I've ported and tested the libvirt AppArmor support from the Ubuntu package.
The only difference in the profiles is this addition to usr.lib.libvirt.virt-aa-helper:

    /etc/libnl-[0-9]/classid r,

The driver can be enabled by setting this in /etc/libvirt/qemu.conf:

    security_driver = "apparmor"

Cheers,
Felix

PS: Could you please enable parallel building (dh $@ --builddirectory=$(DEB_BUILDDIR) --parallel)? That makes test-building so much more fun ;)
diff -Nru libvirt-1.2.0/debian/apparmor/libvirt-qemu libvirt-1.2.0/debian/apparmor/libvirt-qemu
--- libvirt-1.2.0/debian/apparmor/libvirt-qemu 1970-01-01 01:00:00.000000000 +0100
+++ libvirt-1.2.0/debian/apparmor/libvirt-qemu 2013-11-12 18:47:24.000000000 +0100
@@ -0,0 +1,140 @@
+# Last Modified: Wed Jul 8 09:57:41 2009
+
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+
+ # required for reading disk images
+ capability dac_override,
+ capability dac_read_search,
+ capability chown,
+
+ # needed to drop privileges
+ capability setgid,
+ capability setuid,
+
+ # this is needed with libcap-ng support, however it breaks a lot of things
+ # atm, so just silence the denial until libcap-ng works right. LP: #522845
+ deny capability setpcap,
+
+ network inet stream,
+ network inet6 stream,
+
+ /dev/net/tun rw,
+ /dev/tap* rw,
+ /dev/kvm rw,
+ /dev/ptmx rw,
+ /dev/kqemu rw,
+ @{PROC}/*/status r,
+ owner @{PROC}/*/auxv r,
+ @{PROC}/sys/vm/overcommit_memory r,
+
+ # For hostdev access. The actual devices will be added dynamically
+ /sys/bus/usb/devices/ r,
+ /sys/devices/**/usb[0-9]*/** r,
+
+ # WARNING: this gives the guest direct access to host hardware and specific
+ # portions of shared memory. This is required for sound using ALSA with kvm,
+ # but may constitute a security risk. If your environment does not require
+ # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
+ # the rules for files in /dev.
+ /{dev,run}/shm r,
+ /{dev,run}/shmpulse-shm* r,
+ /{dev,run}/shmpulse-shm* rwk,
+ /dev/snd/* rw,
+ capability ipc_lock,
+ # spice
+ /usr/bin/qemu-system-i386-spice rmix,
+ /usr/bin/qemu-system-x86_64-spice rmix,
+ /run/shm/ r,
+ owner /run/shm/spice.* rw,
+ # 'kill' is not required for sound and is a security risk. Do not enable
+ # unless you absolutely need it.
+ deny capability kill,
+
+ # Uncomment the following if you need access to /dev/fb*
+ #/dev/fb* rw,
+
+ /etc/pulse/client.conf r,
+ @{HOME}/.pulse-cookie rwk,
+ owner /root/.pulse-cookie rwk,
+ owner /root/.pulse/ rw,
+ owner /root/.pulse/* rw,
+ /usr/share/alsa/** r,
+ owner /tmp/pulse-*/ rw,
+ owner /tmp/pulse-*/* rw,
+ /var/lib/dbus/machine-id r,
+
+ # access to firmware's etc
+ /usr/share/kvm/** r,
+ /usr/share/qemu/** r,
+ /usr/share/bochs/** r,
+ /usr/share/openbios/** r,
+ /usr/share/openhackware/** r,
+ /usr/share/proll/** r,
+ /usr/share/vgabios/** r,
+ /usr/share/seabios/** r,
+ /usr/share/ovmf/** r,
+
+ # access PKI infrastructure
+ /etc/pki/libvirt-vnc/** r,
+
+ # the various binaries
+ /usr/bin/kvm rmix,
+ /usr/bin/qemu rmix,
+ /usr/bin/qemu-system-arm rmix,
+ /usr/bin/qemu-system-cris rmix,
+ /usr/bin/qemu-system-i386 rmix,
+ /usr/bin/qemu-system-m68k rmix,
+ /usr/bin/qemu-system-mips rmix,
+ /usr/bin/qemu-system-mips64 rmix,
+ /usr/bin/qemu-system-mips64el rmix,
+ /usr/bin/qemu-system-mipsel rmix,
+ /usr/bin/qemu-system-ppc rmix,
+ /usr/bin/qemu-system-ppc64 rmix,
+ /usr/bin/qemu-system-ppcemb rmix,
+ /usr/bin/qemu-system-sh4 rmix,
+ /usr/bin/qemu-system-sh4eb rmix,
+ /usr/bin/qemu-system-sparc rmix,
+ /usr/bin/qemu-system-sparc64 rmix,
+ /usr/bin/qemu-system-x86_64 rmix,
+ /usr/bin/qemu-system-x86_64-spice rmix,
+ /usr/bin/qemu-alpha rmix,
+ /usr/bin/qemu-arm rmix,
+ /usr/bin/qemu-armeb rmix,
+ /usr/bin/qemu-cris rmix,
+ /usr/bin/qemu-i386 rmix,
+ /usr/bin/qemu-m68k rmix,
+ /usr/bin/qemu-mips rmix,
+ /usr/bin/qemu-mipsel rmix,
+ /usr/bin/qemu-ppc rmix,
+ /usr/bin/qemu-ppc64 rmix,
+ /usr/bin/qemu-ppc64abi32 rmix,
+ /usr/bin/qemu-sh4 rmix,
+ /usr/bin/qemu-sh4eb rmix,
+ /usr/bin/qemu-sparc rmix,
+ /usr/bin/qemu-sparc64 rmix,
+ /usr/bin/qemu-sparc32plus rmix,
+ /usr/bin/qemu-sparc64 rmix,
+ /usr/bin/qemu-x86_64 rmix,
+
+ # for save and resume
+ /bin/dash rmix,
+ /bin/dd rmix,
+ /bin/cat rmix,
+ /etc/pki/CA/ r,
+ /etc/pki/CA/* r,
+ /etc/pki/libvirt/ r,
+ /etc/pki/libvirt/** r,
+
+ # for rbd
+ /etc/ceph/ceph.conf r,
+
+ # for access to hugepages
+ owner "/run/hugepages/kvm/libvirt/qemu/**" rw,
+
+ # for usb access
+ /dev/bus/usb/ r,
+ /etc/udev/udev.conf r,
+ /sys/bus/ r,
+ /sys/class/ r,
diff -Nru libvirt-1.2.0/debian/apparmor/local-usr.sbin.libvirtd libvirt-1.2.0/debian/apparmor/local-usr.sbin.libvirtd
--- libvirt-1.2.0/debian/apparmor/local-usr.sbin.libvirtd 1970-01-01 01:00:00.000000000 +0100
+++ libvirt-1.2.0/debian/apparmor/local-usr.sbin.libvirtd 2012-12-05 23:37:34.000000000 +0100
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.sbin.libvirtd.
+# For more details, please see /etc/apparmor.d/local/README.
diff -Nru libvirt-1.2.0/debian/apparmor/TEMPLATE libvirt-1.2.0/debian/apparmor/TEMPLATE
--- libvirt-1.2.0/debian/apparmor/TEMPLATE 1970-01-01 01:00:00.000000000 +0100
+++ libvirt-1.2.0/debian/apparmor/TEMPLATE 2012-12-05 23:37:34.000000000 +0100
@@ -0,0 +1,9 @@
+#
+# This profile is for the domain whose UUID matches this file.
+#
+
+#include <tunables/global>
+
+profile LIBVIRT_TEMPLATE {
+ #include <abstractions/libvirt-qemu>
+}
diff -Nru libvirt-1.2.0/debian/apparmor/usr.lib.libvirt.virt-aa-helper libvirt-1.2.0/debian/apparmor/usr.lib.libvirt.virt-aa-helper
--- libvirt-1.2.0/debian/apparmor/usr.lib.libvirt.virt-aa-helper 1970-01-01 01:00:00.000000000 +0100
+++ libvirt-1.2.0/debian/apparmor/usr.lib.libvirt.virt-aa-helper 2014-01-03 22:13:41.000000000 +0100
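Review bot: `@{HOME}/.pulse-cookie rwk,` is the one home-directory rule in the PulseAudio block without an `owner` qualifier, while the adjacent `owner /root/.pulse-cookie rwk,` has one, so every confined guest process gets read/write access to the pulse cookie of every user under @{HOME}, not only of the user it runs as. Unless there is a known reason qemu must touch another user's cookie, `owner @{HOME}/.pulse-cookie rwk,` matches the intent of the surrounding rules. Separately, `/usr/bin/qemu-sparc64 rmix,` appears twice in the binaries list, and the two `/{dev,run}/shmpulse-shm*` paths look as if they lost a `/` before `pulse-shm` (compare the directory form `/run/shm/ r,` in the spice section) — worth checking against the Ubuntu source before this ships as a conffile.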
@@ -0,0 +1,65 @@
+# Last Modified: Mon Jul 06 17:22:37 2009
+#include <tunables/global>
+
+/usr/lib/libvirt/virt-aa-helper {
+ #include <abstractions/base>
+ #include <abstractions/user-tmp>
+
+ # needed for searching directories
+ capability dac_override,
+ capability dac_read_search,
+
+ # needed for when disk is on a network filesystem
+ network inet,
+
+ deny @{PROC}/[0-9]*/mounts r,
+ @{PROC}/[0-9]*/net/psched r,
+ owner @{PROC}/[0-9]*/status r,
+ @{PROC}/filesystems r,
+
+ /etc/libnl-[0-9]/classid r,
+
+ # for hostdev
+ /sys/devices/ r,
+ /sys/devices/** r,
+ /sys/bus/usb/devices/ r,
+ /sys/bus/usb/devices/** r,
+ deny /dev/sd* r,
+ deny /dev/dm-* r,
+ deny /dev/mapper/ r,
+ deny /dev/mapper/* r,
+
+ /usr/lib/libvirt/virt-aa-helper mr,
+ /sbin/apparmor_parser Ux,
+
+ /etc/apparmor.d/libvirt/* r,
+ /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+
+ # For backingstore, virt-aa-helper needs to peek inside the disk image, so
+ # allow access to non-hidden files in @{HOME} as well as storage pools, and
+ # removable media and filesystems, and certain file extentions. A
+ # virt-aa-helper failure when checking a disk for backinsgstore is non-fatal
+ # (but obviously the backingstore won't be added).
+ audit deny @{HOME}/.* mrwkl,
+ audit deny @{HOME}/.*/ rw,
+ audit deny @{HOME}/.*/** mrwkl,
+ @{HOME}/ r,
+ @{HOME}/** r,
+ @{HOME}/.Private/** mrwlk,
+ @{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk,
+
+ /var/lib/libvirt/images/ r,
+ /var/lib/libvirt/images/** r,
+ /var/lib/nova/images/** r,
+ /var/lib/nova/instances/_base/** r,
+ /var/lib/eucalyptus/instances/**/disk* r,
+ /var/lib/eucalyptus/instances/**/loader* r,
+ /{media,mnt,opt,srv}/** r,
+
+ /**.img r,
+ /**.qcow{,2} r,
+ /**.qed r,
+ /**.vmdk r,
+ /**.[iI][sS][oO] r,
+ /**/disk{,.*} r,
+}
diff -Nru libvirt-1.2.0/debian/apparmor/usr.sbin.libvirtd libvirt-1.2.0/debian/apparmor/usr.sbin.libvirtd
--- libvirt-1.2.0/debian/apparmor/usr.sbin.libvirtd 1970-01-01 01:00:00.000000000 +0100
+++ libvirt-1.2.0/debian/apparmor/usr.sbin.libvirtd 2013-10-23 21:08:59.000000000 +0200
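Review bot: The backingstore comment carries two typos that will land in a shipped conffile: `extentions` should be `extensions` and `backinsgstore` should be `backingstore`. The same comment would be more useful if it said why the `audit deny @{HOME}/.*` rules can sit next to the very broad `/**.img r`, `/**.qcow{,2} r` and `/**/disk{,.*} r` allows — AppArmor deny rules take precedence over allows, so hidden files under @{HOME} stay unreadable even when they match those patterns; something like `# deny rules win over the /** allows below, so dotfiles stay protected` before the first `audit deny`. Finally, `network inet,` with no type is wider than the `network inet stream,` used in the guest abstraction; if only stream sockets are needed for network-filesystem image access, narrowing it (or noting in the comment why datagram/raw are needed) would be worthwhile.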
@@ -0,0 +1,67 @@
+# Last Modified: Mon Jul 6 17:23:58 2009
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
+
+/usr/sbin/libvirtd {
+ #include <abstractions/base>
+ #include <abstractions/dbus>
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.libvirtd>
+
+ capability kill,
+ capability net_admin,
+ capability net_raw,
+ capability setgid,
+ capability sys_admin,
+ capability sys_module,
+ capability sys_ptrace,
+ capability sys_nice,
+ capability sys_chroot,
+ capability setuid,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability chown,
+ capability setpcap,
+ capability mknod,
+ capability fsetid,
+ capability ipc_lock,
+ capability audit_write,
+
+ network inet stream,
+ network inet dgram,
+ network inet6 stream,
+ network inet6 dgram,
+ network packet dgram,
+
+ # for now, use a very lenient profile since we want to first focus on
+ # confining the guests
+ / r,
+ /** rwmkl,
+
+ /bin/* PUx,
+ /sbin/* PUx,
+ /usr/bin/* PUx,
+ /usr/sbin/* PUx,
+ /lib/udev/scsi_id PUx,
+ /usr/lib/xen-common/bin/xen-toolstack PUx,
+
+ # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
+ # write and run an ebtables script.
+ /var/lib/libvirt/virtd* ixr,
+
+ # force the use of virt-aa-helper
+ audit deny /sbin/apparmor_parser rwxl,
+ audit deny /etc/apparmor.d/libvirt/** wxl,
+ audit deny /sys/kernel/security/apparmor/features rwxl,
+ audit deny /sys/kernel/security/apparmor/matching rwxl,
+ audit deny /sys/kernel/security/apparmor/.* rwxl,
+ /sys/kernel/security/apparmor/profiles r,
+ /usr/lib/libvirt/* PUxr,
+ /etc/libvirt/hooks/** rmix,
+ /etc/xen/scripts/** rmix,
+
+ # allow changing to our UUID-based named profiles
+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
+}
diff -Nru libvirt-1.2.0/debian/control libvirt-1.2.0/debian/control
--- libvirt-1.2.0/debian/control 2013-12-28 11:30:35.000000000 +0100
+++ libvirt-1.2.0/debian/control 2014-01-03 20:51:20.000000000 +0100
@@ -37,6 +37,7 @@
 libsanlock-dev [linux-any],
 libaudit-dev [linux-any],
 libselinux1-dev (>= 2.0.82) [linux-any],
+ libapparmor-dev [linux-any],
 systemtap-sdt-dev [amd64 armel armhf i386 ia64 powerpc s390],
 # for --with-storage-sheepdog
 sheepdog [linux-any],
@@ -76,7 +77,7 @@
 iproute,
 parted,
 pm-utils
-Suggests: policykit-1, radvd, auditd, systemtap, systemd
+Suggests: policykit-1, radvd, auditd, systemtap, systemd, apparmor
 Breaks: avahi-daemon (<< 0.6.31-3~)
 Description: programs for the libvirt library
 Libvirt is a C toolkit to interact with the virtualization capabilities
diff -Nru libvirt-1.2.0/debian/libvirt-bin.cron.daily libvirt-1.2.0/debian/libvirt-bin.cron.daily
--- libvirt-1.2.0/debian/libvirt-bin.cron.daily 1970-01-01 01:00:00.000000000 +0100
+++ libvirt-1.2.0/debian/libvirt-bin.cron.daily 2012-12-05 23:37:34.000000000 +0100
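Review bot: The "force the use of virt-aa-helper" block denies writes only under `/etc/apparmor.d/libvirt/**`, but the `/** rwmkl,` rule above it still lets libvirtd rewrite `/etc/apparmor.d/abstractions/libvirt-qemu` (and `tunables/`), which virt-aa-helper includes into every per-domain profile it then has `/sbin/apparmor_parser` load — so a compromised libvirtd can still loosen guest confinement indirectly, which is exactly what the deny block is meant to prevent. Nothing in this hunk shows libvirtd itself needing to write anywhere under `/etc/apparmor.d/` (virt-aa-helper runs under its own profile via `/usr/lib/libvirt/* PUxr,`), so `audit deny /etc/apparmor.d/** wxl,` in place of the `libvirt/**` rule would close that path; please confirm against the apparmor security driver's write paths before tightening. The profile is explicitly lenient per its own comment, but this is the one spot where the lenience undercuts the guest-side guarantee the package is adding.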
@@ -0,0 +1,38 @@
+#!/bin/sh
+#
+# clean out AppArmor profiles for virtual machines that no longer exist
+#
+set -e
+
+PROFILES_DIR="/etc/apparmor.d/libvirt"
+AA_PROFILES="/sys/kernel/security/apparmor/profiles"
+
+uuids=""
+remove_if_unused() {
+ uuid=`basename "$1" | sed 's/libvirt-//' | egrep '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'` || return
+
+ # don't remove a profile for an existing VM
+ echo "$uuids" | grep -q "$uuid" && return
+
+ # don't remove a loaded profile
+ if [ -e "$AA_PROFILES" ] && grep -q "$uuid" "$AA_PROFILES" ; then
+ return
+ fi
+
+ find $PROFILES_DIR -name "libvirt-${uuid}*" -prune -type f -exec rm -f -- '{}' \;
+}
+
+# read in all existing uuids
+for i in /etc/libvirt/qemu/*.xml ; do
+ if [ -r "$i" ]; then
+ uuid=`grep '<uuid>' "$i" | sed 's#.*<uuid>\(.*\)</uuid>.*#\1#'`
+ uuids="$uuids $uuid"
+ fi
+done
+
+for i in "$PROFILES_DIR"/libvirt-* ; do
+ if [ -r "$i" ]; then
+ basename "$i" | egrep -q '\.' && continue
+ remove_if_unused "$i" || true
+ fi
+done
diff -Nru libvirt-1.2.0/debian/libvirt-bin.postinst libvirt-1.2.0/debian/libvirt-bin.postinst
--- libvirt-1.2.0/debian/libvirt-bin.postinst 2013-12-17 23:14:46.000000000 +0100
+++ libvirt-1.2.0/debian/libvirt-bin.postinst 2014-01-03 19:08:53.000000000 +0100
@@ -123,6 +123,13 @@
 for dir in qemu uml lxc; do
 touch /var/log/libvirt/"${dir}"/.placeholder
 done
+
+ for p in usr.sbin.libvirtd usr.lib.libvirt.virt-aa-helper ; do
+ profile="/etc/apparmor.d/$p"
+ if [ -f "$profile" ] && aa-status --enabled 2>/dev/null; then
+ apparmor_parser -r "$profile" || true
+ fi
+ done
 ;;
 abort-upgrade|abort-remove|abort-deconfigure)
diff -Nru libvirt-1.2.0/debian/libvirt-bin.postrm libvirt-1.2.0/debian/libvirt-bin.postrm
--- libvirt-1.2.0/debian/libvirt-bin.postrm 2013-12-17 23:14:46.000000000 +0100
+++ libvirt-1.2.0/debian/libvirt-bin.postrm 2014-01-03 16:57:29.000000000 +0100
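Review bot: The sweep collects live UUIDs only from `/etc/libvirt/qemu/*.xml`, so a profile for a stopped transient domain, or for any non-qemu domain, survives only via the loaded-profile check against `$AA_PROFILES`; that may well be intended for this driver, but a comment such as `# only qemu domains are tracked here; loaded profiles are never removed` above the first loop would stop the next reader from treating it as an oversight. Style-wise, `egrep` and backticks are legacy spellings of `grep -E` and `$(...)`, and `find $PROFILES_DIR` is the one unquoted expansion in an otherwise consistently quoted script. Since the intent is to delete only matching files directly in the profiles directory, `find "$PROFILES_DIR" -maxdepth 1 -name "libvirt-${uuid}*" -type f -exec rm -f -- '{}' \;` states that directly instead of relying on `-prune`, which only stops descent into directories whose names match.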
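Review bot: `apparmor_parser -r "$profile"` runs whenever the file exists and AppArmor is enabled, which ignores an administrator's `/etc/apparmor.d/disable/<profile>` symlink — the very marker the postrm hunk later cleans up — so an upgrade re-enables a profile the admin deliberately disabled, and (as far as I can tell from the flags used) loads a force-complain profile in enforce mode. Skipping the load when the marker exists, `[ -e "/etc/apparmor.d/disable/$p" ] && continue` before the parser call, or delegating to dh_apparmor if dh-apparmor is available for the target release, avoids both. Note also that `apparmor` is only Suggested; when `aa-status` is absent the `2>/dev/null` hides that nothing was loaded, so a one-line `echo` to stderr in that case would make a silently unconfined libvirtd easier to spot. The per-domain profiles under `/etc/apparmor.d/libvirt/`, which include the shipped `libvirt-qemu` abstraction, are not reloaded here; whether running guests pick up an updated abstraction before their next start is worth documenting in NEWS.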
@@ -34,6 +34,11 @@
 fi
 rm -rf /var/log/libvirt
+
+ for f in usr.sbin.libvirtd usr.lib.libvirt.virt-aa-helper ; do
+ rm -f /etc/apparmor.d/force-complain/$f >/dev/null 2>&1 || true
+ rm -f /etc/apparmor.d/disable/$f >/dev/null 2>&1 || true
+ done
 ;;
 remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
 ;;
diff -Nru libvirt-1.2.0/debian/rules libvirt-1.2.0/debian/rules
--- libvirt-1.2.0/debian/rules 2013-12-28 11:27:15.000000000 +0100
+++ libvirt-1.2.0/debian/rules 2014-01-03 20:53:21.000000000 +0100
@@ -30,6 +30,7 @@
 WITH_INIT_SCRIPT = --with-init-script=systemd
 WITH_AUDIT = --with-audit
 WITH_SELINUX = --with-selinux --with-secdriver-selinux
+ WITH_APPARMOR = --with-apparmor --with-secdriver-apparmor
 ifneq (,$(findstring $(DEB_HOST_ARCH), amd64 armel armhf i386 ia64 powerpc s390))
 WITH_DTRACE = --with-dtrace
 else
@@ -63,6 +64,7 @@
 WITH_INIT_SCRIPT = --with-init-script=none
 WITH_AUDIT = --without-audit
 WITH_SELINUX = --without-selinux
+ WITH_APPARMOR = --without-apparmor
 WITH_DTRACE = --without-dtrace
 WITH_XEN = --without-xen
 WITH_LIBXL = --without-libxl
@@ -91,6 +93,7 @@
 $(WITH_INIT_SCRIPT) \
 $(WITH_NUMA) \
 $(WITH_SELINUX) \
+ $(WITH_APPARMOR) \
 --without-esx \
 --without-phyp \
 $(WITH_CAPNG) \
@@ -110,6 +113,8 @@
 LOGROTATE = $(basename $(basename $(notdir $(wildcard daemon/libvirtd*.logrotate.in))))
 EXAMPLES_DIR = $(CURDIR)/debian/libvirt-doc/usr/share/doc/libvirt-doc/examples/
+DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
+
 %:
 dh $@ --builddirectory=$(DEB_BUILDDIR)
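Review bot: On purge the new loop removes only the `force-complain` and `disable` markers; the profiles already loaded into the kernel stay active until reboot, and the per-domain `libvirt-<uuid>` files that virt-aa-helper generates under `/etc/apparmor.d/libvirt/` at runtime are not conffiles, so dpkg leaves them (and the directory) behind after the package is gone. Since dpkg has already deleted the shipped conffiles by the time `postrm purge` runs, unloading has to happen in prerm (`apparmor_parser -R /etc/apparmor.d/$f || true`) or via the `/sys/kernel/security/apparmor/.remove` interface by profile name here; an `rm -rf /etc/apparmor.d/libvirt` in this purge branch would take care of the generated profiles. The `>/dev/null 2>&1` on `rm -f` is redundant — `rm -f` is already silent on missing files — and hides genuine permission errors.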
@@ -150,6 +155,17 @@
 # Don't ship api files in the daemon package
 rm -r debian/libvirt-bin/usr/share/libvirt/api/
+ifeq ($(DEB_HOST_ARCH_OS),linux)
+ cp debian/tmp/usr/lib/libvirt/virt-aa-helper debian/libvirt-bin/usr/lib/libvirt
+ mkdir -p debian/libvirt-bin/etc/apparmor.d/abstractions debian/libvirt-bin/etc/apparmor.d/libvirt
+ mkdir -p debian/libvirt-bin/etc/apparmor.d/local
+ cp debian/apparmor/libvirt-qemu debian/libvirt-bin/etc/apparmor.d/abstractions
+ cp debian/apparmor/usr.lib.libvirt.virt-aa-helper debian/libvirt-bin/etc/apparmor.d
+ cp debian/apparmor/usr.sbin.libvirtd debian/libvirt-bin/etc/apparmor.d
+ cp debian/apparmor/local-usr.sbin.libvirtd debian/libvirt-bin/etc/apparmor.d/local/usr.sbin.libvirtd
+ cp debian/apparmor/TEMPLATE debian/libvirt-bin/etc/apparmor.d/libvirt
+endif
+
 override_dh_installinit:
 dh_systemd_enable
 dh_installinit --name=libvirt-bin --no-restart-on-upgrade -- defaults 28 72
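Review bot: Installing virt-aa-helper and the five profile files with bare `cp` into `debian/libvirt-bin` bypasses dh_install, so the result inherits whatever mode the source tree happens to carry and is invisible to `dh_install --list-missing`; `install -m 0644 debian/apparmor/libvirt-qemu debian/libvirt-bin/etc/apparmor.d/abstractions/` (and `install -m 0755` for the helper), or entries in a `debian/libvirt-bin.install` file, make the modes explicit. The collapsed diff does not show the whitespace, so please confirm that `ifeq`/`endif` sit at column 0 and every line between them starts with a hard tab — a space-indented `ifeq` inside a recipe would be handed to the shell and fail the build. A short comment above the block, e.g. `# TEMPLATE is read by virt-aa-helper; everything else in /etc/apparmor.d/libvirt is generated per domain and swept by the cron job`, would explain why TEMPLATE lives in the same directory the cron.daily script deletes from. The override target this hunk belongs to begins before the hunk.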