2013-07-11 00:06:19 +02:00
|
|
|
Index: libvirt-1.1.0/examples/apparmor/Makefile.am
|
2011-08-08 23:26:58 +02:00
|
|
|
===================================================================
|
2013-07-11 00:06:19 +02:00
|
|
|
--- libvirt-1.1.0.orig/examples/apparmor/Makefile.am
|
|
|
|
+++ libvirt-1.1.0/examples/apparmor/Makefile.am
|
2013-06-05 00:48:46 +02:00
|
|
|
@@ -14,8 +14,45 @@
|
|
|
|
## License along with this library. If not, see
|
|
|
|
## <http://www.gnu.org/licenses/>.
|
2011-08-19 23:40:32 +02:00
|
|
|
|
|
|
|
-EXTRA_DIST= \
|
|
|
|
- TEMPLATE \
|
|
|
|
- libvirt-qemu \
|
|
|
|
- usr.lib.libvirt.virt-aa-helper \
|
|
|
|
- usr.sbin.libvirtd
|
|
|
|
+EXTRA_DIST= \
|
|
|
|
+ TEMPLATE \
|
2013-03-06 05:40:21 +01:00
|
|
|
+ libvirt-qemu.in \
|
2011-08-19 23:40:32 +02:00
|
|
|
+ usr.lib.libvirt.virt-aa-helper.in \
|
|
|
|
+ usr.sbin.libvirtd.in
|
2011-08-08 23:26:58 +02:00
|
|
|
+
|
|
|
|
+if WITH_SECDRIVER_APPARMOR
|
2011-08-19 23:40:32 +02:00
|
|
|
+
|
2013-03-06 05:40:21 +01:00
|
|
|
+libvirt-qemu: libvirt-qemu.in
|
|
|
|
+ sed \
|
|
|
|
+ -e 's![@]libdir[@]!$(libdir)!g' \
|
|
|
|
+ < $< > $@-t
|
|
|
|
+ mv $@-t $@
|
|
|
|
+
|
2011-08-19 23:40:32 +02:00
|
|
|
+usr.lib.libvirt.virt-aa-helper: usr.lib.libvirt.virt-aa-helper.in
|
|
|
|
+ sed \
|
|
|
|
+ -e 's![@]libdir[@]!$(libdir)!g' \
|
|
|
|
+ < $< > $@-t
|
|
|
|
+ mv $@-t $@
|
|
|
|
+
|
|
|
|
+usr.sbin.libvirtd: usr.sbin.libvirtd.in
|
|
|
|
+ sed \
|
|
|
|
+ -e 's![@]libdir[@]!$(libdir)!g' \
|
|
|
|
+ < $< > $@-t
|
|
|
|
+ mv $@-t $@
|
|
|
|
+
|
2013-03-06 05:40:21 +01:00
|
|
|
+install-data-local: libvirt-qemu usr.sbin.libvirtd usr.lib.libvirt.virt-aa-helper
|
2011-08-19 23:40:32 +02:00
|
|
|
+ mkdir -p $(DESTDIR)$(sysconfdir)/apparmor.d/
|
|
|
|
+ $(INSTALL_DATA) usr.lib.libvirt.virt-aa-helper $(DESTDIR)$(sysconfdir)/apparmor.d/usr.lib.libvirt.virt-aa-helper
|
|
|
|
+ $(INSTALL_DATA) usr.sbin.libvirtd $(DESTDIR)$(sysconfdir)/apparmor.d/usr.sbin.libvirtd
|
|
|
|
+ mkdir -p $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt
|
|
|
|
+ $(INSTALL_DATA) TEMPLATE $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt/TEMPLATE
|
|
|
|
+ mkdir -p $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions
|
|
|
|
+ $(INSTALL_DATA) libvirt-qemu $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/libvirt-qemu
|
|
|
|
+
|
|
|
|
+uninstall-local::
|
|
|
|
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/usr.lib.libvirt.virt-aa-helper
|
|
|
|
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/usr.sbin.libvirtd
|
|
|
|
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/libvirt-qemu
|
|
|
|
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt/TEMPLATE
|
|
|
|
+
|
2011-08-08 23:26:58 +02:00
|
|
|
+endif
|
2013-07-11 00:06:19 +02:00
|
|
|
Index: libvirt-1.1.0/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
|
2011-08-19 23:40:32 +02:00
|
|
|
===================================================================
|
|
|
|
--- /dev/null
|
2013-07-11 00:06:19 +02:00
|
|
|
+++ libvirt-1.1.0/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
|
2011-08-19 23:40:32 +02:00
|
|
|
@@ -0,0 +1,40 @@
|
|
|
|
+# Last Modified: Fri Aug 19 11:21:48 2011
|
|
|
|
+#include <tunables/global>
|
|
|
|
+
|
|
|
|
+@libdir@/libvirt/virt-aa-helper {
|
|
|
|
+ #include <abstractions/base>
|
|
|
|
+
|
|
|
|
+ # needed for searching directories
|
|
|
|
+ capability dac_override,
|
|
|
|
+ capability dac_read_search,
|
|
|
|
+
|
|
|
|
+ # needed for when disk is on a network filesystem
|
|
|
|
+ network inet,
|
|
|
|
+
|
|
|
|
+ deny @{PROC}/[0-9]*/mounts r,
|
|
|
|
+ @{PROC}/filesystems r,
|
|
|
|
+
|
|
|
|
+ # for hostdev
|
|
|
|
+ /sys/devices/ r,
|
|
|
|
+ /sys/devices/** r,
|
|
|
|
+
|
|
|
|
+ @libdir@/libvirt/virt-aa-helper mr,
|
|
|
|
+ /sbin/apparmor_parser Ux,
|
|
|
|
+
|
|
|
|
+ /etc/apparmor.d/libvirt/* r,
|
|
|
|
+ /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
|
|
|
|
+
|
|
|
|
+ # for backingstore -- allow access to non-hidden files in @{HOME} as well
|
|
|
|
+ # as storage pools
|
|
|
|
+ audit deny @{HOME}/.* mrwkl,
|
|
|
|
+ audit deny @{HOME}/.*/ rw,
|
|
|
|
+ audit deny @{HOME}/.*/** mrwkl,
|
|
|
|
+ audit deny @{HOME}/bin/ rw,
|
|
|
|
+ audit deny @{HOME}/bin/** mrwkl,
|
|
|
|
+ @{HOME}/ r,
|
|
|
|
+ @{HOME}/** r,
|
|
|
|
+ /var/lib/libvirt/images/ r,
|
|
|
|
+ /var/lib/libvirt/images/** r,
|
|
|
|
+ /var/lib/kvm/images/ r,
|
|
|
|
+ /var/lib/kvm/images/** r,
|
|
|
|
+}
|
2013-07-11 00:06:19 +02:00
|
|
|
Index: libvirt-1.1.0/examples/apparmor/usr.lib.libvirt.virt-aa-helper
|
2011-08-19 23:40:32 +02:00
|
|
|
===================================================================
|
2013-07-11 00:06:19 +02:00
|
|
|
--- libvirt-1.1.0.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
|
2011-08-19 23:40:32 +02:00
|
|
|
+++ /dev/null
|
|
|
|
@@ -1,38 +0,0 @@
|
|
|
|
-# Last Modified: Mon Apr 5 15:10:27 2010
|
|
|
|
-#include <tunables/global>
|
|
|
|
-
|
|
|
|
-/usr/lib/libvirt/virt-aa-helper {
|
|
|
|
