Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:Alexander_Naumov:SLE12
libvirt
install-apparmor-profiles.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File install-apparmor-profiles.patch of Package libvirt
Index: libvirt-1.2.5/examples/apparmor/Makefile.am =================================================================== --- libvirt-1.2.5.orig/examples/apparmor/Makefile.am +++ libvirt-1.2.5/examples/apparmor/Makefile.am @@ -19,10 +19,22 @@ EXTRA_DIST= \ TEMPLATE.lxc \ libvirt-qemu \ libvirt-lxc \ - usr.lib.libvirt.virt-aa-helper \ - usr.sbin.libvirtd + usr.lib.libvirt.virt-aa-helper.in \ + usr.sbin.libvirtd.in if WITH_APPARMOR_PROFILES +usr.lib.libvirt.virt-aa-helper: usr.lib.libvirt.virt-aa-helper.in + sed \ + -e 's![@]libdir[@]!$(libdir)!g' \ + < $< > $@-t + mv $@-t $@ + +usr.sbin.libvirtd: usr.sbin.libvirtd.in + sed \ + -e 's![@]libdir[@]!$(libdir)!g' \ + < $< > $@-t + mv $@-t $@ + apparmordir = $(sysconfdir)/apparmor.d/ apparmor_DATA = \ usr.lib.libvirt.virt-aa-helper \ Index: libvirt-1.2.5/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in =================================================================== --- /dev/null +++ libvirt-1.2.5/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -0,0 +1,48 @@ +# Last Modified: Mon Apr 5 15:10:27 2010 +#include <tunables/global> + +@libdir@/libvirt/virt-aa-helper { + #include <abstractions/base> + + # needed for searching directories + capability dac_override, + capability dac_read_search, + + # needed for when disk is on a network filesystem + network inet, + + deny @{PROC}/[0-9]*/mounts r, + @{PROC}/[0-9]*/net/psched r, + owner @{PROC}/[0-9]*/status r, + @{PROC}/filesystems r, + + # for hostdev + /sys/devices/ r, + /sys/devices/** r, + + @libdir@/libvirt/virt-aa-helper mr, + /sbin/apparmor_parser Ux, + + /etc/apparmor.d/libvirt/* r, + /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + + # for backingstore -- allow access to non-hidden files in @{HOME} as well + # as storage pools + audit deny @{HOME}/.* mrwkl, + audit deny @{HOME}/.*/ rw, + audit deny @{HOME}/.*/** mrwkl, + audit deny @{HOME}/bin/ rw, + audit deny @{HOME}/bin/** mrwkl, + @{HOME}/ r, + @{HOME}/** r, + /var/lib/libvirt/images/ r, + /var/lib/libvirt/images/** r, + /{media,mnt,opt,srv}/** r, + + /**.img r, + /**.qcow{,2} r, + /**.qed r, + /**.vmdk r, + /**.[iI][sS][oO] r, + /**/disk{,.*} r, +} Index: libvirt-1.2.5/examples/apparmor/usr.sbin.libvirtd.in =================================================================== --- /dev/null +++ libvirt-1.2.5/examples/apparmor/usr.sbin.libvirtd.in @@ -0,0 +1,70 @@ +# Last Modified: Mon Apr 5 15:03:58 2010 +#include <tunables/global> +@{LIBVIRT}="libvirt" + +/usr/sbin/libvirtd { + #include <abstractions/base> + #include <abstractions/dbus> + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_pacct, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability audit_write, + capability ipc_lock, + + # Needed for vfio + capability sys_resource, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network packet dgram, + network packet raw, + + # Very lenient profile for libvirtd since we want to first focus on confining + # the guests. Guests will have a very restricted profile. + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + /usr/sbin/* PUx, + /lib/udev/scsi_id PUx, + /usr/lib/xen/bin/* Ux, + /usr/lib64/xen/bin/* Ux, + /usr/lib/polkit-1/polkit-agent-helper Px, + + # force the use of virt-aa-helper + audit deny /sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + @libdir@/libvirt/* PUxr, + /etc/libvirt/hooks/** rmix, + /etc/xen/scripts/** rmix, + @libdir@/libvirt/libvirt_parthelper Ux, + @libdir@/libvirt/libvirt_iohelper Ux, + + # allow changing to our UUID-based named profiles + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, + +} Index: libvirt-1.2.5/examples/apparmor/usr.lib.libvirt.virt-aa-helper =================================================================== --- libvirt-1.2.5.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper +++ /dev/null @@ -1,48 +0,0 @@ -# Last Modified: Mon Apr 5 15:10:27 2010 -#include <tunables/global> - -/usr/lib/libvirt/virt-aa-helper { - #include <abstractions/base> - - # needed for searching directories - capability dac_override, - capability dac_read_search, - - # needed for when disk is on a network filesystem - network inet, - - deny @{PROC}/[0-9]*/mounts r, - @{PROC}/[0-9]*/net/psched r, - owner @{PROC}/[0-9]*/status r, - @{PROC}/filesystems r, - - # for hostdev - /sys/devices/ r, - /sys/devices/** r, - - /usr/lib/libvirt/virt-aa-helper mr, - /sbin/apparmor_parser Ux, - - /etc/apparmor.d/libvirt/* r, - /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, - - # for backingstore -- allow access to non-hidden files in @{HOME} as well - # as storage pools - audit deny @{HOME}/.* mrwkl, - audit deny @{HOME}/.*/ rw, - audit deny @{HOME}/.*/** mrwkl, - audit deny @{HOME}/bin/ rw, - audit deny @{HOME}/bin/** mrwkl, - @{HOME}/ r, - @{HOME}/** r, - /var/lib/libvirt/images/ r, - /var/lib/libvirt/images/** r, - /{media,mnt,opt,srv}/** r, - - /**.img r, - /**.qcow{,2} r, - /**.qed r, - /**.vmdk r, - /**.[iI][sS][oO] r, - /**/disk{,.*} r, -} Index: libvirt-1.2.5/examples/apparmor/usr.sbin.libvirtd =================================================================== --- libvirt-1.2.5.orig/examples/apparmor/usr.sbin.libvirtd +++ /dev/null @@ -1,63 +0,0 @@ -# Last Modified: Mon Apr 5 15:03:58 2010 -#include <tunables/global> -@{LIBVIRT}="libvirt" - -/usr/sbin/libvirtd { - #include <abstractions/base> - #include <abstractions/dbus> - - capability kill, - capability net_admin, - capability net_raw, - capability setgid, - capability sys_admin, - capability sys_module, - capability sys_ptrace, - capability sys_nice, - capability sys_chroot, - capability setuid, - capability dac_override, - capability dac_read_search, - capability fowner, - capability chown, - capability setpcap, - capability mknod, - capability fsetid, - capability audit_write, - - # Needed for vfio - capability sys_resource, - - network inet stream, - network inet dgram, - network inet6 stream, - network inet6 dgram, - network packet dgram, - - # Very lenient profile for libvirtd since we want to first focus on confining - # the guests. Guests will have a very restricted profile. - / r, - /** rwmkl, - - /bin/* PUx, - /sbin/* PUx, - /usr/bin/* PUx, - /usr/sbin/* PUx, - /lib/udev/scsi_id PUx, - /usr/lib/xen-common/bin/xen-toolstack PUx, - - # force the use of virt-aa-helper - audit deny /sbin/apparmor_parser rwxl, - audit deny /etc/apparmor.d/libvirt/** wxl, - audit deny /sys/kernel/security/apparmor/features rwxl, - audit deny /sys/kernel/security/apparmor/matching rwxl, - audit deny /sys/kernel/security/apparmor/.* rwxl, - /sys/kernel/security/apparmor/profiles r, - /usr/lib/libvirt/* PUxr, - /etc/libvirt/hooks/** rmix, - /etc/xen/scripts/** rmix, - - # allow changing to our UUID-based named profiles - change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, - -}
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor