
[libvirt] [PATCH 0/4] Extend apparmor rules for libvirt 4.6

This is a summary of things I had to touch recently when working on 4.6.
The first two patches are re-submissions and modifications of last
year which were never totally challenged, but also not pushed yet (I had
no permissions yet back then).

The first was lost in a discussion about virt-aa-helper, which eventually
turned out to be clear that it could not help in that case.
  - https://www.redhat.com/archives/libvir-list/2017-February/msg01598.html
  - https://www.redhat.com/archives/libvir-list/2017-March/msg00052.html

The second even got a few Acks, but neither made it into upstream yet.
Parts of it were introduced already, in
  7edcbd02 apparmor: allow libvirt to send term signal to unconfined
  b482925c apparmor: support ptrace checks
But there are still signals blocked with those rules, so I resubmit the
remaining bit. Also I added the Acks to the resubmission.

The third change came in recently via various bug reports which I finally
wanted to address - e.g. for ceph lib or smb. If we later on spot more
cases that have predictable safe paths under /tmp we can add those.

Finally the fourth change was triggered by me testing libvirt 4.6 in
various conditions. Some of them were in containers, and the new libvirt
behavior to carry more mount points into the qemu namespace triggers the
need to rewrite the existing mount-moving rules that we added last year.

Christian Ehrhardt (4):
  apparmor: allow openGraphicsFD for virt manager >1.4
  apparmor: add mediation rules for unconfined guests
  apparmor: allow expected /tmp access patterns
  apparmor: allow to preserve /dev mountpoints into qemu namespaces

 examples/apparmor/libvirt-qemu      | 13 +++++++++++++
 examples/apparmor/usr.sbin.libvirtd | 24 +++++++++++++-----------
 2 files changed, 26 insertions(+), 11 deletions(-)