- #include <abstractions/base>
|
|
|
|
-
|
|
|
|
- # needed for searching directories
|
|
|
|
- capability dac_override,
|
|
|
|
- capability dac_read_search,
|
|
|
|
-
|
|
|
|
- # needed for when disk is on a network filesystem
|
|
|
|
- network inet,
|
|
|
|
-
|
|
|
|
- deny @{PROC}/[0-9]*/mounts r,
|
|
|
|
- @{PROC}/filesystems r,
|
|
|
|
-
|
|
|
|
- # for hostdev
|
|
|
|
- /sys/devices/ r,
|
|
|
|
- /sys/devices/** r,
|
|
|
|
-
|
|
|
|
- /usr/lib/libvirt/virt-aa-helper mr,
|
|
|
|
- /sbin/apparmor_parser Ux,
|
|
|
|
-
|
|
|
|
- /etc/apparmor.d/libvirt/* r,
|
|
|
|
- /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
|
|
|
|
-
|
|
|
|
- # for backingstore -- allow access to non-hidden files in @{HOME} as well
|
|
|
|
- # as storage pools
|
|
|
|
- audit deny @{HOME}/.* mrwkl,
|
|
|
|
- audit deny @{HOME}/.*/ rw,
|
|
|
|
- audit deny @{HOME}/.*/** mrwkl,
|
|
|
|
- audit deny @{HOME}/bin/ rw,
|
|
|
|
- audit deny @{HOME}/bin/** mrwkl,
|
|
|
|
- @{HOME}/ r,
|
|
|
|
- @{HOME}/** r,
|
|
|
|
- /var/lib/libvirt/images/ r,
|
|
|
|
- /var/lib/libvirt/images/** r,
|
|
|
|
-}
|
2013-07-11 00:06:19 +02:00
|
|
|
Index: libvirt-1.1.0/examples/apparmor/usr.sbin.libvirtd
|
2011-08-19 23:40:32 +02:00
|
|
|
===================================================================
|
2013-07-11 00:06:19 +02:00
|
|
|
--- libvirt-1.1.0.orig/examples/apparmor/usr.sbin.libvirtd
|
2011-08-19 23:40:32 +02:00
|
|
|
+++ /dev/null
|
|
|
|
@@ -1,52 +0,0 @@
|
|
|
|
-# Last Modified: Mon Apr 5 15:03:58 2010
|
|
|
|
-#include <tunables/global>
|
|
|
|
-@{LIBVIRT}="libvirt"
|
|
|
|
-
|
|
|
|
-/usr/sbin/libvirtd {
|
|
|
|
- #include <abstractions/base>
|
|
|
|
-
|
|
|
|
- capability kill,
|
|
|
|
- capability net_admin,
|
|
|
|
- capability net_raw,
|
|
|
|
- capability setgid,
|
|
|
|
- capability sys_admin,
|
|
|
|
- capability sys_module,
|
|
|
|
- capability sys_ptrace,
|
|
|
|
- capability sys_nice,
|
|
|
|
- capability sys_chroot,
|
|
|
|
- capability setuid,
|
|
|
|
- capability dac_override,
|
|
|
|
- capability dac_read_search,
|
|
|
|
- capability fowner,
|
|
|
|
- capability chown,
|
|
|
|
- capability setpcap,
|
|
|
|
- capability mknod,
|
|
|
|
- capability fsetid,
|
|
|
|
-
|
|
|
|
- network inet stream,
|
|
|
|
- network inet dgram,
|
|
|
|
- network inet6 stream,
|
|
|
|
- network inet6 dgram,
|
|
|
|
-
|
|
|
|
- # Very lenient profile for libvirtd since we want to first focus on confining
|
|
|
|
- # the guests. Guests will have a very restricted profile.
