[libvirt] [PATCH v2] apparmor: QEMU bridge helper policy updates
Jamie Strandboge
jamie at canonical.com
Tue Mar 13 19:02:23 UTC 2012
On Tue, 2012-03-13 at 08:42 -0400, Corey Bryant wrote:
> This patch provides AppArmor policy updates for the QEMU bridge helper.
> The QEMU bridge helper is a SUID executable exec'd by QEMU that drops
> capabilities to CAP_NET_ADMIN and adds a tap device to a network
> bridge. For more details on the helper, please refer to:
>
> http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg03562.html
>
> Signed-off-by: Corey Bryant <coreyb at linux.vnet.ibm.com>
> ---
> examples/apparmor/libvirt-qemu | 22 +++++++++++++++++++++-
> 1 files changed, 21 insertions(+), 1 deletions(-)
>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index 10cdd36..c5a11b6 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -1,4 +1,4 @@
> -# Last Modified: Mon Apr 5 15:11:27 2010
> +# Last Modified: Fri Mar 9 14:43:22 2012
>
> #include <abstractions/base>
> #include <abstractions/consoles>
> @@ -108,3 +108,23 @@
> /bin/dash rmix,
> /bin/dd rmix,
> /bin/cat rmix,
> +
> + /usr/libexec/qemu-bridge-helper Cx,
> +
> + # child profile for bridge helper process
> + profile /usr/libexec/qemu-bridge-helper {
> + #include <abstractions/base>
> +
> + capability setuid,
> + capability setgid,
> + capability setpcap,
> + capability net_admin,
> +
> + network inet stream,
> +
> + /dev/net/tun rw,
> + /etc/qemu/** r,
> + owner @{PROC}/*/status r,
> +
> + /usr/libexec/qemu-bridge-helper rmix,
> + }
The policy looks good to me. Thanks! It might make more sense to have
this committed when libvirt has qemu-bridge-helper, but others can
decide on that.
Acked-By: Jamie Strandboge <jamie at canonical.com>
--
Jamie Strandboge | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20120313/e73bc9b8/attachment-0001.sig>
More information about the libvir-list
mailing list