AppArmor: add rules needed with additional mediation features brought by Linux 4.14.

author intrigeri <intrigeri+libvirt@boum.org>

Sun, 19 Nov 2017 14:57:33 +0000 (14:57 +0000)

committer Guido Günther <agx@sigxcpu.org>

Sun, 19 Nov 2017 18:16:27 +0000 (19:16 +0100)
author intrigeri <intrigeri+libvirt@boum.org>
Sun, 19 Nov 2017 14:57:33 +0000 (14:57 +0000)
committer Guido Günther <agx@sigxcpu.org>
Sun, 19 Nov 2017 18:16:27 +0000 (19:16 +0100)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu

index 064501f08ec65dd6eea9c51ac6d719badc22166b..73bdbae87253e1e6347805fa8c0ea4af10acb4f5 100644 (file)
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -16,6 +16,10 @@
    network inet stream,
    network inet6 stream,
  
+  ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
+
+  signal (receive) peer=/usr/sbin/libvirtd,
+
    /dev/net/tun rw,
    /dev/kvm rw,
    /dev/ptmx rw,
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd

index 819068ffc32b6c884b63ab6b04bfdee142d331c7..12b9d45bf0534a2bf2d2c68b56458fb76aa96d6e 100644 (file)
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -34,6 +34,7 @@
    network inet dgram,
    network inet6 stream,
    network inet6 dgram,
+  network netlink raw,
    network packet dgram,
    network packet raw,
  
@@ -42,6 +43,9 @@
    ptrace (trace) peer=/usr/sbin/dnsmasq,
    ptrace (trace) peer=libvirt-*,
  
+  signal (send) peer=/usr/sbin/dnsmasq,
+  signal (read, send) peer=libvirt-*,
+
    # Very lenient profile for libvirtd since we want to first focus on confining
    # the guests. Guests will have a very restricted profile.
    / r,
author	intrigeri <intrigeri+libvirt@boum.org>
	Sun, 19 Nov 2017 14:57:33 +0000 (14:57 +0000)
committer	Guido Günther <agx@sigxcpu.org>
	Sun, 19 Nov 2017 18:16:27 +0000 (19:16 +0100)
examples/apparmor/libvirt-qemu		patch \| blob \| blame \| history
examples/apparmor/usr.sbin.libvirtd		patch \| blob \| blame \| history