[libvirt] [PATCH v2 0/5] Extend apparmor rules for libvirt 4.6

Christian Ehrhardt christian.ehrhardt at canonical.com
Thu Aug 16 11:13:35 UTC 2018


Ok, with acks of last year and new ones in and no other feedback nor any
Freeze atm I'm pushing these changes any minute.
The qemu-smb related one will be dropped, the others pushed with the latest
cleanups as discussed in the per-patch threads.
Thanks everybody for your participation!

On Tue, Aug 14, 2018 at 8:18 AM Christian Ehrhardt <christian.ehrhardt at canonical.com> wrote:

> Hi,
> this is a summary of things I had to touch recently for libvirt 4.6.
> The first two patches are re-submissions and modifications of last
> year which were never totally challenged, but also not pushed.
>
> The first was lost in a discussion about virt-aa-helper, which eventually
> turned out to be clear that it could not help in that case.
>   - https://www.redhat.com/archives/libvir-list/2017-February/msg01598.html
>   - https://www.redhat.com/archives/libvir-list/2017-March/msg00052.html
>
> The second even got a few Acks, but neither made it into upstream yet.
> Parts of it were introduced already, in
>   7edcbd02 apparmor: allow libvirt to send term signal to unconfined
>   b482925c apparmor: support ptrace checks
> But there are still signals blocked with those rules, so I resubmit the
> remaining bit. Also I added the Acks to the resubmission.
>
> The third and fourth change came in recently via various bug reports which I
> finally wanted to address - e.g. for ceph lib or smb. If we later on spot
> more cases that have predictable safe paths under /tmp we can add those.
>
> Finally the fifth change was triggered by me testing libvirt 4.6 in
> various conditions. Some of them were in containers, and the new libvirt
> behavior to carry more mount points into the qemu namespace triggers the
> need to rewrite the existing mount-moving rules that we added last year.
>
> *Updates in V2*
> - added Acks to patch #1
> - split former patch #3 into #3/#4 to discuss /tmp access and qemu-smb
>   individually
> - rewrote reasoning and concerns as well as TODOs to improve later in
>   regard to the /tmp related commits #3/#4
> - Updated the rule since the trailing {,/} is not needed after **
>
> Christian Ehrhardt (5):
>   apparmor: allow openGraphicsFD for virt manager >1.4
>   apparmor: add mediation rules for unconfined guests
>   apparmor: allow expected /tmp access patterns
>   apparmor: allow qemu-smb access in /tmp
>   apparmor: allow to preserve /dev mountpoints into qemu namespaces
>
>  examples/apparmor/libvirt-qemu      | 20 ++++++++++++++++++++
>  examples/apparmor/usr.sbin.libvirtd | 24 +++++++++++++-----------
>  2 files changed, 33 insertions(+), 11 deletions(-)
>
> --
> 2.17.1
>
>

-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd