[PATCH V2 0/4] Apparmor: Add profiles for hypervisor daemons

Jim Fehlig jfehlig at suse.com
Tue Jun 22 23:27:43 UTC 2021


and other improvements. V2 of

https://listman.redhat.com/archives/libvir-list/2021-June/msg00456.html

Changes since V1:
Removed many unneeded capabilities. I used the 'audit' qualifier as suggested
by cboltz to verify which capabilities were actually used. It's a difficult
task though, as it is nearly impossible for one person to exercise a driver
in all the ways thousands of users will push it :-). I was able to whittle
the virtxend profile quite a bit since xen doesn't need a lot in the way of
host capabilities.

Removed patch containing the virtlxcd profile since I'm unable to start any
lxc domains with virtlxcd.

Added patches to squelch denial messages from the virt-aa-helper profile.

Jim Fehlig (4):
  Apparmor: Add profile for virtqemud
  Apparmor: Add profile for virtxend
  Apparmor: Allow reading libnl's classid file
  Apparmor: Allow reading /etc/ssl/openssl.cnf

 src/security/apparmor/libvirt-qemu            |   5 +
 src/security/apparmor/meson.build             |   2 +
 .../usr.lib.libvirt.virt-aa-helper.in         |   4 +-
 src/security/apparmor/usr.sbin.virtqemud.in   | 135 ++++++++++++++++++
 src/security/apparmor/usr.sbin.virtxend.in    |  53 +++++++
 5 files changed, 198 insertions(+), 1 deletion(-)
 create mode 100644 src/security/apparmor/usr.sbin.virtqemud.in
 create mode 100644 src/security/apparmor/usr.sbin.virtxend.in

-- 
2.31.1
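The cover letter describes tightening the profiles by marking capability rules with AppArmor's `audit` qualifier and then checking the audit trail to see which capabilities the daemon really exercised. The following is an added example, not code from this patch series or from libvirt: a small parser that reads AppArmor `capable` events (both `apparmor="AUDIT"` entries produced by audited rules and `apparmor="DENIED"` entries), tallies them per profile, and reports which granted capabilities were never observed. It assumes the common audit log line layout (`apparmor=... operation="capable" profile=... capname=...`); the log lines, profile names and the granted-capability list are constructed for illustration.

```python
"""Summarise which Linux capabilities an AppArmor-confined daemon actually used.

Added example, not part of the libvirt patch series. It assumes the usual
AppArmor audit line format emitted for rules carrying the 'audit' qualifier
(apparmor="AUDIT") or for refused access (apparmor="DENIED"). The sample log
lines below are constructed, not captured from a real host.
"""
import re
from collections import defaultdict

# key=value tokens; values are either double-quoted or bare.
_TOKEN = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample audit trail (not real log data).
SAMPLE_LOG = [
    'type=AVC msg=audit(1624403263.101:301): apparmor="AUDIT" operation="capable" '
    'profile="/usr/sbin/virtqemud" pid=1234 comm="virtqemud" capability=12 capname="net_admin"',
    'type=AVC msg=audit(1624403263.102:302): apparmor="AUDIT" operation="capable" '
    'profile="/usr/sbin/virtqemud" pid=1234 comm="virtqemud" capability=12 capname="net_admin"',
    'type=AVC msg=audit(1624403263.103:303): apparmor="AUDIT" operation="capable" '
    'profile="/usr/sbin/virtqemud" pid=1234 comm="virtqemud" capability=2 capname="dac_read_search"',
    'type=AVC msg=audit(1624403263.104:304): apparmor="DENIED" operation="capable" '
    'profile="/usr/sbin/virtxend" pid=2345 comm="virtxend" capability=21 capname="sys_admin"',
    # A file-access denial: not a 'capable' event, so it is ignored below.
    'type=AVC msg=audit(1624403263.105:305): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/ssl/openssl.cnf" pid=3456 '
    'comm="virt-aa-helper" requested_mask="r" denied_mask="r"',
]


def parse_audit_line(line):
    """Return the key/value fields of one audit line, or None when the line
    is not an AppArmor 'capable' event with a capability name."""
    fields = {}
    for m in _TOKEN.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    if fields.get("operation") != "capable" or "capname" not in fields:
        return None
    return fields


def capabilities_by_profile(lines):
    """Map profile -> {capname: {"AUDIT": count, "DENIED": count}}."""
    summary = defaultdict(lambda: defaultdict(lambda: {"AUDIT": 0, "DENIED": 0}))
    for line in lines:
        f = parse_audit_line(line)
        if f is None:
            continue
        outcome = f.get("apparmor")
        if outcome not in ("AUDIT", "DENIED"):
            continue
        summary[f["profile"]][f["capname"]][outcome] += 1
    return {profile: dict(caps) for profile, caps in summary.items()}


def unused_capabilities(granted, observed):
    """Capabilities a profile grants but the audit trail never shows in use.
    These are the candidates to drop when whittling a profile down."""
    return sorted(set(granted) - set(observed))


if __name__ == "__main__":
    usage = capabilities_by_profile(SAMPLE_LOG)
    for profile, caps in usage.items():
        print(profile)
        for capname, counts in sorted(caps.items()):
            print(f"  {capname:18} audited={counts['AUDIT']} denied={counts['DENIED']}")
    # Hypothetical set of capabilities granted in the virtqemud profile.
    granted = ["net_admin", "dac_read_search", "sys_rawio"]
    print("never exercised:", unused_capabilities(granted, usage["/usr/sbin/virtqemud"]))
```

Run it against `journalctl -k` or `/var/log/audit/audit.log` output after exercising the daemon; capabilities that appear only as DENIED are the ones a profile still lacks, while granted capabilities that never appear in either column are the ones worth removing, subject to the caveat in the cover letter that one person rarely drives a driver through every path users will.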