9]* r,
+  @{run}/udev/data/n[0-9]* r,
+
+  @{sys}/**/ r,
+  @{sys}/devices/**/{class,revision,subsystem_vendor,subsystem_device} r,
+  @{sys}/devices/**/{config,device,vendor} r,
+  @{sys}/devices/**/uevent r,
+  @{sys}/devices/pci[0-9]*/**/net/{,**} r,
+  @{sys}/devices/pci[0-9]*/**/net/*/{duplex,address,speed,operstate} r,
+  @{sys}/devices/pci[0-9]*/**/numa_node r,
+  @{sys}/devices/pci[0-9]*/**/sriov_totalvfs r,
+  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/node/node[0-9]*/meminfo r,
+  @{sys}/devices/virtual/dmi/id/{product_name,sys_vendor,board_vendor,bios_vendor,bios_date} r,
+  @{sys}/devices/virtual/net/{,**} r,
+  @{sys}/kernel/iommu_groups/ r,
+  @{sys}/kernel/iommu_groups/[0-9]*/devices/ r,
+
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/stat r,
+
+  include if exists <local/virtnodedevd>
+}
--- a/apparmor.d/groups/virt/virtsecretd
+++ b/apparmor.d/groups/virt/virtsecretd
@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/virtsecretd
+profile virtsecretd @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
+
+  network netlink raw,
+
+  @{exec_path} mr,
+
+        @{run}/systemd/inhibit/*.ref rw,
+  owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
+  owner @{run}/user/@{uid}/libvirt/secrets/ rw,
+  owner @{run}/user/@{uid}/libvirt/secrets/run rw,
+  owner @{run}/user/@{uid}/libvirt/secrets/run/* rwk,
+  owner @{run}/user/@{uid}/libvirt/virtsecretd* rwk,
+
+  @{run}/utmp rk,
+
+  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/node/node[0-9]*/meminfo r,
+
+  owner @{PROC}/@{pids}/stat r,
+
+  include if exists <local/virtsecretd>
+}
--- a/apparmor.d/groups/virt/virtstoraged
+++ b/apparmor.d/groups/virt/virtstoraged
@ -0,0 +1,47 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# TODO: Similar with virtqemud. Could be merged?
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/virtstoraged
+profile virtstoraged @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
+
+  network netlink raw,
+
+  ptrace (read) peer=virtqemud,
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/qemu-system*  rUx, # TODO: Integration with virt-aa-helper
+  /{usr/,}bin/qemu-img      rUx, # TODO: Integration with virt-aa-helper
+
+  owner @{user_config_dirs}/libvirt/storage/{,**} rw,
+
+  owner @{user_share_dirs}/gnome-boxes/images/{,*} rw,
+  owner @{user_share_dirs}/images/{,*} rw,
+
+  owner @{run}/user/@{uid}/libvirt/common/ rw,
+  owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
+  owner @{run}/user/@{uid}/libvirt/virtstoraged* w,
+  owner @{run}/user/@{uid}/libvirt/virtstoraged.pid rwk,
+  owner @{run}/user/@{uid}/libvirt/storage/{,**} rwk,
+
+  @{run}/systemd/inhibit/[0-9]*.ref rw,
+  @{run}/utmp rwk,
+
+  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/node/node[0-9]*/meminfo r,
+
+  owner @{PROC}/@{pids}/stat r,
+  owner @{PROC}/@{pids}/fd/ r,
+
+  include if exists <local/virtstoraged>
+}
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@ -257,7 +257,13 @@ update-grub complain
 update-secureboot-policy complain
 userdbctl complain
 virt-manager attach_disconnected,complain
+virtinterfaced attach_disconnected,complain
 virtiofsd complain,attach_disconnected
+virtlockd complain
+virtnetworkd complain
+virtnodedevd complain
+virtsecretd complain
+virtstoraged attach_disconnected,complain
 wg complain
 wg-quick complain
 xdg-dbus-proxy attach_disconnected,complain