Hi Felix, On Fri, Jan 03, 2014 at 10:58:14PM +0100, Felix Geyer wrote: > I've ported and tested the libvirt AppArmor support from the Ubuntu package. > > The only difference in the profiles is this addition to > usr.lib.libvirt.virt-aa-helper: > /etc/libnl-[0-9]/classid r, > > It can be enabled by setting this in /etc/libvirt/qemu.conf: > security_driver = "apparmor"
Can you please work on upstreaming this? I don't see why this should be in the Debian package. Who is going to maintain these policies in the future? Cheers, -- Guido > > Cheers, > Felix > > PS: Could you please enable parallel building: dh $@ > --builddirectory=$(DEB_BUILDDIR) --parallel. > That makes test-building so much more fun ;) > diff -Nru libvirt-1.2.0/debian/apparmor/libvirt-qemu > libvirt-1.2.0/debian/apparmor/libvirt-qemu > --- libvirt-1.2.0/debian/apparmor/libvirt-qemu 1970-01-01 > 01:00:00.000000000 +0100 > +++ libvirt-1.2.0/debian/apparmor/libvirt-qemu 2013-11-12 > 18:47:24.000000000 +0100 
> @@ -0,0 +1,140 @@ > +# Last Modified: Wed Jul 8 09:57:41 2009 > + > + #include <abstractions/base> > + #include <abstractions/consoles> > + #include <abstractions/nameservice> > + > + # required for reading disk images > + capability dac_override, > + capability dac_read_search, > + capability chown, > + > + # needed to drop privileges > + capability setgid, > + capability setuid, > + > + # this is needed with libcap-ng support, however it breaks a lot of things > + # atm, so just silence the denial until libcap-ng works right. LP: #522845 > + deny capability setpcap, > + > + network inet stream, > + network inet6 stream, > + > + /dev/net/tun rw, > + /dev/tap* rw, > + /dev/kvm rw, > + /dev/ptmx rw, > + /dev/kqemu rw, > + @{PROC}/*/status r, > + owner @{PROC}/*/auxv r, > + @{PROC}/sys/vm/overcommit_memory r, > + > + # For hostdev access. The actual devices will be added dynamically > + /sys/bus/usb/devices/ r, > + /sys/devices/**/usb[0-9]*/** r, > + > + # WARNING: this gives the guest direct access to host hardware and specific > + # portions of shared memory. This is required for sound using ALSA with > kvm, > + # but may constitute a security risk. If your environment does not require > + # the use of sound in your VMs, feel free to comment out or prepend 'deny' > to > + # the rules for files in /dev. > + /{dev,run}/shm r, > + /{dev,run}/shmpulse-shm* r, > + /{dev,run}/shmpulse-shm* rwk, > + /dev/snd/* rw, > + capability ipc_lock, > + # spice > + /usr/bin/qemu-system-i386-spice rmix, > + /usr/bin/qemu-system-x86_64-spice rmix, > + /run/shm/ r, > + owner /run/shm/spice.* rw, > + # 'kill' is not required for sound and is a security risk. Do not enable > + # unless you absolutely need it. 
> + deny capability kill, > + > + # Uncomment the following if you need access to /dev/fb* > + #/dev/fb* rw, > + > + /etc/pulse/client.conf r, > + @{HOME}/.pulse-cookie rwk, > + owner /root/.pulse-cookie rwk, > + owner /root/.pulse/ rw, > + owner /root/.pulse/* rw, > + /usr/share/alsa/** r, > + owner /tmp/pulse-*/ rw, > + owner /tmp/pulse-*/* rw, > + /var/lib/dbus/machine-id r, > + > + # access to firmware's etc > + /usr/share/kvm/** r, > + /usr/share/qemu/** r, > + /usr/share/bochs/** r, > + /usr/share/openbios/** r, > + /usr/share/openhackware/** r, > + /usr/share/proll/** r, > + /usr/share/vgabios/** r, > + /usr/share/seabios/** r, > + /usr/share/ovmf/** r, > + > + # access PKI infrastructure > + /etc/pki/libvirt-vnc/** r, > + > + # the various binaries > + /usr/bin/kvm rmix, > + /usr/bin/qemu rmix, > + /usr/bin/qemu-system-arm rmix, > + /usr/bin/qemu-system-cris rmix, > + /usr/bin/qemu-system-i386 rmix, > + /usr/bin/qemu-system-m68k rmix, > + /usr/bin/qemu-system-mips rmix, > + /usr/bin/qemu-system-mips64 rmix, > + /usr/bin/qemu-system-mips64el rmix, > + /usr/bin/qemu-system-mipsel rmix, > + /usr/bin/qemu-system-ppc rmix, > + /usr/bin/qemu-system-ppc64 rmix, > + /usr/bin/qemu-system-ppcemb rmix, > + /usr/bin/qemu-system-sh4 rmix, > + /usr/bin/qemu-system-sh4eb rmix, > + /usr/bin/qemu-system-sparc rmix, > + /usr/bin/qemu-system-sparc64 rmix, > + /usr/bin/qemu-system-x86_64 rmix, > + /usr/bin/qemu-system-x86_64-spice rmix, > + /usr/bin/qemu-alpha rmix, > + /usr/bin/qemu-arm rmix, > + /usr/bin/qemu-armeb rmix, > + /usr/bin/qemu-cris rmix, > + /usr/bin/qemu-i386 rmix, > + /usr/bin/qemu-m68k rmix, > + /usr/bin/qemu-mips rmix, > + /usr/bin/qemu-mipsel rmix, > + /usr/bin/qemu-ppc rmix, > + /usr/bin/qemu-ppc64 rmix, > + /usr/bin/qemu-ppc64abi32 rmix, > + /usr/bin/qemu-sh4 rmix, > + /usr/bin/qemu-sh4eb rmix, > + /usr/bin/qemu-sparc rmix, > + /usr/bin/qemu-sparc64 rmix, > + /usr/bin/qemu-sparc32plus rmix, > + /usr/bin/qemu-sparc64 rmix, > + /usr/bin/qemu-x86_64 rmix, > + 
> + # for save and resume > + /bin/dash rmix, > + /bin/dd rmix, > + /bin/cat rmix, > + /etc/pki/CA/ r, > + /etc/pki/CA/* r, > + /etc/pki/libvirt/ r, > + /etc/pki/libvirt/** r, > + > + # for rbd > + /etc/ceph/ceph.conf r, > + > + # for access to hugepages > + owner "/run/hugepages/kvm/libvirt/qemu/**" rw, > + > + # for usb access > + /dev/bus/usb/ r, > + /etc/udev/udev.conf r, > + /sys/bus/ r, > + /sys/class/ r, > diff -Nru libvirt-1.2.0/debian/apparmor/local-usr.sbin.libvirtd > libvirt-1.2.0/debian/apparmor/local-usr.sbin.libvirtd > --- libvirt-1.2.0/debian/apparmor/local-usr.sbin.libvirtd 1970-01-01 > 01:00:00.000000000 +0100 > +++ libvirt-1.2.0/debian/apparmor/local-usr.sbin.libvirtd 2012-12-05 > 23:37:34.000000000 +0100 > @@ -0,0 +1,2 @@ > +# Site-specific additions and overrides for usr.sbin.libvirtd. > +# For more details, please see /etc/apparmor.d/local/README. > diff -Nru libvirt-1.2.0/debian/apparmor/TEMPLATE > libvirt-1.2.0/debian/apparmor/TEMPLATE > --- libvirt-1.2.0/debian/apparmor/TEMPLATE 1970-01-01 01:00:00.000000000 > +0100 > +++ libvirt-1.2.0/debian/apparmor/TEMPLATE 2012-12-05 23:37:34.000000000 > +0100 > @@ -0,0 +1,9 @@ > +# > +# This profile is for the domain whose UUID matches this file. > +# > + > +#include <tunables/global> > + > +profile LIBVIRT_TEMPLATE { > + #include <abstractions/libvirt-qemu> > +} > diff -Nru libvirt-1.2.0/debian/apparmor/usr.lib.libvirt.virt-aa-helper > libvirt-1.2.0/debian/apparmor/usr.lib.libvirt.virt-aa-helper > --- libvirt-1.2.0/debian/apparmor/usr.lib.libvirt.virt-aa-helper > 1970-01-01 01:00:00.000000000 +0100 > +++ libvirt-1.2.0/debian/apparmor/usr.lib.libvirt.virt-aa-helper > 2014-01-03 22:13:41.000000000 +0100 
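Review bot: The two PulseAudio rules in the sound section are written as `/{dev,run}/shmpulse-shm*`, which matches a file literally named `shmpulse-shm…` directly in /dev or /run rather than anything under /dev/shm/, so as quoted they grant nothing (and the neighbouring `/{dev,run}/shm r,` lacks the trailing slash needed to read a directory). Unless this is mail mangling rather than the file's contents, they should read `/{dev,run}/shm/ r,`, `/{dev,run}/shm/pulse-shm* r,` and `/{dev,run}/shm/pulse-shm* rwk,`. Separately, `@{HOME}/.pulse-cookie rwk,` carries no `owner` qualifier while the /root variant does; since this abstraction confines the guest process itself, `owner @{HOME}/.pulse-cookie rwk,` stops a compromised guest from reading or overwriting other users' cookies. The duplicated `/usr/bin/qemu-sparc64 rmix,` and `/usr/bin/qemu-system-x86_64-spice rmix,` entries are harmless but worth deduplicating while the file is being touched.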
> @@ -0,0 +1,65 @@ > +# Last Modified: Mon Jul 06 17:22:37 2009 > +#include <tunables/global> > + > +/usr/lib/libvirt/virt-aa-helper { > + #include <abstractions/base> > + #include <abstractions/user-tmp> > + > + # needed for searching directories > + capability dac_override, > + capability dac_read_search, > + > + # needed for when disk is on a network filesystem > + network inet, > + > + deny @{PROC}/[0-9]*/mounts r, > + @{PROC}/[0-9]*/net/psched r, > + owner @{PROC}/[0-9]*/status r, > + @{PROC}/filesystems r, > + > + /etc/libnl-[0-9]/classid r, > + > + # for hostdev > + /sys/devices/ r, > + /sys/devices/** r, > + /sys/bus/usb/devices/ r, > + /sys/bus/usb/devices/** r, > + deny /dev/sd* r, > + deny /dev/dm-* r, > + deny /dev/mapper/ r, > + deny /dev/mapper/* r, > + > + /usr/lib/libvirt/virt-aa-helper mr, > + /sbin/apparmor_parser Ux, > + > + /etc/apparmor.d/libvirt/* r, > + > /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* > rw, > + > + # For backingstore, virt-aa-helper needs to peek inside the disk image, so > + # allow access to non-hidden files in @{HOME} as well as storage pools, and > + # removable media and filesystems, and certain file extentions. A > + # virt-aa-helper failure when checking a disk for backinsgstore is > non-fatal > + # (but obviously the backingstore won't be added). 
> + audit deny @{HOME}/.* mrwkl, > + audit deny @{HOME}/.*/ rw, > + audit deny @{HOME}/.*/** mrwkl, > + @{HOME}/ r, > + @{HOME}/** r, > + @{HOME}/.Private/** mrwlk, > + @{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk, > + > + /var/lib/libvirt/images/ r, > + /var/lib/libvirt/images/** r, > + /var/lib/nova/images/** r, > + /var/lib/nova/instances/_base/** r, > + /var/lib/eucalyptus/instances/**/disk* r, > + /var/lib/eucalyptus/instances/**/loader* r, > + /{media,mnt,opt,srv}/** r, > + > + /**.img r, > + /**.qcow{,2} r, > + /**.qed r, > + /**.vmdk r, > + /**.[iI][sS][oO] r, > + /**/disk{,.*} r, > +} > diff -Nru libvirt-1.2.0/debian/apparmor/usr.sbin.libvirtd > libvirt-1.2.0/debian/apparmor/usr.sbin.libvirtd > --- libvirt-1.2.0/debian/apparmor/usr.sbin.libvirtd 1970-01-01 > 01:00:00.000000000 +0100 > +++ libvirt-1.2.0/debian/apparmor/usr.sbin.libvirtd 2013-10-23 > 21:08:59.000000000 +0200 
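Review bot: `@{HOME}/.Private/** mrwlk,` looks shadowed by the `audit deny @{HOME}/.*/** mrwkl,` rule three lines above it: as far as apparmor.d semantics go, an explicit deny takes precedence over any allow regardless of specificity, so the helper can never open files under ~/.Private and every attempt would be logged as an audited denial. If the ecryptfs backing store genuinely needs to be readable, the deny patterns have to be narrowed to exclude that directory rather than relying on the later allow; if it is not needed (the decrypted view that `@{HOME}/** r,` already covers is what a backing-store lookup would normally hit), drop the line so the policy does not promise access it cannot deliver. Either way a one-line comment on the deny block stating that it wins over the allows below would save the next reader the same confusion.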
> @@ -0,0 +1,67 @@ > +# Last Modified: Mon Jul 6 17:23:58 2009 > +#include <tunables/global> > +@{LIBVIRT}="libvirt" > + > +/usr/sbin/libvirtd { > + #include <abstractions/base> > + #include <abstractions/dbus> > + # Site-specific additions and overrides. See local/README for details. > + #include <local/usr.sbin.libvirtd> > + > + capability kill, > + capability net_admin, > + capability net_raw, > + capability setgid, > + capability sys_admin, > + capability sys_module, > + capability sys_ptrace, > + capability sys_nice, > + capability sys_chroot, > + capability setuid, > + capability dac_override, > + capability dac_read_search, > + capability fowner, > + capability chown, > + capability setpcap, > + capability mknod, > + capability fsetid, > + capability ipc_lock, > + capability audit_write, > + > + network inet stream, > + network inet dgram, > + network inet6 stream, > + network inet6 dgram, > + network packet dgram, > + > + # for now, use a very lenient profile since we want to first focus on > + # confining the guests > + / r, > + /** rwmkl, > + > + /bin/* PUx, > + /sbin/* PUx, > + /usr/bin/* PUx, > + /usr/sbin/* PUx, > + /lib/udev/scsi_id PUx, > + /usr/lib/xen-common/bin/xen-toolstack PUx, > + > + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to > + # write and run an ebtables script. 
> + /var/lib/libvirt/virtd* ixr, > + > + # force the use of virt-aa-helper > + audit deny /sbin/apparmor_parser rwxl, > + audit deny /etc/apparmor.d/libvirt/** wxl, > + audit deny /sys/kernel/security/apparmor/features rwxl, > + audit deny /sys/kernel/security/apparmor/matching rwxl, > + audit deny /sys/kernel/security/apparmor/.* rwxl, > + /sys/kernel/security/apparmor/profiles r, > + /usr/lib/libvirt/* PUxr, > + /etc/libvirt/hooks/** rmix, > + /etc/xen/scripts/** rmix, > + > + # allow changing to our UUID-based named profiles > + change_profile -> > @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, > + > +} > diff -Nru libvirt-1.2.0/debian/control libvirt-1.2.0/debian/control > --- libvirt-1.2.0/debian/control 2013-12-28 11:30:35.000000000 +0100 > +++ libvirt-1.2.0/debian/control 2014-01-03 20:51:20.000000000 +0100 > @@ -37,6 +37,7 @@ > libsanlock-dev [linux-any], > libaudit-dev [linux-any], > libselinux1-dev (>= 2.0.82) [linux-any], > + libapparmor-dev [linux-any], > systemtap-sdt-dev [amd64 armel armhf i386 ia64 powerpc s390], > # for --with-storage-sheepdog > sheepdog [linux-any], > @@ -76,7 +77,7 @@ > iproute, > parted, > pm-utils > -Suggests: policykit-1, radvd, auditd, systemtap, systemd > +Suggests: policykit-1, radvd, auditd, systemtap, systemd, apparmor > Breaks: avahi-daemon (<< 0.6.31-3~) > Description: programs for the libvirt library > Libvirt is a C toolkit to interact with the virtualization capabilities > diff -Nru libvirt-1.2.0/debian/libvirt-bin.cron.daily > libvirt-1.2.0/debian/libvirt-bin.cron.daily > --- libvirt-1.2.0/debian/libvirt-bin.cron.daily 1970-01-01 > 01:00:00.000000000 +0100 > +++ libvirt-1.2.0/debian/libvirt-bin.cron.daily 2012-12-05 > 23:37:34.000000000 +0100 
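Review bot: The `# force the use of virt-aa-helper` deny block has a gap: `/** rwmkl,` still lets libvirtd write `/etc/apparmor.d/abstractions/libvirt-qemu`, `/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper` and `/etc/apparmor.d/local/usr.sbin.libvirtd`, and the shipped TEMPLATE `#include`s that abstraction, so a compromised libvirtd can still shape guest confinement on the next domain start without ever touching `/etc/apparmor.d/libvirt/` or apparmor_parser. Adding `audit deny /etc/apparmor.d/abstractions/libvirt-qemu wl,` and `audit deny /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper wl,` (and the same for the `local/` override) closes that while keeping the "lenient for now" posture the comment describes. Given `capability sys_module`, `capability sys_admin` and `/** rwmkl` together, the header comment should also say plainly that this profile is a denial-logging aid and not a containment boundary, so nobody deploys it believing otherwise.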
> @@ -0,0 +1,38 @@ > +#!/bin/sh > +# > +# clean out AppArmor profiles for virtual machines that no longer exist > +# > +set -e > + > +PROFILES_DIR="/etc/apparmor.d/libvirt" > +AA_PROFILES="/sys/kernel/security/apparmor/profiles" > + > +uuids="" > +remove_if_unused() { > + uuid=`basename "$1" | sed 's/libvirt-//' | egrep > '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'` || return > + > + # don't remove a profile for an existing VM > + echo "$uuids" | grep -q "$uuid" && return > + > + # don't remove a loaded profile > + if [ -e "$AA_PROFILES" ] && grep -q "$uuid" "$AA_PROFILES" ; then > + return > + fi > + > + find $PROFILES_DIR -name "libvirt-${uuid}*" -prune -type f -exec rm -f > -- '{}' \; > +} > + > +# read in all existing uuids > +for i in /etc/libvirt/qemu/*.xml ; do > + if [ -r "$i" ]; then > + uuid=`grep '<uuid>' "$i" | sed 's#.*<uuid>\(.*\)</uuid>.*#\1#'` > + uuids="$uuids $uuid" > + fi > +done > + > +for i in "$PROFILES_DIR"/libvirt-* ; do > + if [ -r "$i" ]; then > + basename "$i" | egrep -q '\.' && continue > + remove_if_unused "$i" || true > + fi > +done > diff -Nru libvirt-1.2.0/debian/libvirt-bin.postinst > libvirt-1.2.0/debian/libvirt-bin.postinst > --- libvirt-1.2.0/debian/libvirt-bin.postinst 2013-12-17 23:14:46.000000000 > +0100 > +++ libvirt-1.2.0/debian/libvirt-bin.postinst 2014-01-03 19:08:53.000000000 > +0100 
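Review bot: Both membership checks in `remove_if_unused` are unanchored substring greps, and `egrep` is used only as a pass-through filter, so `uuid` is whatever remained of the basename after stripping `libvirt-` rather than the matched UUID itself; extracting it with `egrep -o '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'` and testing with `grep -qw "$uuid"` makes the keep/remove decision exact instead of incidental. The "existing VM" check also consults only `/etc/libvirt/qemu/*.xml`; if any other driver on the host is run with the apparmor security driver, its domains are protected solely by the loaded-profile check, which is skipped whenever securityfs is not mounted — worth a comment stating that assumption. `find $PROFILES_DIR` should quote the variable for consistency with the rest of the script.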
> @@ -123,6 +123,13 @@ > for dir in qemu uml lxc; do > touch /var/log/libvirt/"${dir}"/.placeholder > done > + > + for p in usr.sbin.libvirtd usr.lib.libvirt.virt-aa-helper ; do > + profile="/etc/apparmor.d/$p" > + if [ -f "$profile" ] && aa-status --enabled 2>/dev/null; then > + apparmor_parser -r "$profile" || true > + fi > + done > ;; > > abort-upgrade|abort-remove|abort-deconfigure) > diff -Nru libvirt-1.2.0/debian/libvirt-bin.postrm > libvirt-1.2.0/debian/libvirt-bin.postrm > --- libvirt-1.2.0/debian/libvirt-bin.postrm 2013-12-17 23:14:46.000000000 > +0100 > +++ libvirt-1.2.0/debian/libvirt-bin.postrm 2014-01-03 16:57:29.000000000 > +0100 > @@ -34,6 +34,11 @@ > fi > > rm -rf /var/log/libvirt > + > + for f in usr.sbin.libvirtd usr.lib.libvirt.virt-aa-helper ; do > + rm -f /etc/apparmor.d/force-complain/$f >/dev/null 2>&1 || true > + rm -f /etc/apparmor.d/disable/$f >/dev/null 2>&1 || true > + done > ;; > remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) > ;; > diff -Nru libvirt-1.2.0/debian/rules libvirt-1.2.0/debian/rules > --- libvirt-1.2.0/debian/rules 2013-12-28 11:27:15.000000000 +0100 > +++ libvirt-1.2.0/debian/rules 2014-01-03 20:53:21.000000000 +0100 > @@ -30,6 +30,7 @@ > WITH_INIT_SCRIPT = --with-init-script=systemd > WITH_AUDIT = --with-audit > WITH_SELINUX = --with-selinux --with-secdriver-selinux > + WITH_APPARMOR = --with-apparmor --with-secdriver-apparmor > ifneq (,$(findstring $(DEB_HOST_ARCH), amd64 armel armhf i386 ia64 powerpc > s390)) > WITH_DTRACE = --with-dtrace > else > @@ -63,6 +64,7 @@ > WITH_INIT_SCRIPT = --with-init-script=none > WITH_AUDIT = --without-audit > WITH_SELINUX = --without-selinux > + WITH_APPARMOR = --without-apparmor > WITH_DTRACE = --without-dtrace > WITH_XEN = --without-xen > WITH_LIBXL = --without-libxl > @@ -91,6 +93,7 @@ > $(WITH_INIT_SCRIPT) \ > $(WITH_NUMA) \ > $(WITH_SELINUX) \ > + $(WITH_APPARMOR) \ > --without-esx \ > --without-phyp \ > $(WITH_CAPNG) \ 
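Review bot: `apparmor_parser -r "$profile" || true` makes a profile load failure silent, so a syntax error in a shipped or locally edited profile leaves libvirtd and virt-aa-helper running unconfined with nothing in the install log; at minimum warn, `apparmor_parser -r "$profile" || echo "warning: failed to load AppArmor profile $profile" >&2`. The `aa-status --enabled 2>/dev/null` guard also swallows a missing aa-status binary, which is acceptable as a skip condition but deserves a comment so it is not later "fixed" into a hard failure. If debhelper's dh_apparmor is available to this package it performs the reload, the force-complain/disable cleanup and the unload in one place and would replace both hand-written snippets.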
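Review bot: The postrm purge branch removes the force-complain and disable override links but never unloads the profiles themselves, so after a purge `usr.sbin.libvirtd` and `usr.lib.libvirt.virt-aa-helper` stay loaded in the kernel until reboot. Unloading them in the same loop with `apparmor_parser -R "/etc/apparmor.d/$f" 2>/dev/null || true` before the conffile disappears keeps the kernel state consistent with the filesystem. The `>/dev/null 2>&1 || true` on `rm -f` is redundant since `rm -f` already ignores missing files.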
> @@ -110,6 +113,8 @@ > LOGROTATE = $(basename $(basename $(notdir $(wildcard > daemon/libvirtd*.logrotate.in)))) > EXAMPLES_DIR = > $(CURDIR)/debian/libvirt-doc/usr/share/doc/libvirt-doc/examples/ > > +DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS) > + > %: > dh $@ --builddirectory=$(DEB_BUILDDIR) > > @@ -150,6 +155,17 @@ > # Don't ship api files in the daemon package > rm -r debian/libvirt-bin/usr/share/libvirt/api/ > > +ifeq ($(DEB_HOST_ARCH_OS),linux) > + cp debian/tmp/usr/lib/libvirt/virt-aa-helper > debian/libvirt-bin/usr/lib/libvirt > + mkdir -p debian/libvirt-bin/etc/apparmor.d/abstractions > debian/libvirt-bin/etc/apparmor.d/libvirt > + mkdir -p debian/libvirt-bin/etc/apparmor.d/local > + cp debian/apparmor/libvirt-qemu > debian/libvirt-bin/etc/apparmor.d/abstractions > + cp debian/apparmor/usr.lib.libvirt.virt-aa-helper > debian/libvirt-bin/etc/apparmor.d > + cp debian/apparmor/usr.sbin.libvirtd debian/libvirt-bin/etc/apparmor.d > + cp debian/apparmor/local-usr.sbin.libvirtd > debian/libvirt-bin/etc/apparmor.d/local/usr.sbin.libvirtd > + cp debian/apparmor/TEMPLATE debian/libvirt-bin/etc/apparmor.d/libvirt > +endif > + > override_dh_installinit: > dh_systemd_enable > dh_installinit --name=libvirt-bin --no-restart-on-upgrade -- defaults > 28 72 > _______________________________________________ > Pkg-libvirt-maintainers mailing list > pkg-libvirt-maintain...@lists.alioth.debian.org > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-libvirt-maintainers -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
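Review bot: `DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)` gives the variable recursive flavour, so dpkg-architecture is re-executed on every expansion whenever the environment did not preset it; `DEB_HOST_ARCH_OS := $(or $(DEB_HOST_ARCH_OS),$(shell dpkg-architecture -qDEB_HOST_ARCH_OS))` keeps the override-from-environment behaviour and runs the shell once. If debian/rules does not already do so, `include /usr/share/dpkg/architecture.mk` provides the same variable the standard Debian way and avoids the shell call entirely. The install hunk is otherwise straightforward; a short comment above the `ifeq` noting that virt-aa-helper and the profiles are Linux-only because AppArmor is would explain the conditional to non-Debian readers.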