|
|
|
|
- /** rwmkl,
|
|
|
|
-
|
|
|
|
- /bin/* Ux,
|
|
|
|
- /sbin/* Ux,
|
|
|
|
- /usr/bin/* Ux,
|
|
|
|
- /usr/sbin/* Ux,
|
|
|
|
-
|
|
|
|
- # force the use of virt-aa-helper
|
|
|
|
- audit deny /sbin/apparmor_parser rwxl,
|
|
|
|
- audit deny /etc/apparmor.d/libvirt/** wxl,
|
|
|
|
- audit deny /sys/kernel/security/apparmor/features rwxl,
|
|
|
|
- audit deny /sys/kernel/security/apparmor/matching rwxl,
|
|
|
|
- audit deny /sys/kernel/security/apparmor/.* rwxl,
|
|
|
|
- /sys/kernel/security/apparmor/profiles r,
|
|
|
|
- /usr/lib/libvirt/* PUxr,
|
|
|
|
-
|
|
|
|
- # allow changing to our UUID-based named profiles
|
|
|
|
- change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
|
|
|
|
-
|
|
|
|
-}
|
2013-07-11 00:06:19 +02:00
|
|
|
Index: libvirt-1.1.0/examples/apparmor/usr.sbin.libvirtd.in
|
2011-08-19 23:40:32 +02:00
|
|
|
===================================================================
|
|
|
|
--- /dev/null
|
2013-07-11 00:06:19 +02:00
|
|
|
+++ libvirt-1.1.0/examples/apparmor/usr.sbin.libvirtd.in
|
2013-03-08 20:47:00 +01:00
|
|
|
@@ -0,0 +1,58 @@
|
2011-08-19 23:40:32 +02:00
|
|
|
+# Last Modified: Fri Aug 19 11:20:36 2011
|
|
|
|
+#include <tunables/global>
|
|
|
|
+@{LIBVIRT}="libvirt"
|
|
|
|
+
|
|
|
|
+/usr/sbin/libvirtd {
|
|
|
|
+ #include <abstractions/base>
|
|
|
|
+
|
|
|
|
+ capability kill,
|
|
|
|
+ capability net_admin,
|
|
|
|
+ capability net_raw,
|
|
|
|
+ capability setgid,
|
|
|
|
+ capability sys_admin,
|
|
|
|
+ capability sys_module,
|
|
|
|
+ capability sys_ptrace,
|
|
|
|
+ capability sys_nice,
|
|
|
|
+ capability sys_chroot,
|
|
|
|
+ capability setuid,
|
|
|
|
+ capability dac_override,
|
|
|
|
+ capability dac_read_search,
|
|
|
|
+ capability fowner,
|
|
|
|
+ capability chown,
|
|
|
|
+ capability setpcap,
|
|
|
|
+ capability mknod,
|
|
|
|
+ capability fsetid,
|
2012-02-08 19:38:09 +01:00
|
|
|
+ capability ipc_lock,
|
2011-08-19 23:40:32 +02:00
|
|
|
+
|
|
|
|
+ network inet stream,
|
|
|
|
+ network inet dgram,
|
|
|
|
+ network inet6 stream,
|
|
|
|
+ network inet6 dgram,
|
2013-03-08 20:47:00 +01:00
|
|
|
+ network packet dgram,
|
2011-08-19 23:40:32 +02:00
|
|
|
+
|
|
|
|
+ # Very lenient profile for libvirtd since we want to first focus on confining
|
|
|
|
+ # the guests. Guests will have a very restricted profile.
|
|
|
|
+ /** rwmkl,
|
|
|
|
+
|
|
|
|
+ /bin/* Ux,
|
|
|
|
+ /sbin/* Ux,
|
|
|
|
+ /usr/bin/* Ux,
|
|
|
|
+ /usr/sbin/* Ux,
|
2012-02-08 19:38:09 +01:00
|
|
|
+ /usr/lib/xen/bin/qemu-dm Ux,
|
|
|
|
+ /usr/lib/PolicyKit/polkit-read-auth-helper Px,
|
2011-08-19 23:40:32 +02:00
|
|
|
+
|
|
|
|
+ # force the use of virt-aa-helper
|
|
|
|
+ audit deny /sbin/apparmor_parser rwxl,
