Attachment #407768 for bug #554628




	TEMPLATE.lxc			\
	libvirt-qemu			\
	libvirt-lxc 			\
	usr.libexec.virt-aa-helper	\
	usr.sbin.libvirtd

if WITH_APPARMOR_PROFILES
apparmordir = $(sysconfdir)/apparmor.d/
apparmor_DATA = \
	usr.libexec.virt-aa-helper \
	usr.sbin.libvirtd \
	$(NULL)





	TEMPLATE.lxc			\
	libvirt-qemu			\
	libvirt-lxc 			\
	usr.libexec.virt-aa-helper	\
	usr.sbin.libvirtd

@WITH_APPARMOR_PROFILES_TRUE@apparmordir = $(sysconfdir)/apparmor.d/
@WITH_APPARMOR_PROFILES_TRUE@apparmor_DATA = \
@WITH_APPARMOR_PROFILES_TRUE@	usr.libexec.virt-aa-helper \
@WITH_APPARMOR_PROFILES_TRUE@	usr.sbin.libvirtd \
@WITH_APPARMOR_PROFILES_TRUE@	$(NULL)





# Last Modified: Mon Apr  5 15:10:27 2010
#include <tunables/global>

profile virt-aa-helper /usr/libexec/virt-aa-helper {
  #include <abstractions/base>

  # needed for searching directories
  capability dac_override,
  capability dac_read_search,

  # needed for when disk is on a network filesystem
  network inet,

  deny @{PROC}/[0-9]*/mounts r,
  @{PROC}/[0-9]*/net/psched r,
  owner @{PROC}/[0-9]*/status r,
  @{PROC}/filesystems r,

  # for hostdev
  /sys/devices/ r,
  /sys/devices/** r,

  /usr/libexec/virt-aa-helper mr,
  /sbin/apparmor_parser Ux,

  /etc/apparmor.d/libvirt/* r,
  /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,

  # for backingstore -- allow access to non-hidden files in @{HOME} as well
  # as storage pools
  audit deny @{HOME}/.* mrwkl,
  audit deny @{HOME}/.*/ rw,
  audit deny @{HOME}/.*/** mrwkl,
  audit deny @{HOME}/bin/ rw,
  audit deny @{HOME}/bin/** mrwkl,
  @{HOME}/ r,
  @{HOME}/** r,
  /var/lib/libvirt/images/ r,
  /var/lib/libvirt/images/** r,
  /{media,mnt,opt,srv}/** r,

  /**.img r,
  /**.qcow{,2} r,
  /**.qed r,
  /**.vmdk r,
  /**.[iI][sS][oO] r,
  /**/disk{,.*} r,
}




# Last Modified: Mon Apr  5 15:10:27 2010
#include <tunables/global>

profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
  #include <abstractions/base>

  # needed for searching directories
  capability dac_override,
  capability dac_read_search,

  # needed for when disk is on a network filesystem
  network inet,

  deny @{PROC}/[0-9]*/mounts r,
  @{PROC}/[0-9]*/net/psched r,
  owner @{PROC}/[0-9]*/status r,
  @{PROC}/filesystems r,

  # for hostdev
  /sys/devices/ r,
  /sys/devices/** r,

  /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
  /sbin/apparmor_parser Ux,

  /etc/apparmor.d/libvirt/* r,
  /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,

  # for backingstore -- allow access to non-hidden files in @{HOME} as well
  # as storage pools
  audit deny @{HOME}/.* mrwkl,
  audit deny @{HOME}/.*/ rw,
  audit deny @{HOME}/.*/** mrwkl,
  audit deny @{HOME}/bin/ rw,
  audit deny @{HOME}/bin/** mrwkl,
  @{HOME}/ r,
  @{HOME}/** r,
  /var/lib/libvirt/images/ r,
  /var/lib/libvirt/images/** r,
  /{media,mnt,opt,srv}/** r,

  /**.img r,
  /**.qcow{,2} r,
  /**.qed r,
  /**.vmdk r,
  /**.[iI][sS][oO] r,
  /**/disk{,.*} r,
}

