From c7cf156de96633c189b2920422368aed10857a2f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Mar 2023 15:54:20 +0000 Subject: [PATCH] feat(profiles): add most virtio related profiles. --- apparmor.d/groups/virt/virtinterfaced | 41 ++++++++++++++ apparmor.d/groups/virt/virtiofsd | 61 +++++++++++++------- apparmor.d/groups/virt/virtlockd | 16 ++++++ apparmor.d/groups/virt/virtnetworkd | 36 ++++++++++++ apparmor.d/groups/virt/virtnodedevd | 80 +++++++++++++++++++++++++++ apparmor.d/groups/virt/virtsecretd | 34 ++++++++++++ apparmor.d/groups/virt/virtstoraged | 47 ++++++++++++++++ dists/flags/main.flags | 6 ++ 8 files changed, 300 insertions(+), 21 deletions(-) create mode 100644 apparmor.d/groups/virt/virtinterfaced create mode 100644 apparmor.d/groups/virt/virtlockd create mode 100644 apparmor.d/groups/virt/virtnetworkd create mode 100644 apparmor.d/groups/virt/virtnodedevd create mode 100644 apparmor.d/groups/virt/virtsecretd create mode 100644 apparmor.d/groups/virt/virtstoraged diff --git a/apparmor.d/groups/virt/virtinterfaced b/apparmor.d/groups/virt/virtinterfaced new file mode 100644 index 00000000..6ad01f9b --- /dev/null +++ b/apparmor.d/groups/virt/virtinterfaced 
@@ -0,0 +1,41 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{s,}bin/virtinterfaced
+profile virtinterfaced @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /{usr/,}lib/gconv/gconv-modules rm,
+ /{usr/,}lib/gconv/gconv-modules.d/{,*} r,
+
+ @{run}/systemd/inhibit/*.ref rw,
+ owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
+ owner @{run}/user/@{uid}/libvirt/interface/ rw,
+ owner @{run}/user/@{uid}/libvirt/interface/run rw,
+ owner @{run}/user/@{uid}/libvirt/interface/run/* rwk,
+ owner @{run}/user/@{uid}/libvirt/secrets/run/driver.pid rw,
+ owner @{run}/user/@{uid}/libvirt/virtinterfaced* rwk,
+
+ @{run}/utmp rk,
+
+ @{sys}/bus/ r,
+ @{sys}/class/ r,
+ @{sys}/class/net/ r,
+ @{sys}/devices/pci[0-9]*/**/net/{,**} r,
+ @{sys}/devices/virtual/net/{,**} r,
+
+ owner @{PROC}/@{pids}/stat r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd
index b6f83d53..3642ae1c 100644
--- a/apparmor.d/groups/virt/virtiofsd
+++ b/apparmor.d/groups/virt/virtiofsd
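Review bot: `owner @{run}/user/@{uid}/libvirt/secrets/run/driver.pid rw,` looks out of place in virtinterfaced: every other rule in the hunk is scoped to the interface driver's own run directory, and `owner @{run}/user/@{uid}/libvirt/interface/run/* rwk,` already covers a driver.pid under the interface tree. Unless this daemon really writes the secret driver's pid file, it is presumably a copy-paste from the virtsecretd profile and should be dropped, with `owner @{run}/user/@{uid}/libvirt/interface/run/driver.pid rw,` being what was intended if anything. Separately, this profile's `@{exec_path}` uses `/{usr/,}{s,}bin/` while virtnetworkd, virtnodedevd and virtstoraged in the same commit use `/{usr/,}bin/`; the modular libvirt daemons presumably ship in the same directory, so the set should agree on one form.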
@@ -1,44 +1,63 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only abi , include
-@{exec_path} = /{,usr/}lib/qemu/virtiofsd
-profile virtiofsd @{exec_path} flags=(attach_disconnected) {
+@{exec_path} = /{usr/,}lib/qemu/virtiofsd /{usr/,}{s,}bin/virtiofsd
+profile virtiofsd @{exec_path} {
 include
- capability setgid,
- capability setuid,
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
 capability fowner,
 capability fsetid,
- capability sys_resource,
- capability sys_admin,
+ capability mknod,
+ capability setfcap,
+ capability setgid,
 capability setpcap,
- capability dac_read_search,
- capability dac_override,
- capability chown,
+ capability setuid,
+ capability sys_admin,
+ capability sys_resource,
+
+ mount options=(rw, bind) @{PROC}/1/fd/ -> @{PROC},
+ mount options=(rw, nosuid, nodev, noexec, relatime) -> @{PROC},
+ mount options=(rw, rslave) -> /,
+
+ mount options=(rw, rbind) -> @{user_publicshare_dirs}/,
+ mount options=(rw, rbind) -> @{user_vm_dirs}/,
+ mount options=(rw, rbind) -> @{user_vm_shares}/,
+
+ umount /,
+
+ pivot_root @{user_publicshare_dirs}/, # TODO: -> pivoted,
+ pivot_root @{user_vm_dirs}/,
+ pivot_root @{user_vm_shares}/,
+
+ signal (receive) set=term peer=libvirtd,
 unix (send, receive) type=stream peer=(addr=none, label=libvirt-@{uuid}),
- mount options=(rw, rslave) -> /,
- umount /,
- mount options=(rw, nosuid, nodev, noexec, relatime) -> @{PROC},
- mount options=(rw, bind) @{PROC}/1/fd/ -> @{PROC},
+ @{exec_path} mr,
- @{exec_path} r,
+ / r,
+ /var/lib/libvirt/qemu/*/fs[0-9]*-fs.sock rw,
- @{PROC}/sys/fs/file-max r,
+ @{user_publicshare_dirs}/{,**} r,
+ @{user_vm_dirs}/{,**} r,
+ @{user_vm_shares}/{,**} r,
 owner @{run}/libvirt/qemu/*.pid rw,
- /var/lib/libvirt/qemu/*/fs[0-9]*-fs.sock rw,
+ @{PROC}/ r,
+ @{PROC}/sys/fs/file-max r,
- # shared folders
- mount options=(rw, rbind) -> @{user_vm_shares}/,
- pivot_root @{user_vm_shares}/,
-
@{user_vm_shares}/ r,
+ # profile pivoted {
+ # /{,**} rwl,
+ # } include if exists
-}
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/virtlockd b/apparmor.d/groups/virt/virtlockd new file mode 100644
index 00000000..b75c92a1
--- /dev/null
+++ b/apparmor.d/groups/virt/virtlockd
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/virtlockd
+profile virtlockd @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd new file mode 100644
index 00000000..e2cac0f3
--- /dev/null
+++ b/apparmor.d/groups/virt/virtnetworkd
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/virtnetworkd
+profile virtnetworkd @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ network netlink raw,
+
+ ptrace (read) peer=virtqemud,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dnsmasq rPx,
+
+ @{run}/utmp rk,
+ @{run}/systemd/inhibit/*.ref rw,
+ owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
+ owner @{run}/user/@{uid}/libvirt/network/{,**} rwk,
+ owner @{run}/user/@{uid}/libvirt/virtnetworkd* rwk,
+
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node[0-9]*/meminfo r,
+
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pids}/fd/ r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd new file mode 100644
index 00000000..120e1457
--- /dev/null
+++ b/apparmor.d/groups/virt/virtnodedevd
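Review bot: The `pivot_root` rules never move the task into another profile — the intended child is still commented out (`# profile pivoted {` … `# }`) and the first rule carries `# TODO: -> pivoted,` — so after virtiofsd pivots into a share it keeps running under this profile with `capability sys_admin`, `dac_override`, `chown`, `mknod` and `setfcap` for the whole time it serves guest file requests on the pivoted root. Finishing that TODO with a transition such as `pivot_root @{user_vm_shares}/ -> pivoted,` and a `pivoted` child profile that holds only the filesystem access the sandbox needs, and none of the mount/pivot capabilities, is what limits the post-pivot blast radius; if it has to stay open, a comment on the capability block stating that the full set is held for the process lifetime would help the next reader. The header also drops `flags=(attach_disconnected)` while the profile still issues `mount`, `umount /` and `pivot_root`, which produce disconnected paths, and dists/flags/main.flags in this same commit still lists `attach_disconnected` for virtiofsd, so confirm which of the two is authoritative.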
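Review bot: The virtlockd profile holds nothing beyond `@{exec_path} mr,` and the base abstraction, so in enforce mode the daemon presumably could not reach its lock, socket or pid files; main.flags in this commit puts it in `complain`, so this reads as a skeleton to be completed from the audit log. When the rules are filled in, keep them `owner`-scoped to the daemon's own run directory, following the `owner @{run}/user/@{uid}/libvirt/<driver>* rwk,` pattern the sibling profiles use, rather than a broad glob over the libvirt run tree. A one-line `# TODO: placeholder profile, rules still to be collected` above `@{exec_path} mr,` would make that intent explicit.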
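Review bot: `owner @{PROC}/@{pid}/stat r,` uses `@{pid}` while the line right after it and the sibling virtinterfaced, virtsecretd and virtstoraged profiles use `@{pids}`; both variables may well exist in the tunables, but the same kind of rule should use one of them across the set, so `owner @{PROC}/@{pids}/stat r,` here. `ptrace (read) peer=virtqemud,` is the one cross-process grant in this profile; a short comment saying why the network driver needs to inspect virtqemud (presumably to find a running domain's processes) would let a reviewer check it against future libvirt changes. The `rPx` transition on `/{usr/,}bin/dnsmasq` relies on a dnsmasq profile being present in this set; if none is loaded the exec is denied rather than falling back.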
@@ -0,0 +1,80 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/virtnodedevd
+profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/mdevctl rPx,
+
+ /usr/share/hwdata/pnp.ids r,
+
+ /etc/mdevctl.d/{,**} r,
+
+ @{run}/systemd/inhibit/*.ref rw,
+ owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
+ owner @{run}/user/@{uid}/libvirt/nodedev/{,**} rwk,
+ owner @{run}/user/@{uid}/libvirt/virtnodedevd* rwk,
+
+ @{run}/utmp rk,
+
+ @{run}/udev/data/+backlight:* r,
+ @{run}/udev/data/+bluetooth:* r,
+ @{run}/udev/data/+dmi:id r,
+ @{run}/udev/data/+drm:* r, # For screen outputs
+ @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
+ @{run}/udev/data/+leds:* r,
+ @{run}/udev/data/+pci* r,
+ @{run}/udev/data/+platform* r,
+ @{run}/udev/data/+sound:* r,
+ @{run}/udev/data/+thunderbolt:* r,
+ @{run}/udev/data/+rfkill:* r,
+
+ @{run}/udev/data/c1:[0-9]* r, # For RAM disk
+ @{run}/udev/data/c10:[0-9]* r, # For non-serial mice, misc features
+ @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
+ @{run}/udev/data/c90:[0-9]* r, # For RAM, ROM, Flash
+ @{run}/udev/data/c116:[0-9]* r, # For ALSA
+ @{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card[0-9]*
+ @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254
+ @{run}/udev/data/c24[0-9]:[0-9]* r,
+ @{run}/udev/data/c25[0-4]:[0-9]* r,
+ @{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511
+ @{run}/udev/data/c4[0-9]*:[0-9]* r,
+ @{run}/udev/data/c5[0-9]*:[0-9]* r,
+ @{run}/udev/data/n[0-9]* r,
+
+ @{sys}/**/ r,
+ @{sys}/devices/**/{class,revision,subsystem_vendor,subsystem_device} r,
+ @{sys}/devices/**/{config,device,vendor} r,
+ @{sys}/devices/**/uevent r,
+ @{sys}/devices/pci[0-9]*/**/net/{,**} r,
+ @{sys}/devices/pci[0-9]*/**/net/*/{duplex,address,speed,operstate} r,
+ @{sys}/devices/pci[0-9]*/**/numa_node r,
+ @{sys}/devices/pci[0-9]*/**/sriov_totalvfs r,
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node[0-9]*/meminfo r,
+ @{sys}/devices/virtual/dmi/id/{product_name,sys_vendor,board_vendor,bios_vendor,bios_date} r,
+ @{sys}/devices/virtual/net/{,**} r,
+ @{sys}/kernel/iommu_groups/ r,
+ @{sys}/kernel/iommu_groups/[0-9]*/devices/ r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/stat r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/virtsecretd b/apparmor.d/groups/virt/virtsecretd new file mode 100644
index 00000000..a2491549
--- /dev/null
+++ b/apparmor.d/groups/virt/virtsecretd
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{s,}bin/virtsecretd
+profile virtsecretd @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{run}/systemd/inhibit/*.ref rw,
+ owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
+ owner @{run}/user/@{uid}/libvirt/secrets/ rw,
+ owner @{run}/user/@{uid}/libvirt/secrets/run rw,
+ owner @{run}/user/@{uid}/libvirt/secrets/run/* rwk,
+ owner @{run}/user/@{uid}/libvirt/virtsecretd* rwk,
+
+ @{run}/utmp rk,
+
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node[0-9]*/meminfo r,
+
+ owner @{PROC}/@{pids}/stat r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/virtstoraged b/apparmor.d/groups/virt/virtstoraged new file mode 100644
index 00000000..6aaba4f9
--- /dev/null
+++ b/apparmor.d/groups/virt/virtstoraged
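Review bot: The comment on `@{run}/udev/data/c3[0-9]*:[0-9]* r,` says it covers the dynamic major range 384 to 511, but `c3[0-9]*` also matches majors 30–39 and 300–383, and the `c4[0-9]*`/`c5[0-9]*` lines likewise take in 40–59, 400–499 and 512–599, so the grant is much wider than the comment states. Patterns that track the intent are `@{run}/udev/data/c3[89][0-9]:[0-9]* r,`, `@{run}/udev/data/c4[0-9][0-9]:[0-9]* r,` and `@{run}/udev/data/c5[01][0-9]:[0-9]* r,` (380–519, still a slight over-approximation, which the comment should then say). Separately, `@{sys}/**/ r,` grants read on every directory under sysfs, which makes the later directory-only rules (`@{sys}/devices/system/node/ r,`, `@{sys}/kernel/iommu_groups/ r,`, `@{sys}/kernel/iommu_groups/[0-9]*/devices/ r,`) redundant; either drop those or narrow the wildcard to the subtrees the daemon enumerates. `/{usr/,}bin/mdevctl rPx,` needs an mdevctl profile in this set for the transition to succeed; confirm one exists.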
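Review bot: The profile covers the driver's run directory but not the secret store itself, which is the sensitive data this daemon exists to guard: no rule names a path under `/etc/libvirt/secrets/` (system mode) or `@{user_config_dirs}/libvirt/secrets/` (session mode), so in enforce mode the daemon presumably cannot read or write a single secret, and with main.flags putting it in `complain` the denials are only logged. When those rules are added, keep them `owner`-scoped and limited to that directory rather than a glob over all of `@{user_config_dirs}/libvirt/`, and note both locations in a comment so the system/session split is visible to the next reader. As with virtinterfaced, `@{exec_path}` here uses `/{usr/,}{s,}bin/` while the other new daemon profiles use `/{usr/,}bin/`; the set should agree on one form.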
@@ -0,0 +1,47 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# TODO: Similar with virtqemud. Could be merged?
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/virtstoraged
+profile virtstoraged @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ network netlink raw,
+
+ ptrace (read) peer=virtqemud,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/qemu-system* rUx, # TODO: Integration with virt-aa-helper
+ /{usr/,}bin/qemu-img rUx, # TODO: Integration with virt-aa-helper
+
+ owner @{user_config_dirs}/libvirt/storage/{,**} rw,
+
+ owner @{user_share_dirs}/gnome-boxes/images/{,*} rw,
+ owner @{user_share_dirs}/images/{,*} rw,
+
+ owner @{run}/user/@{uid}/libvirt/common/ rw,
+ owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
+ owner @{run}/user/@{uid}/libvirt/virtstoraged* w,
+ owner @{run}/user/@{uid}/libvirt/virtstoraged.pid rwk,
+ owner @{run}/user/@{uid}/libvirt/storage/{,**} rwk,
+
+ @{run}/systemd/inhibit/[0-9]*.ref rw,
+ @{run}/utmp rwk,
+
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node[0-9]*/meminfo r,
+
+ owner @{PROC}/@{pids}/stat r,
+ owner @{PROC}/@{pids}/fd/ r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 28949ece..bf059154 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -257,7 +257,13 @@ update-grub complain
 update-secureboot-policy complain
 userdbctl complain
 virt-manager attach_disconnected,complain
+virtinterfaced attach_disconnected,complain
 virtiofsd complain,attach_disconnected
+virtlockd complain
+virtnetworkd complain
+virtnodedevd complain
+virtsecretd complain
+virtstoraged attach_disconnected,complain
 wg complain
 wg-quick complain
 xdg-dbus-proxy attach_disconnected,complain
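Review bot: `/{usr/,}bin/qemu-img rUx,` (and the `qemu-system*` line above it) runs the child unconfined; qemu-img parses disk-image headers that the storage driver did not produce, so it is the exec in this profile that most wants confinement. Until the virt-aa-helper integration named in the TODO lands, `/{usr/,}bin/qemu-img rPUx,` would use a qemu-img profile as soon as one is present and only fall back to unconfined, whereas `rUx` stays unconfined regardless; whether virtstoraged needs to launch `qemu-system*` at all is worth confirming, since that looks like virtqemud's job. Also `@{run}/utmp rwk,` grants write on utmp where every other profile in this commit uses `@{run}/utmp rk,`; `rk` is presumably enough here too.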
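Review bot: The flags here disagree with the profile headers added in this same commit: virtnetworkd, virtnodedevd and virtsecretd declare `flags=(attach_disconnected)` in their profiles but get only `complain` here, while virtiofsd drops the flag from its header yet keeps `complain,attach_disconnected` in this file. If main.flags is what the build stamps into the profile headers, those profiles will either lose `attach_disconnected` or regain it silently; pick one source of truth and make the entries match, e.g. `virtnetworkd attach_disconnected,complain`, `virtnodedevd attach_disconnected,complain`, `virtsecretd attach_disconnected,complain`.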