|
|
|
|
+ audit deny /etc/apparmor.d/libvirt/** wxl,
|
|
|
|
+ audit deny /sys/kernel/security/apparmor/features rwxl,
|
|
|
|
+ audit deny /sys/kernel/security/apparmor/matching rwxl,
|
|
|
|
+ audit deny /sys/kernel/security/apparmor/.* rwxl,
|
|
|
|
+ /sys/kernel/security/apparmor/profiles r,
|
|
|
|
+ @libdir@/libvirt/* Pxr,
|
2011-11-28 23:00:45 +01:00
|
|
|
+ @libdir@/libvirt/libvirt_parthelper Ux,
|
|
|
|
+ @libdir@/libvirt/libvirt_iohelper Ux,
|
2011-08-19 23:40:32 +02:00
|
|
|
+
|
|
|
|
+ # allow changing to our UUID-based named profiles
|
|
|
|
+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
|
|
|
|
+
|
|
|
|
+}
|
2013-07-11 00:06:19 +02:00
|
|
|
Index: libvirt-1.1.0/examples/apparmor/libvirt-qemu
|
2011-08-19 23:40:32 +02:00
|
|
|
===================================================================
|
2013-07-11 00:06:19 +02:00
|
|
|
--- libvirt-1.1.0.orig/examples/apparmor/libvirt-qemu
|
2013-03-06 05:40:21 +01:00
|
|
|
+++ /dev/null
|
|
|
|
@@ -1,129 +0,0 @@
|
|
|
|
-# Last Modified: Fri Mar 9 14:43:22 2012
|
|
|
|
-
|
|
|
|
- #include <abstractions/base>
|
|
|
|
- #include <abstractions/consoles>
|
|
|
|
- #include <abstractions/nameservice>
|
|
|
|
-
|
|
|
|
- # required for reading disk images
|
|
|
|
- capability dac_override,
|
|
|
|
- capability dac_read_search,
|
|
|
|
- capability chown,
|
|
|
|
-
|
|
|
|
- network inet stream,
|
|
|
|
- network inet6 stream,
|
|
|
|
-
|
|
|
|
- /dev/net/tun rw,
|
|
|
|
- /dev/kvm rw,
|
|
|
|
- /dev/ptmx rw,
|
|
|
|
- /dev/kqemu rw,
|
|
|
|
- @{PROC}/*/status r,
|
|
|
|
-
|
|
|
|
- # For hostdev access. The actual devices will be added dynamically
|
|
|
|
- /sys/bus/usb/devices/ r,
|
|
|
|
- /sys/devices/*/*/usb[0-9]*/** r,
|
|
|
|
-
|
|
|
|
- # WARNING: this gives the guest direct access to host hardware and specific
|
|
|
|
- # portions of shared memory. This is required for sound using ALSA with kvm,
|
|
|
|
- # but may constitute a security risk. If your environment does not require
|
|
|
|
- # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
|
|
|
|
- # the rules for files in /dev.
|
|
|
|
- /{dev,run}/shm r,
|
|
|
|
- /{dev,run}/shmpulse-shm* r,
|
|
|
|
- /{dev,run}/shmpulse-shm* rwk,
|
|
|
|
- /dev/snd/* rw,
|
|
|
|
- capability ipc_lock,
|
|
|
|
- # 'kill' is not required for sound and is a security risk. Do not enable
|
|
|
|
- # unless you absolutely need it.
|
|
|
|
- deny capability kill,
|
|
|
|
-
|
|
|
|
- # Uncomment the following if you need access to /dev/fb*
|
|
|
|
- #/dev/fb* rw,
|
|
|
|
-
|
|
|
|
- /etc/pulse/client.conf r,
|
|
|
|
- @{HOME}/.pulse-cookie rwk,
|
|
|
|
- owner /root/.pulse-cookie rwk,
|
|
|
|
- owner /root/.pulse/ rw,
