[PATCH 0/3] Apparmor: Add profiles for hypervisor daemons

Jim Fehlig jfehlig at suse.com
Wed Jun 16 03:41:01 UTC 2021


This series is a first attempt at creating apparmor profiles for the
modular daemons. It introduces profiles for virt{lxc,qemu,xen}d, which
AFAIK are the only hypervisors supported by apparmor. The profiles are
copies of the libvirtd profile, with all the non-hypervisor-specific
rules removed, e.g. qemu-related rules are removed from the virtxend
profile and vice versa. Likely more rules could be trimmed from the
xen and lxc profiles. I'll need to investigate how the apparmor tools
can help identify such rules.

So far things look okay with apparmor and modular daemons. One issue I
have yet to resolve is the interaction between dnsmasq and
libvirt_leaseshelper. Trying to start e.g. the default network results
in the following apparmor denial:

type=AVC msg=audit(1623791662.885:655): apparmor="DENIED" operation="exec" profile="/usr/sbin/dnsmasq" name="/usr/lib/libvirt_leaseshelper" pid=8154 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

Perhaps some apparmor experts can make better sense of that error than
me :-). It would be nice to avoid adjusting the dnsmasq profile, which
is not in the libvirt project, if possible.

I noticed a few more denial messages that I _think_ are unrelated to
modular daemons, which also need further investigation:

type=AVC msg=audit(1623797296.856:593): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/ssl/openssl.cnf" pid=6511 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1623797296.856:594): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=6511 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1623797297.732:623): apparmor="DENIED" operation="open" profile="libvirt-481c2d22-76d5-404b-a4b0-dc2069c7e19e" name="/etc/libnl/classid" pid=6539 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=107 ouid=0


Jim Fehlig (3):
  Apparmor: Add profile for virtqemud
  Apparmor: Add profile for virtlxcd
  Apparmor: Add profile for virtxend

 src/security/apparmor/libvirt-lxc           |   4 +-
 src/security/apparmor/libvirt-qemu          |   6 +
 src/security/apparmor/meson.build           |   3 +
 src/security/apparmor/usr.sbin.virtlxcd.in  |  89 +++++++++++++
 src/security/apparmor/usr.sbin.virtqemud.in | 135 ++++++++++++++++++++
 src/security/apparmor/usr.sbin.virtxend.in  |  78 +++++++++++
 6 files changed, 314 insertions(+), 1 deletion(-)
 create mode 100644 src/security/apparmor/usr.sbin.virtlxcd.in
 create mode 100644 src/security/apparmor/usr.sbin.virtqemud.in
 create mode 100644 src/security/apparmor/usr.sbin.virtxend.in

-- 
2.31.1
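The cover letter above quotes several apparmor="DENIED" audit records and asks which rules the apparmor tools would derive from them. The following is an added example, not code from the libvirt project or from this thread: it parses those records and turns each denied file access into a candidate AppArmor file rule, grouped by the profile that denied it. The sample input is the three records quoted in the message. The exec_mode argument is an assumption: deciding between ix, Px, Cx and Ux for an exec denial is a policy choice that a tool cannot make for you, and "ix" is used here only as a default.

```python
import re
from collections import defaultdict

# Constructed sample input: the denial records quoted in the cover letter above.
SAMPLE_LOG = """\
type=AVC msg=audit(1623791662.885:655): apparmor="DENIED" operation="exec" profile="/usr/sbin/dnsmasq" name="/usr/lib/libvirt_leaseshelper" pid=8154 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1623797296.856:593): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/ssl/openssl.cnf" pid=6511 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1623797296.856:594): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=6511 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1623797297.732:623): apparmor="DENIED" operation="open" profile="libvirt-481c2d22-76d5-404b-a4b0-dc2069c7e19e" name="/etc/libnl/classid" pid=6539 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Parse one AppArmor audit record into a dict of its fields.

    Quoted values lose their quotes. Returns None for lines that are not
    type=AVC records, so the caller can feed it a whole audit log.
    """
    if not line.startswith("type=AVC"):
        return None
    fields = {}
    for key, val in _KV.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def suggest_rule(rec, exec_mode="ix"):
    """Turn one DENIED record for a path into a candidate AppArmor file rule.

    Only the denied_mask is used, not requested_mask, so the rule grants
    exactly what the profile was missing. Permission letters r/w/a/m/l/k
    map straight onto rule permissions; the audit-only letters c (create)
    and d (delete) are covered by w in a rule. The exec modifier
    (exec_mode) is an assumption: ix/Px/Cx/Ux is a policy decision.
    """
    if rec.get("apparmor") != "DENIED" or "name" not in rec:
        return None
    mask = rec.get("denied_mask", "")
    perms = "".join(p for p in "rwamlk" if p in mask)
    if ("c" in mask or "d" in mask) and "w" not in perms:
        perms += "w"
    if "x" in mask:
        perms += exec_mode
    if not perms:
        return None
    return f"{rec['name']} {perms},"


def suggest_rules(log_text, exec_mode="ix"):
    """Group candidate rules by the profile that produced the denial.

    Returns {profile_name: [rule, ...]} with duplicates removed, which is
    the shape needed to decide which profile (or shared abstraction) each
    rule belongs in.
    """
    out = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        rule = suggest_rule(rec, exec_mode)
        if rule and rule not in out[rec["profile"]]:
            out[rec["profile"]].append(rule)
    return dict(out)


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(f"# profile {profile}")
        for rule in rules:
            print(f"  {rule}")
```

Note how the grouping separates the three cases in the message: the exec denial belongs to the /usr/sbin/dnsmasq profile, which is not shipped by libvirt; the two open denials belong to virt-aa-helper; and the last one is raised by a per-domain libvirt-<uuid> profile, which is generated at domain start, so a rule for it would go into the abstraction those generated profiles include rather than into any one generated file.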