On Tue, 12 Nov 2024 15:10:38 +0000 "Richard W.M. Jones" <rjo...@redhat.com> wrote:
> On Tue, Nov 12, 2024 at 03:29:11PM +0100, Stefano Brivio wrote: > > On Tue, 12 Nov 2024 13:52:43 +0000 > > "Richard W.M. Jones" <rjo...@redhat.com> wrote: > > > https://issues.redhat.com/browse/RHEL-65502 > > > > That's not a public link, > > Annoying. I should have made it public now. Sorry for the delay, it's public now. In any case, that has nothing to do with this issue: there, we had accesses to passwd(5) not covered by the SELinux policy, and it's fixed by: https://passt.top/passt/commit/?id=5e2446667729d01ef8208d0e7e866cee09c8a3fb in the AppArmor policy, we are already including the appropriate abstraction (<abstractions/nameservice>) for that. Back to the topic at hand: I started playing with an AppArmor profile for guestfs-tools. For example, for virt-sysprep, this works at least for basic operation: -- abi <abi/3.0>, include <tunables/global> profile guestfs-tools /usr/bin/virt-sysprep { include <abstractions/base> include <abstractions/consoles> include <abstractions/nameservice> /** mrixwlk, unix, signal (receive) peer=/usr/bin/virt-sysprep, signal (receive) peer=virt-sysprep, /usr/bin/passt Cx -> passt, profile passt { /usr/bin/passt r, signal (receive) set=("term") peer=/usr/bin/virt-sysprep, signal (receive) set=("term") peer=virt-sysprep, owner @{run}/user/[0-9]*/libguestfs*/passt.sock rw, owner @{run}/user/[0-9]*/libguestfs*/passt[0-9]*.pid rw, owner @{run}/libguestfs*/passt.sock rw, include if exists <abstractions/passt> } } -- But I have a question, mostly for Andrea. A reasonably complete profile for most guestfs-tools would, to some extent, look like a copy and paste of abstractions/libvirt-qemu, which, however, we shouldn't directly include here because of a few reasons: - it allows (of course) things that guestfs-tools will never need, ranging from '/dev/net/tun rw' to '/usr/share/alsa/** r' - we can include it only 'if exists', and libvirt shouldn't certainly be a dependency of guestfs-tools So it might be convenient to split abstractions/libvirt-qemu into a further abstraction, say, abstractions/qemu, including stuff such as (at least): -- /usr/bin/kvm rmix, /usr/bin/kvm-spice rmix, /usr/bin/qemu rmix, /usr/bin/qemu-aarch64 rmix, /usr/bin/qemu-alpha rmix, /usr/bin/qemu-arm rmix, # [...] /usr/share/AAVMF/** rk, /usr/share/bochs/** r, /usr/share/edk2-ovmf/** rk, /usr/share/kvm/** r, # [...] -- and then include that from both abstractions/libvirt-qemu and from the profile for guestfs-tools. Or I can just go ahead and copy and paste what's needed. Any preference or other suggestion? Thanks. -- Stefano