|
|
|
|
- owner /root/.pulse/* rw,
|
|
|
|
- /usr/share/alsa/** r,
|
|
|
|
- owner /tmp/pulse-*/ rw,
|
|
|
|
- owner /tmp/pulse-*/* rw,
|
|
|
|
- /var/lib/dbus/machine-id r,
|
|
|
|
-
|
|
|
|
- # access to firmware's etc
|
|
|
|
- /usr/share/kvm/** r,
|
|
|
|
- /usr/share/qemu/** r,
|
|
|
|
- /usr/share/bochs/** r,
|
|
|
|
- /usr/share/openbios/** r,
|
|
|
|
- /usr/share/openhackware/** r,
|
|
|
|
- /usr/share/proll/** r,
|
|
|
|
- /usr/share/vgabios/** r,
|
|
|
|
- /usr/share/seabios/** r,
|
|
|
|
-
|
|
|
|
- # access PKI infrastructure
|
|
|
|
- /etc/pki/libvirt-vnc/** r,
|
|
|
|
-
|
|
|
|
- # the various binaries
|
|
|
|
- /usr/bin/kvm rmix,
|
|
|
|
- /usr/bin/qemu rmix,
|
|
|
|
- /usr/bin/qemu-system-arm rmix,
|
|
|
|
- /usr/bin/qemu-system-cris rmix,
|
|
|
|
- /usr/bin/qemu-system-i386 rmix,
|
|
|
|
- /usr/bin/qemu-system-m68k rmix,
|
|
|
|
- /usr/bin/qemu-system-microblaze rmix,
|
|
|
|
- /usr/bin/qemu-system-microblazeel rmix,
|
|
|
|
- /usr/bin/qemu-system-mips rmix,
|
|
|
|
- /usr/bin/qemu-system-mips64 rmix,
|
|
|
|
- /usr/bin/qemu-system-mips64el rmix,
|
|
|
|
- /usr/bin/qemu-system-mipsel rmix,
|
|
|
|
- /usr/bin/qemu-system-ppc rmix,
|
|
|
|
- /usr/bin/qemu-system-ppc64 rmix,
|
|
|
|
- /usr/bin/qemu-system-ppcemb rmix,
|
|
|
|
- /usr/bin/qemu-system-sh4 rmix,
|
|
|
|
- /usr/bin/qemu-system-sh4eb rmix,
|
|
|
|
- /usr/bin/qemu-system-sparc rmix,
|
|
|
|
- /usr/bin/qemu-system-sparc64 rmix,
|
|
|
|
- /usr/bin/qemu-system-x86_64 rmix,
|
|
|
|
- /usr/bin/qemu-alpha rmix,
|
|
|
|
- /usr/bin/qemu-arm rmix,
|
|
|
|
- /usr/bin/qemu-armeb rmix,
|
|
|
|
- /usr/bin/qemu-cris rmix,
|
|
|
|
- /usr/bin/qemu-i386 rmix,
|
|
|
|
- /usr/bin/qemu-m68k rmix,
|
|
|
|
- /usr/bin/qemu-microblaze rmix,
|
|
|
|
- /usr/bin/qemu-microblazeel rmix,
|
|
|
|
- /usr/bin/qemu-mips rmix,
|
|
|
|
- /usr/bin/qemu-mipsel rmix,
|
|
|
|
- /usr/bin/qemu-ppc rmix,
|
|
|
|
- /usr/bin/qemu-ppc64 rmix,
|
|
|
|
- /usr/bin/qemu-ppc64abi32 rmix,
|
|
|
|
- /usr/bin/qemu-sh4 rmix,
|
|
|
|
- /usr/bin/qemu-sh4eb rmix,
|
|
|
|
- /usr/bin/qemu-sparc rmix,
|
|
|
|
- /usr/bin/qemu-sparc64 rmix,
|
|
|
|
- /usr/bin/qemu-sparc32plus rmix,
|
|
|
|
- /usr/bin/qemu-sparc64 rmix,
|
|
|
|
- /usr/bin/qemu-x86_64 rmix,
|
|
|
|
-
|
|
|
|
- # for save and resume
|
|
|
|
- /bin/dash rmix,
|
|
|
|
- /bin/dd rmix,
|
|
|
|
- /bin/cat rmix,
|
|
|
|
-
|
|
|
|
- /usr/libexec/qemu-bridge-helper Cx,
|
|
|
|
- # child profile for bridge helper process
|
|
|
|
- profile /usr/libexec/qemu-bridge-helper {
|
|
|
|
- #include <abstractions/base>
|
|
|
|
-
|
|
|
|
- capability setuid,
|
|
|
|
- capability setgid,
|
|
|
|
- capability setpcap,
|
|
|
|
- capability net_admin,
|
|
|
|
-
|
|
|
|