Lines 60-65 Link Here

(-)libvirt-1.2.17-orig/examples/apparmor/usr.sbin.libvirtd (+1 lines)
60	/usr/{lib,lib64}/libvirt/* PUxr,	60	/usr/{lib,lib64}/libvirt/* PUxr,
61	/usr/{lib,lib64}/libvirt/libvirt_parthelper ix,	61	/usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
62	/usr/{lib,lib64}/libvirt/libvirt_iohelper ix,	62	/usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
		63	/usr/libexec/libvirt_iohelper ix,
63	/etc/libvirt/hooks/** rmix,	64	/etc/libvirt/hooks/** rmix,
64	/etc/xen/scripts/** rmix,	65	/etc/xen/scripts/** rmix,
65		66

Return to bug 554628

Lines 1762-1773 Link Here

(-)libvirt-1.2.17-orig/examples/apparmor/Makefile.in (-2 / +2 lines)
1762	TEMPLATE.lxc \	1762	TEMPLATE.lxc \
1763	libvirt-qemu \	1763	libvirt-qemu \
1764	libvirt-lxc \	1764	libvirt-lxc \
1765	usr.lib.libvirt.virt-aa-helper \	1765	usr.libexec.virt-aa-helper \
1766	usr.sbin.libvirtd	1766	usr.sbin.libvirtd
1767		1767
1768	@WITH_APPARMOR_PROFILES_TRUE@apparmordir = $(sysconfdir)/apparmor.d/	1768	@WITH_APPARMOR_PROFILES_TRUE@apparmordir = $(sysconfdir)/apparmor.d/
1769	@WITH_APPARMOR_PROFILES_TRUE@apparmor_DATA = \	1769	@WITH_APPARMOR_PROFILES_TRUE@apparmor_DATA = \
1770	@WITH_APPARMOR_PROFILES_TRUE@ usr.lib.libvirt.virt-aa-helper \	1770	@WITH_APPARMOR_PROFILES_TRUE@ usr.libexec.virt-aa-helper \
1771	@WITH_APPARMOR_PROFILES_TRUE@ usr.sbin.libvirtd \	1771	@WITH_APPARMOR_PROFILES_TRUE@ usr.sbin.libvirtd \
1772	@WITH_APPARMOR_PROFILES_TRUE@ $(NULL)	1772	@WITH_APPARMOR_PROFILES_TRUE@ $(NULL)
1773		1773

Line 0 Link Here

(-)libvirt-1.2.17-orig/examples/apparmor/usr.libexec.virt-aa-helper (+48 lines)
	1	# Last Modified: Mon Apr 5 15:10:27 2010
	2	#include <tunables/global>
	3
	4	profile virt-aa-helper /usr/libexec/virt-aa-helper {
	5	#include <abstractions/base>
	6
	7	# needed for searching directories
	8	capability dac_override,
	9	capability dac_read_search,
	10
	11	# needed for when disk is on a network filesystem
	12	network inet,
	13
	14	deny @{PROC}/[0-9]*/mounts r,
	15	@{PROC}/[0-9]*/net/psched r,
	16	owner @{PROC}/[0-9]*/status r,
	17	@{PROC}/filesystems r,
	18
	19	# for hostdev
	20	/sys/devices/ r,
	21	/sys/devices/** r,
	22
	23	/usr/libexec/virt-aa-helper mr,
	24	/sbin/apparmor_parser Ux,
	25
	26	/etc/apparmor.d/libvirt/* r,
	27	/etc/apparmor.d/libvirt/libvirt-[0-9a-f]-[0-9a-f]-[0-9a-f]-[0-9a-f]-[0-9a-f]* rw,
	28
	29	# for backingstore -- allow access to non-hidden files in @{HOME} as well
	30	# as storage pools
	31	audit deny @{HOME}/.* mrwkl,
	32	audit deny @{HOME}/.*/ rw,
	33	audit deny @{HOME}/./* mrwkl,
	34	audit deny @{HOME}/bin/ rw,
	35	audit deny @{HOME}/bin/** mrwkl,
	36	@{HOME}/ r,
	37	@{HOME}/** r,
	38	/var/lib/libvirt/images/ r,
	39	/var/lib/libvirt/images/** r,
	40	/{media,mnt,opt,srv}/** r,
	41
	42	/**.img r,
	43	/**.qcow{,2} r,
	44	/**.qed r,
	45	/**.vmdk r,
	46	/**.[iI][sS][oO] r,
	47	/*/disk{,.} r,
	48	}