diff options
| author |   Jamie Strandboge <jamie@ubuntu.com> | 2010-04-06 22:56:07 +0200 |
|---|---|---|
| committer |   Daniel Veillard <veillard@redhat.com> | 2010-04-06 23:01:24 +0200 |
| commit | 2df320609acc9d2dd79665b16381257bdaf92aef (patch) | |
| tree | 33395c4f53a948946290405028b3f7e665e4aa36 /examples | |
| parent | Improve virt-aa-helper to handle SDL graphics and cleanups (diff) | |
| download | libvirt-2df320609acc9d2dd79665b16381257bdaf92aef.tar.gz libvirt-2df320609acc9d2dd79665b16381257bdaf92aef.tar.bz2 libvirt-2df320609acc9d2dd79665b16381257bdaf92aef.zip | |
Improve the apparmor example
* examples/apparmor/libvirt-qemu examples/apparmor/usr.sbin.libvirtd
examples/apparmor/usr.lib.libvirt.virt-aa-helper: Update the examples
Diffstat (limited to 'examples')
| -rw-r--r-- | examples/apparmor/libvirt-qemu | 27 | ||||
| -rw-r--r-- | examples/apparmor/usr.lib.libvirt.virt-aa-helper | 18 | ||||
| -rw-r--r-- | examples/apparmor/usr.sbin.libvirtd | 6 |
3 files changed, 32 insertions, 19 deletions
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index a8c4a84a0..faf86363c 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -1,4 +1,4 @@ -# Last Modified: Fri Nov 6 16:41:59 2009 +# Last Modified: Mon Apr 5 15:11:27 2010 #include <abstractions/base> #include <abstractions/consoles> @@ -16,13 +16,11 @@ /dev/kvm rw, /dev/ptmx rw, /dev/kqemu rw, + @{PROC}/*/status r, - # WARNING: uncommenting these gives the guest direct access to host hardware. - # This is required for USB pass through but is a security risk. You have been - # warned. - #/sys/bus/usb/devices/ r, - #/sys/devices/*/*/usb[0-9]*/** r, - #/dev/bus/usb/*/[0-9]* rw, + # For hostdev access. The actual devices will be added dynamically + /sys/bus/usb/devices/ r, + /sys/devices/*/*/usb[0-9]*/** r, # WARNING: this gives the guest direct access to host hardware and specific # portions of shared memory. This is required for sound using ALSA with kvm, @@ -38,6 +36,9 @@ # unless you absolutely need it. deny capability kill, + # Uncomment the following if you need access to /dev/fb* + #/dev/fb* rw, + /etc/pulse/client.conf r, @{HOME}/.pulse-cookie rwk, owner /root/.pulse-cookie rwk, @@ -56,6 +57,10 @@ /usr/share/openhackware/** r, /usr/share/proll/** r, /usr/share/vgabios/** r, + /usr/share/seabios/** r, + + # access PKI infrastructure + /etc/pki/libvirt-vnc/** r, # the various binaries /usr/bin/kvm rmix, @@ -99,11 +104,3 @@ /bin/dash rmix, /bin/dd rmix, /bin/cat rmix, - - # The svirt driver does not relabel the state file - # (https://bugzilla.redhat.com/show_bug.cgi?id=529363) resulting in denied - # messages. Uncommenting these lines can work around this somewhat by - # allowing users to save state files in the specified directory. We use - # 'owner' to make sure we don't overwrite the user's files. - #owner @{HOME}/libvirt-state-files/ r, - #owner @{HOME}/libvirt-state-files/** rw, diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper index 096b6753f..94bf3599a 100644 --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper +++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper @@ -1,4 +1,4 @@ -# Last Modified: Mon Jul 06 17:22:37 2009 +# Last Modified: Mon Apr 5 15:10:27 2010 #include <tunables/global> /usr/lib/libvirt/virt-aa-helper { @@ -14,9 +14,25 @@ deny @{PROC}/[0-9]*/mounts r, @{PROC}/filesystems r, + # for hostdev + /sys/devices/ r, + /sys/devices/** r, + /usr/lib/libvirt/virt-aa-helper mr, /sbin/apparmor_parser Ux, /etc/apparmor.d/libvirt/* r, /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + + # for backingstore -- allow access to non-hidden files in @{HOME} as well + # as storage pools + audit deny @{HOME}/.* mrwkl, + audit deny @{HOME}/.*/ rw, + audit deny @{HOME}/.*/** mrwkl, + audit deny @{HOME}/bin/ rw, + audit deny @{HOME}/bin/** mrwkl, + @{HOME}/ r, + @{HOME}/** r, + /var/lib/libvirt/images/ r, + /var/lib/libvirt/images/** r, } diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 5f9fd53ca..1b2483552 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -1,4 +1,4 @@ -# Last Modified: Wed Sep 23 23:23:58 2009 +# Last Modified: Mon Apr 5 15:03:58 2010 #include <tunables/global> @{LIBVIRT}="libvirt" @@ -21,6 +21,7 @@ capability chown, capability setpcap, capability mknod, + capability fsetid, network inet stream, network inet dgram, @@ -35,7 +36,6 @@ /sbin/* Ux, /usr/bin/* Ux, /usr/sbin/* Ux, - /usr/lib/libvirt/* Ux, # force the use of virt-aa-helper audit deny /sbin/apparmor_parser rwxl, @@ -44,7 +44,7 @@ audit deny /sys/kernel/security/apparmor/matching rwxl, audit deny /sys/kernel/security/apparmor/.* rwxl, /sys/kernel/security/apparmor/profiles r, - /usr/lib/libvirt/virt-aa-helper Pxr, + /usr/lib/libvirt/* PUxr, # allow changing to our UUID-based named profiles change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, |