libvirt/install-apparmor-profiles.patch

277 lines
7.5 KiB
Diff
Raw Normal View History

Index: libvirt-1.2.8/examples/apparmor/Makefile.am
===================================================================
--- libvirt-1.2.8.orig/examples/apparmor/Makefile.am
+++ libvirt-1.2.8/examples/apparmor/Makefile.am
@@ -19,10 +19,22 @@ EXTRA_DIST= \
TEMPLATE.lxc \
libvirt-qemu \
libvirt-lxc \
- usr.lib.libvirt.virt-aa-helper \
- usr.sbin.libvirtd
+ usr.lib.libvirt.virt-aa-helper.in \
+ usr.sbin.libvirtd.in
if WITH_APPARMOR_PROFILES
+usr.lib.libvirt.virt-aa-helper: usr.lib.libvirt.virt-aa-helper.in
+ sed \
+ -e 's![@]libdir[@]!$(libdir)!g' \
+ < $< > $@-t
+ mv $@-t $@
+
+usr.sbin.libvirtd: usr.sbin.libvirtd.in
+ sed \
+ -e 's![@]libdir[@]!$(libdir)!g' \
+ < $< > $@-t
+ mv $@-t $@
+
apparmordir = $(sysconfdir)/apparmor.d/
apparmor_DATA = \
usr.lib.libvirt.virt-aa-helper \
Index: libvirt-1.2.8/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
===================================================================
--- /dev/null
+++ libvirt-1.2.8/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -0,0 +1,48 @@
+# Last Modified: Mon Apr 5 15:10:27 2010
+#include <tunables/global>
+
+@libdir@/libvirt/virt-aa-helper {
+ #include <abstractions/base>
+
+ # needed for searching directories
+ capability dac_override,
+ capability dac_read_search,
+
+ # needed for when disk is on a network filesystem
+ network inet,
+
+ deny @{PROC}/[0-9]*/mounts r,
+ @{PROC}/[0-9]*/net/psched r,
+ owner @{PROC}/[0-9]*/status r,
+ @{PROC}/filesystems r,
+
+ # for hostdev
+ /sys/devices/ r,
+ /sys/devices/** r,
+
+ @libdir@/libvirt/virt-aa-helper mr,
+ /sbin/apparmor_parser Ux,
+
+ /etc/apparmor.d/libvirt/* r,
+ /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+
+ # for backingstore -- allow access to non-hidden files in @{HOME} as well
+ # as storage pools
+ audit deny @{HOME}/.* mrwkl,
+ audit deny @{HOME}/.*/ rw,
+ audit deny @{HOME}/.*/** mrwkl,
+ audit deny @{HOME}/bin/ rw,
+ audit deny @{HOME}/bin/** mrwkl,
+ @{HOME}/ r,
+ @{HOME}/** r,
+ /var/lib/libvirt/images/ r,
+ /var/lib/libvirt/images/** r,
+ /{media,mnt,opt,srv}/** r,
+
+ /**.img r,
+ /**.qcow{,2} r,
+ /**.qed r,
+ /**.vmdk r,
+ /**.[iI][sS][oO] r,
+ /**/disk{,.*} r,
+}
Index: libvirt-1.2.8/examples/apparmor/usr.sbin.libvirtd.in
===================================================================
--- /dev/null
+++ libvirt-1.2.8/examples/apparmor/usr.sbin.libvirtd.in
@@ -0,0 +1,68 @@
+# Last Modified: Mon Apr 5 15:03:58 2010
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
+
+/usr/sbin/libvirtd {
+ #include <abstractions/base>
+ #include <abstractions/dbus>
+
+ capability kill,
+ capability net_admin,
+ capability net_raw,
+ capability setgid,
+ capability sys_admin,
+ capability sys_module,
+ capability sys_ptrace,
+ capability sys_nice,
+ capability sys_chroot,
+ capability setuid,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability chown,
+ capability setpcap,
+ capability mknod,
+ capability fsetid,
+ capability audit_write,
+
+ # Needed for vfio
+ capability sys_resource,
+
+ network inet stream,
+ network inet dgram,
+ network inet6 stream,
+ network inet6 dgram,
+ network packet dgram,
+ network packet raw,
+
+ # Very lenient profile for libvirtd since we want to first focus on confining
+ # the guests. Guests will have a very restricted profile.
