Attached is 0003-apparmor-examples.patch
-- Jamie Strandboge | http://www.canonical.com
diff -Naurp libvirt.orig/examples/apparmor/libvirt-qemu libvirt/examples/apparmor/libvirt-qemu
--- libvirt.orig/examples/apparmor/libvirt-qemu 2010-04-06 16:14:52.000000000 -0500
+++ libvirt/examples/apparmor/libvirt-qemu 2010-08-13 16:46:34.000000000 -0500
@@ -1,4 +1,4 @@
-# Last Modified: Mon Apr 5 15:11:27 2010
+# Last Modified: Fri Aug 13 16:38:32 2010
#include <abstractions/base>
#include <abstractions/consoles>
@@ -9,6 +9,10 @@
capability dac_read_search,
capability chown,
+ # needed to drop privileges
+ capability setgid,
+ capability setuid,
+
network inet stream,
network inet6 stream,
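Review bot: The comment `# needed to drop privileges` above the new `capability setgid,` / `capability setuid,` lines says what the grant is for but not which process drops them or when, and that matters because these two capabilities let the confined process change its own uid and gid. Presumably qemu starts as root and switches to its configured user/group early; if that is the case I would say so, e.g. `# needed to drop privileges: qemu switches to its configured user/group at startup (the profile stays attached across setuid/setgid)`. The enclosing profile continues outside the hunk.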
diff -Naurp libvirt.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper libvirt/examples/apparmor/usr.lib.libvirt.virt-aa-helper
--- libvirt.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper 2010-04-06 16:14:52.000000000 -0500
+++ libvirt/examples/apparmor/usr.lib.libvirt.virt-aa-helper 2010-08-13 16:44:01.000000000 -0500
@@ -1,8 +1,9 @@
-# Last Modified: Mon Apr 5 15:10:27 2010
+# Last Modified: Fri Aug 13 16:38:32 2010
#include <tunables/global>
/usr/lib/libvirt/virt-aa-helper {
#include <abstractions/base>
+ #include <abstractions/user-tmp>
# needed for searching directories
capability dac_override,
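Review bot: The new `#include <abstractions/user-tmp>` is the only rule in this hunk without a justifying comment, whereas the neighbouring `capability dac_override,` carries `# needed for searching directories`. That abstraction grants owner read/write under /tmp, /var/tmp and the user's own tmp directory, a broader grant than the single-path rules used elsewhere in this profile, so a one-line comment naming the operation that needs it would let the next reader judge whether a narrower path rule would do; I cannot tell from the hunk whether it relates to the backingstore probing described later in this patch. The profile block opened at `/usr/lib/libvirt/virt-aa-helper {` continues outside the hunk.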
@@ -12,11 +13,16 @@
network inet,
deny @{PROC}/[0-9]*/mounts r,
+ @{PROC}/[0-9]*/net/psched r,
@{PROC}/filesystems r,
# for hostdev
/sys/devices/ r,
/sys/devices/** r,
+ /sys/bus/usb/devices/ r,
+ deny /dev/sd* r,
+ deny /dev/mapper/ r,
+ deny /dev/mapper/* r,
/usr/lib/libvirt/virt-aa-helper mr,
/sbin/apparmor_parser Ux,
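Review bot: The three new rules `deny /dev/sd* r,`, `deny /dev/mapper/ r,` and `deny /dev/mapper/* r,` carry no comment, unlike `# for hostdev` just above them, so a reader cannot tell whether they exist to silence expected denials while probing a backingstore or to enforce that the helper never reads raw block devices. I would add a comment stating the actual intent, e.g. `# virt-aa-helper must not read raw block devices when probing a backingstore; deny explicitly so these expected refusals are not logged`. Note that a plain `deny` also suppresses the audit record for those accesses, so if the intent is enforcement rather than log noise reduction, `audit deny` as used for the `@{HOME}/.*` rules later in this file would be the consistent choice. The list names only SCSI-style and device-mapper nodes; whether other block-device names the helper could be pointed at are reachable through the same path is not visible from this hunk.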
@@ -24,8 +30,11 @@
/etc/apparmor.d/libvirt/* r,
/etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
- # for backingstore -- allow access to non-hidden files in @{HOME} as well
- # as storage pools
+ # For backingstore, virt-aa-helper may need to peek inside the disk image, so
+ # allow access to non-hidden files in @{HOME} as well as storage pools, and
+ # removable media and filesystems, and certain file extentions. A
+ # virt-aa-helper failure when checking a disk for backinsgstore is non-fatal
+ # (but obviously the backingstore won't be added).
audit deny @{HOME}/.* mrwkl,
audit deny @{HOME}/.*/ rw,
audit deny @{HOME}/.*/** mrwkl,
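Review bot: The rewritten comment has two typos: `extentions` should read `extensions` and `backinsgstore` should read `backingstore`. The expanded explanation of why the helper needs to look inside disk images is otherwise a clear improvement over the old two-line comment. The profile block continues outside the hunk.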