- network inet stream,
|
|
|
|
-
|
|
|
|
- /dev/net/tun rw,
|
|
|
|
- /etc/qemu/** r,
|
|
|
|
- owner @{PROC}/*/status r,
|
|
|
|
-
|
|
|
|
- /usr/libexec/qemu-bridge-helper rmix,
|
|
|
|
- }
|
2013-07-11 00:06:19 +02:00
|
|
|
Index: libvirt-1.1.0/examples/apparmor/libvirt-qemu.in
|
2013-03-06 05:40:21 +01:00
|
|
|
===================================================================
|
|
|
|
--- /dev/null
|
2013-07-11 00:06:19 +02:00
|
|
|
+++ libvirt-1.1.0/examples/apparmor/libvirt-qemu.in
|
2013-03-08 20:47:00 +01:00
|
|
|
@@ -0,0 +1,132 @@
|
2013-03-06 05:40:21 +01:00
|
|
|
+# Last Modified: Fri Mar 9 14:43:22 2012
|
|
|
|
+
|
|
|
|
+ #include <abstractions/base>
|
|
|
|
+ #include <abstractions/consoles>
|
|
|
|
+ #include <abstractions/nameservice>
|
|
|
|
+
|
|
|
|
+ # required for reading disk images
|
|
|
|
+ capability dac_override,
|
|
|
|
+ capability dac_read_search,
|
|
|
|
+ capability chown,
|
2013-03-08 20:47:00 +01:00
|
|
|
+ capability setgid,
|
2013-03-06 05:40:21 +01:00
|
|
|
+
|
|
|
|
+ network inet stream,
|
|
|
|
+ network inet6 stream,
|
|
|
|
+
|
|
|
|
+ /dev/net/tun rw,
|
|
|
|
+ /dev/kvm rw,
|
|
|
|
+ /dev/ptmx rw,
|
|
|
|
+ /dev/kqemu rw,
|
|
|
|
+ @{PROC}/*/status r,
|
|
|
|
+
|
|
|
|
+ # For hostdev access. The actual devices will be added dynamically
|
|
|
|
+ /sys/bus/usb/devices/ r,
|
|
|
|
+ /sys/devices/*/*/usb[0-9]*/** r,
|
|
|
|
+
|
|
|
|
+ # WARNING: this gives the guest direct access to host hardware and specific
|
|
|
|
+ # portions of shared memory. This is required for sound using ALSA with kvm,
|
|
|
|
+ # but may constitute a security risk. If your environment does not require
|
|
|
|
+ # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
|
|
|
|
+ # the rules for files in /dev.
|
|
|
|
+ /{dev,run}/shm r,
|
|
|
|
+ /{dev,run}/shmpulse-shm* r,
|
|
|
|
+ /{dev,run}/shmpulse-shm* rwk,
|
|
|
|
+ /dev/snd/* rw,
|
|
|
|
+ capability ipc_lock,
|
|
|
|
+ # 'kill' is not required for sound and is a security risk. Do not enable
|
|
|
|
+ # unless you absolutely need it.
|
|
|
|
+ deny capability kill,
|
|
|
|
+
|
|
|
|
+ # Uncomment the following if you need access to /dev/fb*
|
|
|
|
+ #/dev/fb* rw,
|
|
|
|
+
|
|
|
|
+ /etc/pulse/client.conf r,
|
|
|
|
+ @{HOME}/.pulse-cookie rwk,
|
|
|
|
+ owner /root/.pulse-cookie rwk,
|
|
|
|
+ owner /root/.pulse/ rw,
|
|
|
|
+ owner /root/.pulse/* rw,
|
|
|
|
+ /usr/share/alsa/** r,
|
|
|
|
+ owner /tmp/pulse-*/ rw,
|
|
|
|
+ owner /tmp/pulse-*/* rw,
|
|
|
|
+ /var/lib/dbus/machine-id r,
|
|
|
|
+
|
|
|
|
+ # access to firmware's etc
|
|
|
|
+ /usr/share/kvm/** r,
|
|
|
|
+ /usr/share/qemu/** r,
|
2011-08-19 23:40:32 +02:00
|
|
|
+ /usr/share/qemu-kvm/** r,
|
