On Mon, 2025-01-06 at 17:59 -0700, Jim Fehlig wrote:
> On 11/13/24 07:28, Georgia Garcia wrote:
> > There is a common misconception when writing AppArmor policy that
> > [0-9]* applies * to the [0-9] class, but that's not the case. For this
> > example, [0-9]* matches a single digit followed by any number of
> > characters except for /
> >
> > Create a UUID variable that uses the following format 8-4-4-4-12.
> >
> > Signed-off-by: Georgia Garcia <[email protected]>
> > ---
> > src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 5 ++++-
> > src/security/apparmor/usr.sbin.libvirtd.in | 7 +++++--
> > 2 files changed, 9 insertions(+), 3 deletions(-)
> >
> > diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> > b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> > index 44645c6989..90a8b7072c 100644
> > --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> > +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> > @@ -1,5 +1,8 @@
> > #include <tunables/global>
> >
> > +@{hextet}=[0-9a-f][0-9a-f][0-9a-f][0-9a-f]
> > +@{UUID}=@{hextet}@{hextet}-@{hextet}-@{hextet}-@{hextet}-@{hextet}@{hextet}@{hextet}
> > +
> > profile virt-aa-helper @libexecdir@/virt-aa-helper {
> > #include <abstractions/base>
> > #include <abstractions/openssl>
> > @@ -44,7 +47,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
> > /{usr/,}{s,}bin/apparmor_parser Ux,
> >
> > @sysconfdir@/apparmor.d/libvirt/* r,
> > -
> > @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*
> > rw,
> > + @sysconfdir@/apparmor.d/libvirt/libvirt-@{UUID}* rw,
> >
> > # for backingstore -- allow access to non-hidden files in @{HOME} as
> > well
> > # as storage pools
> > diff --git a/src/security/apparmor/usr.sbin.libvirtd.in
> > b/src/security/apparmor/usr.sbin.libvirtd.in
> > index 70e586895f..3659ddc219 100644
> > --- a/src/security/apparmor/usr.sbin.libvirtd.in
> > +++ b/src/security/apparmor/usr.sbin.libvirtd.in
>
> The changes here are also needed in usr.sbin.virtqemud.in.
>
Thanks for catching that!
> Regards,
> Jim
>
> > @@ -1,4 +1,7 @@
> > #include <tunables/global>
> > +
> > +@{hextet}=[0-9a-f][0-9a-f][0-9a-f][0-9a-f]
> > +@{UUID}=@{hextet}@{hextet}-@{hextet}-@{hextet}-@{hextet}-@{hextet}@{hextet}@{hextet}
> > @{LIBVIRT}="libvirt"
> >
> > profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
> > @@ -72,7 +75,7 @@ profile libvirtd @sbindir@/libvirtd
> > flags=(attach_disconnected) {
> > signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,
> >
> > # allow connect with openGraphicsFD, direction reversed in newer
> > versions
> > - unix (send, receive) type=stream addr=none
> > peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
> > + unix (send, receive) type=stream addr=none peer=(label=libvirt-@{UUID}),
> > # unconfined also required if guests run without security module
> > unix (send, receive) type=stream addr=none peer=(label=unconfined),
> >
> > @@ -115,7 +118,7 @@ profile libvirtd @sbindir@/libvirtd
> > flags=(attach_disconnected) {
> > /etc/xen/scripts/** rmix,
> >
> > # allow changing to our UUID-based named profiles
> > - change_profile ->
> > @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
> > + change_profile -> @{LIBVIRT}-@{UUID},
> >
> > /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper Cx ->
> > qemu_bridge_helper,
> > # child profile for bridge helper process
>
