[RFC] apparmor: add subprofile for virtiofsd
Daniel P. Berrangé
berrange at redhat.com
Thu Aug 27 11:45:10 UTC 2020
On Wed, Aug 26, 2020 at 10:41:15AM +0200, Christian Ehrhardt wrote:
> This is a continuation of
> https://www.redhat.com/archives/libvir-list/2020-August/msg00804.html
> https://www.redhat.com/archives/libvir-list/2020-August/msg00922.html
>
> It still has too many weak points left, but should be great as an RFC
> already. virtiofsd works for me using that profile, but we need to:
> - agree on common paths to expect for virtiofsd
When you say "common paths", I presume you're referring to paths
that users can export to the guests ?
If so, I fear that is an unsolvable problem if the goal is to define
a static policy ahead of time. Apps can use pretty much arbitrary
dirs in their guest config.
We do have a /var/lib/libvirt/filesystems dir but I'm not convinced
any apps actually use it in practice.
Long term, I think we need an approach like the one we use for QEMU,
where we generate a dynamic polocy based on the guest config (apparmor),
or dynamic file lalbelling baed on guest config (selinux).
> - get the post pivot_root rules under control
>
> ---
>
> virtiofsd runs as root and is reachable from the guest, to limit
> the exploit potential this adds a apparmor subprofile to virtiofsd
> as spawned by libvirt to limit it.
>
> Known TODOs:
> - rules after pivot_root need not to allow everything
> - settle on common paths with the community
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> ---
> src/security/apparmor/libvirt-qemu | 3 ++
> src/security/apparmor/usr.sbin.libvirtd.in | 46 ++++++++++++++++++++++
> 2 files changed, 49 insertions(+)
>
> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> index a03e9e2c94..668fc72f27 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -221,6 +221,9 @@
> unix (send, receive) type=stream addr=none peer=(label=libvirtd),
> unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
>
> + # allow to connect to virtiofsd
> + unix (send, receive) type=stream addr=none peer=(label=libvirtd//virtiofsd),
> +
> # for gathering information about available host resources
> /sys/devices/system/cpu/ r,
> /sys/devices/system/node/ r,
> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
> index 4518e8f865..f878398b4b 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> @@ -133,4 +133,50 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
>
> /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
> }
> +
> + # child profile for virtiofsd helper process
> + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd Cx -> virtiofsd,
> + profile virtiofsd flags=(attach_disconnected) {
> + #include <abstractions/base>
> + #include <abstractions/libvirt-qemu>
> +
> + capability sys_admin,
> + capability sys_resource,
> +
> + # init phase
> + / r,
> + mount options=(rw, rslave) -> /,
> + umount /,
> + mount options=(rw, nosuid, nodev, noexec, relatime) -> @{PROC},
> + owner /proc/sys/fs/file-max r,
> +
> + # For communication/control from libvirtd
> + unix (send, receive) type=stream addr=none peer=(label=libvirtd),
> + signal (receive) set=("term") peer=/usr/sbin/libvirtd,
> + signal (receive) set=("term") peer=libvirtd,
> + owner /var/lib/libvirt/qemu/domain-*/fs[0-9]{[0-9],}-fs.pid w,
> + /var/lib/libvirt/qemu/domain-*/fs[0-9]{[0-9],}-fs.sock rw,
> + /var/lib/libvirt/qemu/ram/*/ram-node[0-9]{[0-9],} rw,
> +
> + # For communication with confined and unconfined guests
> + unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
> + unix (send, receive) type=stream addr=none peer=(label=unconfined),
> +
> + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd rmix,
> +
> + # Common host paths to share from are allowed by default
> + # Further paths should be added as local override
> + # TODO - community to settle on a list of common paths to allow
> + owner /var/lib/libvirt/virtiofsd/*/ r,
> + mount options=(rw, bind) -> /var/lib/libvirt/virtiofsd/*/,
> + pivot_root /var/lib/libvirt/virtiofsd/*/,
> +
> + # TODO - after pivot_root the rules for the actual file access by the guest
> + # through virtiofsd would need to start with / which is too open
> + /** rw,
> +
> + # Site-specific additions and overrides. See local/README for details.
> + #include <local/usr.lib.qemu.virtiofsd>
> + }
> +
> }
> --
> 2.28.0
>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
More information about the libvir-list
mailing list