+ / r,
+ /** rwmkl,
+
+ /bin/* PUx,
+ /sbin/* PUx,
+ /usr/bin/* PUx,
+ /usr/sbin/* PUx,
+ /lib/udev/scsi_id PUx,
+ /usr/lib/xen/bin/* Ux,
+ /usr/lib64/xen/bin/* Ux,
+ /usr/lib/polkit-1/polkit-agent-helper Px,
+
+ # force the use of virt-aa-helper
+ audit deny /sbin/apparmor_parser rwxl,
+ audit deny /etc/apparmor.d/libvirt/** wxl,
+ audit deny /sys/kernel/security/apparmor/features rwxl,
+ audit deny /sys/kernel/security/apparmor/matching rwxl,
+ audit deny /sys/kernel/security/apparmor/.* rwxl,
+ /sys/kernel/security/apparmor/profiles r,
+ @libdir@/libvirt/* PUxr,
+ /etc/libvirt/hooks/** rmix,
+ /etc/xen/scripts/** rmix,
+ @libdir@/libvirt/libvirt_parthelper Ux,
+ @libdir@/libvirt/libvirt_iohelper Ux,
+
+ # allow changing to our UUID-based named profiles
+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
+}
Index: libvirt-1.2.8/examples/apparmor/usr.lib.libvirt.virt-aa-helper
===================================================================
--- libvirt-1.2.8.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ /dev/null
@@ -1,48 +0,0 @@
-# Last Modified: Mon Apr 5 15:10:27 2010
-#include <tunables/global>
-
-/usr/lib/libvirt/virt-aa-helper {
- #include <abstractions/base>
-
- # needed for searching directories
- capability dac_override,
- capability dac_read_search,
-
- # needed for when disk is on a network filesystem
- network inet,
-
- deny @{PROC}/[0-9]*/mounts r,
- @{PROC}/[0-9]*/net/psched r,
- owner @{PROC}/[0-9]*/status r,
- @{PROC}/filesystems r,
-
- # for hostdev
- /sys/devices/ r,
- /sys/devices/** r,
-
- /usr/lib/libvirt/virt-aa-helper mr,
- /sbin/apparmor_parser Ux,
-
- /etc/apparmor.d/libvirt/* r,
- /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
-
- # for backingstore -- allow access to non-hidden files in @{HOME} as well
- # as storage pools
- audit deny @{HOME}/.* mrwkl,
- audit deny @{HOME}/.*/ rw,
- audit deny @{HOME}/.*/** mrwkl,
- audit deny @{HOME}/bin/ rw,
- audit deny @{HOME}/bin/** mrwkl,
- @{HOME}/ r,
- @{HOME}/** r,
- /var/lib/libvirt/images/ r,
- /var/lib/libvirt/images/** r,
- /{media,mnt,opt,srv}/** r,
-
- /**.img r,
- /**.qcow{,2} r,
- /**.qed r,
- /**.vmdk r,
- /**.[iI][sS][oO] r,
- /**/disk{,.*} r,
-}
Index: libvirt-1.2.8/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-1.2.8.orig/examples/apparmor/usr.sbin.libvirtd
+++ /dev/null
@@ -1,63 +0,0 @@
-# Last Modified: Mon Apr 5 15:03:58 2010
-#include <tunables/global>
-@{LIBVIRT}="libvirt"
-
-/usr/sbin/libvirtd {
- #include <abstractions/base>
- #include <abstractions/dbus>
-
- capability kill,
- capability net_admin,
- capability net_raw,
- capability setgid,
- capability sys_admin,
- capability sys_module,
- capability sys_ptrace,
- capability sys_nice,
- capability sys_chroot,
- capability setuid,
- capability dac_override,
- capability dac_read_search,
- capability fowner,
- capability chown,
- capability setpcap,
- capability mknod,
- capability fsetid,
- capability audit_write,
-
- # Needed for vfio
- capability sys_resource,
-
- network inet stream,
- network inet dgram,
- network inet6 stream,
- network inet6 dgram,
- network packet dgram,
-
- # Very lenient profile for libvirtd since we want to first focus on confining
- # the guests. Guests will have a very restricted profile.
- / r,
- /** rwmkl,
-
- /bin/* PUx,
- /sbin/* PUx,
- /usr/bin/* PUx,
- /usr/sbin/* PUx,
- /lib/udev/scsi_id PUx,
- /usr/lib/xen-common/bin/xen-toolstack PUx,
-
- # force the use of virt-aa-helper
- audit deny /sbin/apparmor_parser rwxl,
- audit deny /etc/apparmor.d/libvirt/** wxl,
- audit deny /sys/kernel/security/apparmor/features rwxl,
- audit deny /sys/kernel/security/apparmor/matching rwxl,
- audit deny /sys/kernel/security/apparmor/.* rwxl,
- /sys/kernel/security/apparmor/profiles r,
- /usr/lib/libvirt/* PUxr,
- /etc/libvirt/hooks/** rmix,
- /etc/xen/scripts/** rmix,
-
- # allow changing to our UUID-based named profiles
- change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
-
-}