[libvirt] Resubmission: [PATCH 0/6] sVirt AppArmor security driver

Jamie Strandboge jamie at canonical.com
Tue Sep 8 21:17:26 UTC 2009


Resubmitting based on feedback from this list. Notably, *alloc calls
have been removed and syntax-check completes without error for all
files.

Jamie

On Fri, 04 Sep 2009, Jamie Strandboge wrote:

> This patch series implements the AppArmor security driver for sVirt.
> This implementation was developed for the Ubuntu AppArmorLibvirtProfile
> specification[1], but is general enough for any AppArmor deployment
> (such as Ubuntu, *SUSE and Mandriva).
> 
> This patch has seen quite a bit of real world testing in Ubuntu 9.10
> (our development release) in our 0.7.0-1ubuntu3 package. I did make a
> few small changes after going through HACKING, but mostly I got the
> tests going and added documentation.
> 
> DESIGN
> ------
> When a virtual machine is started, determine if a profile is currently
> defined for the machine, and use it if available. If not, generate a new
> profile for the machine based on a template, which is by default a very
> restrictive profile allowing access to disk files, and anything else
> needed to run, such as the pid, monitor and log files.
> 
> Virtual machines should have a unique profile specific to that machine.
> To ensure uniqueness, the profile name will be derived from the UUID of
> the virtual machine. These profiles should be configurable, either by
> adjusting the profile template for new machines, creating/modifying the
> VM profile directly or through the use of AppArmor abstractions. This
> will allow for administrators to fine-tune confinement for individual
> machines if desired.
> 
> If enabled at compile time, the sVirt security model will be activated
> if AppArmor is available on the host OS and a profile for the libvirtd
> daemon is loaded when libvirtd is started.
> 
> libvirtd should not be allowed to create arbitrary profiles or modify
> profiles directly, so as to not allow libvirtd to potentially (i.e. via a
> security bug in libvirtd itself) bootstrap out of AppArmor confinement.
> 
> Because root privileges are needed to manipulate AppArmor profiles,
> qemu:///session will not be supported at this time, but the
> implementation must allow for a confined libvirtd with qemu:///session
> guests running unconfined. This can be revisited when AppArmor supports
> per-user profiles.
> 
> Please see the specification[1] for more details.
> 
> 
> PATCHES
> -------
> The patches are all against trunk as of yesterday. Testing was done on
> trunk and there seem to be no regressions over the 0.7.0-1ubuntu3
> package in Ubuntu.
> 
> 
> [PATCH 1*]
> patch_1a_reenable-nonfile-labels.patch:
> When James Morris originally submitted his sVirt patches (as seen in
> libvirt 0.6.1), he did not require on disk labelling for
> virSecurityDomainRestoreImageLabel. A later commit[2] changed this
> behavior to assume on disk labelling, which halts implementations for
> path-based MAC systems such as AppArmor and TOMOYO where
> vm->def->seclabel is required to obtain the label. This patch simply
> adds the 'virDomainObjPtr vm' argument back to *RestoreImageLabel.
> 
> patch_1b_optional.patch:
> Due to the above change, 'make syntax-check' fails because
> SELinuxRestoreSecurityImageLabel() does not use the 'virDomainObjPtr
> vm'. patch_1b_optional.patch is a simple patch to fix this by checking
> if vm->def->seclabel == NULL and returns with error if it does. I
> realize this may not be desired in the long term, but it should be
> harmless enough to include.
> 
> 
> [PATCH 2]
> patch_2_security_c.patch:
> Updates src/security.c for AppArmor
> 
> 
> [PATCH 3]
> patch_3_security_apparmor.patch:
> Adds security_apparmor.c, security_apparmor.h, virt-aa-helper.c and
> updates po/POTFILES.in. virt-aa-helper.c is a new binary which is used
> exclusively by the AppArmor security driver to manipulate AppArmor.
> These files compile without warning and pass syntax-check.
> 
> 
> [PATCH 4]
> patch_4_tests.patch:
> Adds tests for virt-aa-helper and the security driver. secaatest.c is
> identical to seclabeltest.c except it initializes the 'apparmor' driver
> instead of 'selinux'. These tests are integrated into 'make check' and
> pass.
> 
> 
> [PATCH 5]
> patch_5_docs.patch:
> Updates docs/drvqemu.html.in for AppArmor and adds profile examples to
> examples/apparmor.
> 
> 
> [PATCH 6]
> patch_6_autoconf.patch:
> Updates Makefile.am and configure.in for AppArmor. It is based on and
> should operate the same as the SELinux configuration.
> 
> 
> Caveats and known issues:
> 1. it does not take advantage of the recent host device labelling
>    functionality yet
> 2. it does not properly handle hot-plugging of devices yet
> 3. qemu:///session runs unconfined (see above)
> 
> 
> Thanks!
> 
> Jamie (jdstrand on Freenode and OFTC)
> 
> [1] https://wiki.ubuntu.com/SecurityTeam/Specifications/AppArmorLibvirtProfile
> [2] http://libvirt.org/git/?p=libvirt.git;a=commit;h=c86afc85ee0d1ec6d76c2d254ba0730427360280
> 

-- 
Jamie Strandboge             | http://www.canonical.com
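The DESIGN section describes the driver's core loop: look for a profile already defined for the machine, otherwise generate one from a restrictive template, naming it after the domain UUID and admitting only the disk files plus the pid, monitor and log files. The Python below is an added illustration of that design and is not code from the patch series or from virt-aa-helper; the profile directory, run-time file locations, the `libvirt-<uuid>` naming and the exact rule text are assumptions chosen for the example. Its one defensive point beyond the mail is that the UUID, domain name and disk paths are validated before they are interpolated into profile text, so that a crafted name cannot smuggle extra rules into the generated policy.

```python
"""Toy per-VM AppArmor profile generator illustrating the sVirt AppArmor
design: reuse an existing profile, else render one from a template.
Illustrative only; not virt-aa-helper. Paths and naming are assumptions."""
import os
import re

PROFILE_DIR = "/etc/apparmor.d/libvirt"   # assumed location of per-VM profiles
RUN_DIR = "/var/run/libvirt/qemu"         # assumed location of pid/monitor files
LOG_DIR = "/var/log/libvirt/qemu"         # assumed location of domain logs

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
# Characters with meaning in AppArmor rule syntax (globs, quoting, rule
# terminators, comments); a path containing them is refused, not escaped.
UNSAFE_PATH_CHARS = set(" \t\r\n\"',{}*?[]#")

# Template (constructed for this example): base abstraction, the emulator's
# own run-time files, and a per-machine list of disk rules appended at the end.
TEMPLATE = """#include <tunables/global>

profile {profile} flags=(attach_disconnected) {{
  #include <abstractions/base>

  # run-time files the emulator needs
  {run_dir}/{name}.pid rw,
  {run_dir}/{name}.monitor rw,
  {log_dir}/{name}.log w,

  # disk files for this machine only
{disks}}}
"""


def profile_name(vm_uuid):
    """Derive the unique profile name from the VM UUID.  Anything that does
    not parse as a UUID is rejected so it can never reach the profile text."""
    u = vm_uuid.lower()
    if not UUID_RE.match(u):
        raise ValueError("not a UUID: %r" % vm_uuid)
    return "libvirt-" + u


def disk_rules(disks):
    """disks: iterable of (absolute_path, readonly) pairs -> AppArmor rules."""
    lines = []
    for path, readonly in disks:
        if not os.path.isabs(path) or UNSAFE_PATH_CHARS & set(path):
            raise ValueError("unsafe disk path: %r" % path)
        mode = "r" if readonly else "rw"
        lines.append("  %s %s,\n" % (os.path.normpath(path), mode))
    return "".join(lines)


def render_profile(vm_uuid, vm_name, disks):
    """Fill the template for one machine; the domain name is validated because
    it becomes part of the pid/monitor/log paths."""
    if not NAME_RE.match(vm_name):
        raise ValueError("unsafe domain name: %r" % vm_name)
    return TEMPLATE.format(profile=profile_name(vm_uuid), name=vm_name,
                           run_dir=RUN_DIR, log_dir=LOG_DIR,
                           disks=disk_rules(disks))


def ensure_profile(vm_uuid, vm_name, disks, profile_dir=PROFILE_DIR):
    """Return (path, created).  An existing profile is left untouched so an
    administrator's hand edits survive; a missing one is generated."""
    path = os.path.join(profile_dir, profile_name(vm_uuid))
    if os.path.exists(path):
        return path, False
    os.makedirs(profile_dir, exist_ok=True)
    with open(path, "w") as f:
        f.write(render_profile(vm_uuid, vm_name, disks))
    os.chmod(path, 0o644)
    return path, True


if __name__ == "__main__":
    # constructed sample input
    print(render_profile("0e3b2a1c-5d4f-4b6e-9a7c-1234567890ab", "demo-vm",
                         [("/var/lib/libvirt/images/demo-vm.img", False),
                          ("/var/lib/libvirt/images/install.iso", True)]))
```

Loading the rendered file into the kernel (the step the mail delegates to virt-aa-helper) is deliberately left out; the point here is the reuse-or-generate decision and the input validation that keeps the generated policy exactly as restrictive as the template intends.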