2013-03-06 05:40:21 +01:00
|
|
|
+ /usr/share/bochs/** r,
|
|
|
|
+ /usr/share/openbios/** r,
|
|
|
|
+ /usr/share/openhackware/** r,
|
|
|
|
+ /usr/share/proll/** r,
|
|
|
|
+ /usr/share/vgabios/** r,
|
|
|
|
+ /usr/share/seabios/** r,
|
|
|
|
+
|
|
|
|
+ # access PKI infrastructure
|
|
|
|
+ /etc/pki/libvirt-vnc/** r,
|
|
|
|
+
|
|
|
|
+ # the various binaries
|
|
|
|
+ /usr/bin/kvm rmix,
|
|
|
|
+ /usr/bin/qemu rmix,
|
2011-08-19 23:40:32 +02:00
|
|
|
+ /usr/bin/qemu-kvm rmix,
|
2013-03-06 05:40:21 +01:00
|
|
|
+ /usr/bin/qemu-system-arm rmix,
|
|
|
|
+ /usr/bin/qemu-system-cris rmix,
|
|
|
|
+ /usr/bin/qemu-system-i386 rmix,
|
|
|
|
+ /usr/bin/qemu-system-m68k rmix,
|
|
|
|
+ /usr/bin/qemu-system-microblaze rmix,
|
|
|
|
+ /usr/bin/qemu-system-microblazeel rmix,
|
|
|
|
+ /usr/bin/qemu-system-mips rmix,
|
|
|
|
+ /usr/bin/qemu-system-mips64 rmix,
|
|
|
|
+ /usr/bin/qemu-system-mips64el rmix,
|
|
|
|
+ /usr/bin/qemu-system-mipsel rmix,
|
|
|
|
+ /usr/bin/qemu-system-ppc rmix,
|
|
|
|
+ /usr/bin/qemu-system-ppc64 rmix,
|
|
|
|
+ /usr/bin/qemu-system-ppcemb rmix,
|
|
|
|
+ /usr/bin/qemu-system-sh4 rmix,
|
|
|
|
+ /usr/bin/qemu-system-sh4eb rmix,
|
|
|
|
+ /usr/bin/qemu-system-sparc rmix,
|
|
|
|
+ /usr/bin/qemu-system-sparc64 rmix,
|
|
|
|
+ /usr/bin/qemu-system-x86_64 rmix,
|
|
|
|
+ /usr/bin/qemu-alpha rmix,
|
|
|
|
+ /usr/bin/qemu-arm rmix,
|
|
|
|
+ /usr/bin/qemu-armeb rmix,
|
|
|
|
+ /usr/bin/qemu-cris rmix,
|
|
|
|
+ /usr/bin/qemu-i386 rmix,
|
|
|
|
+ /usr/bin/qemu-m68k rmix,
|
|
|
|
+ /usr/bin/qemu-microblaze rmix,
|
|
|
|
+ /usr/bin/qemu-microblazeel rmix,
|
|
|
|
+ /usr/bin/qemu-mips rmix,
|
|
|
|
+ /usr/bin/qemu-mipsel rmix,
|
|
|
|
+ /usr/bin/qemu-ppc rmix,
|
|
|
|
+ /usr/bin/qemu-ppc64 rmix,
|
|
|
|
+ /usr/bin/qemu-ppc64abi32 rmix,
|
|
|
|
+ /usr/bin/qemu-sh4 rmix,
|
|
|
|
+ /usr/bin/qemu-sh4eb rmix,
|
|
|
|
+ /usr/bin/qemu-sparc rmix,
|
|
|
|
+ /usr/bin/qemu-sparc64 rmix,
|
|
|
|
+ /usr/bin/qemu-sparc32plus rmix,
|
|
|
|
+ /usr/bin/qemu-sparc64 rmix,
|
|
|
|
+ /usr/bin/qemu-x86_64 rmix,
|
|
|
|
+
|
|
|
|
+ # for save and resume
|
|
|
|
+ /bin/dash rmix,
|
|
|
|
+ /bin/dd rmix,
|
|
|
|
+ /bin/cat rmix,
|
|
|
|
+
|
|
|
|
+ @libdir@/qemu-bridge-helper Cx,
|
|
|
|
+ # child profile for bridge helper process
|
|
|
|
+ profile @libdir@/qemu-bridge-helper {
|
|
|
|
+ #include <abstractions/base>
|
|
|
|
+
|
|
|
|
+ capability setuid,
|
|
|
|
+ capability setgid,
|
|
|
|
+ capability setpcap,
|
|
|
|
+ capability net_admin,
|
|
|
|
+
|
|
|
|
+ network inet stream,
|
|
|
|
+
|
|
|
|
+ /dev/net/tun rw,
|
|
|
|
+ /etc/qemu/** r,
|
|
|
|
+ owner @{PROC}/*/status r,
|
|
|
|
+
|
|
|
|
+ @libdir@/qemu-bridge-helper rmix,
|
|
|
|
+ }
|