apparmor: allow expected /tmp access patterns

Several cases were found needing /tmp, for example ceph will try to list /tmp
This is a compromise of security and usability:
 - we only allow generally enumerating the base dir
 - enumerating anything deeper in the dir is at least guarded by the
   "owner" restriction, but while that protects files of other services
   it won't protect qemu instances against each other as they usually run
   with the same user.
 - even with the owner restriction we only allow read for the wildcard
   path

Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 5caf14e418aeddecf65da3c6f451974a4c05c1f0..eaa5167525a2167075d10797c619dcbdda110732 100644 (file)
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -180,6 +180,19 @@
   # for rbd
   /etc/ceph/ceph.conf r,
 
+  # Various functions will need to enumerate /tmp (e.g. ceph), allow the base
+  # dir and a few known functions like samba support.
+  # We want to avoid to give blanket rw permission to everything under /tmp,
+  # users are expected to add site specific addons for more uncommon cases.
+  # Qemu processes usually all run as the same users, so the "owner"
+  # restriction prevents access to other services files, but not across
+  # different instances.
+  # This is a tradeoff between usability and security - if paths would be more
+  # predictable that would be preferred - at least for write rules we would
+  # want more unique paths per rule.
+  /{,var/}tmp/ r,
+  owner /{,var/}tmp/**/ r,
+
   # for file-posix getting limits since 9103f1ce
   /sys/devices/**/block/*/queue/max_segments r,