public inbox for passt-dev@passt.top
 help / color / mirror / code / Atom feed
From: Stefano Brivio <sbrivio@redhat.com>
To: Andrea Bolognani <abologna@redhat.com>
Cc: Prafulla Giri <prafulla.giri@protonmail.com>,
	"passt-dev@passt.top" <passt-dev@passt.top>
Subject: Re: Apparmor (and other) Issues
Date: Tue, 4 Feb 2025 20:14:48 +0100	[thread overview]
Message-ID: <20250204201448.0bf3f7a3@elisabeth> (raw)
In-Reply-To: <CABJz62MeCkdxQh0j557EOvGEOJjiVr7ph9zPTK1vp=5vY9OBFA@mail.gmail.com>

On Tue, 4 Feb 2025 18:46:37 +0000
Andrea Bolognani <abologna@redhat.com> wrote:

> On Tue, Feb 04, 2025 at 05:22:42PM +0100, Stefano Brivio wrote:
> > On Tue, 4 Feb 2025 15:50:43 +0000 Andrea Bolognani <abologna@redhat.com> wrote:  
> > > The additional profiles (libvirt-1cdfdfd3-a020-45d9-8f88-8e0ce31745c4
> > > and its passt subprofile) are generated dynamically when the VM is
> > > started and the QEMU process gets the correct one assigned to it. So
> > > far so good.  
> >
> > Why do we need additional profiles, I wonder? Are we trying to
> > replicate the MCS (Multi-Category Security) stuff from SELinux?  
> 
> I'm not well-versed enough in SELinux to be able to answer the latter
> question, but I can answer the former. The per-VM profile is needed
> to ensure that each VM is only granted access to its own resources.
> 
>   $ sudo tail -4
> /etc/apparmor.d/libvirt/libvirt-1cdfdfd3-a020-45d9-8f88-8e0ce31745c4
>   profile libvirt-1cdfdfd3-a020-45d9-8f88-8e0ce31745c4
> flags=(attach_disconnected) {
>     #include <abstractions/libvirt-qemu>
>     #include if exists
> <libvirt/libvirt-1cdfdfd3-a020-45d9-8f88-8e0ce31745c4.files>
>   }
> 
>   $ sudo cat /etc/apparmor.d/libvirt/libvirt-1cdfdfd3-a020-45d9-8f88-8e0ce31745c4.files
>     "/var/log/libvirt/**/alpine.log" w,
>     "/var/lib/libvirt/qemu/domain-alpine/monitor.sock" rw,
>     "/var/lib/libvirt/qemu/domain-1-alpine/*" rw,
>     "/run/libvirt/**/alpine.pid" rwk,
>     "/run/libvirt/**/*.tunnelmigrate.dest.alpine" rw,
>     "/var/lib/libvirt/images/alpine.qcow2" rwk,
>     "/var/lib/libvirt/qemu/domain-1-alpine/{,**}" rwk,
>     "/run/libvirt/qemu/channel/1-alpine/{,**}" rwk,
>     "/var/lib/libvirt/qemu/domain-1-alpine/master-key.aes" rwk,
>     "/dev/userfaultfd" rwk,
> 
> The stuff in the libvirt-qemu abstraction is generic, all VMs get
> access to it. The stuff in .files is all specific to the VM.

Ah, thanks, it never occurred to me to look into that. So, yes,
essentially the same thing as it's done with MCS and SELinux.

> > > Do you have any ideas?  
> >
> > Probably you should ask somebody more familiar (openSUSE/Ubuntu
> > maintainers of libvirt, or the authors of the virt-aa-helper thing?),
> > but a couple of quick ideas:
> >
> > 1. user-specific subprofiles could be added at adduser time (is there a
> >    hook?) and libvirtd could use aa_change_hat(2) to select the
> >    appropriate one based on UID
> >
> > 2. (most reasonable I think) don't use per-VM profiles for the rootless
> >    case. Define a single "libvirt-user" (or "libvirt-session") profile
> >    and use that. We could copy it from the existing ones I suppose.  
> 
> Sounds to me like this would require granting the QEMU process access
> to roughly the entire filesystem? The disk image could live anywhere
> after all, and if we can't dynamically add a rule for the exact path
> the only way out is a free-for-all approach.

Right. That's what we did for libguestfs as well, the image can be
*almost* anywhere. But it's not free-for-all: you're just granting
*limited* filesystem access (not to sysfs, not to /etc, and so on).

And I had to build a *very* loose profile for libguestfs because that
applies to root as well, but for rootless libvirtd, it might even make
sense to restrict access to just @{HOME}/** and /tmp/** (that's what I
did for stand-alone passt, for example).

> > I think that MCS-equivalent functionality is anyway much less critical
> > if guests are started as unprivileged users because you have a strong
> > separation given by the fact that guests are started as different users.
> >
> > If all the guests are started as root, and multiple users have access
> > to that facility, user separation is much more seriously endangered,
> > hence a stronger need for per-VM profiles.  
> 
> Ideally you'd still want to isolate unprivileged VMs from each other.
> If you don't, what's the point of using AppArmor in the first place?

Well, you are still restricting them significantly, for example they
can't run random binaries, send arbitrary signals to other processes
or to each other, and access a ton of places on the filesystem.

Perhaps that's even more important than curbing filesystem access,
because that should already be significantly restricted.

> > I can try to work on this but I'm really a bit too busy right now. If
> > you can, great, otherwise, let me know. On the other hand this feels
> > pretty urgent. :(  
> 
> I'm afraid I have neither the time nor the expertise to work on this
> myself.

I'll try to submit a pull request at least for Debian in a couple of
days. I guess it would be nice if you could ask other maintainers
meanwhile.

-- 
Stefano


  reply	other threads:[~2025-02-04 19:14 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <gfnJ5_aKhxXif2AlacEZIAO3UgiyKhgfDhlg7-FWBbkXttL891Y9k0zClSeYZiLN8JkMF9Z_pprz9f3w88cjZTkHL42cjar9boCCIuS6B08=@protonmail.com>
2025-01-29  9:41 ` Apparmor (and other) Issues Stefano Brivio
2025-01-29 18:10   ` Prafulla Giri
2025-01-29 18:48     ` Stefano Brivio
2025-01-30 10:05       ` Prafulla Giri
2025-01-31 20:20         ` Stefano Brivio
     [not found]           ` <NNMPy6qrSrpU0VFxOsd8tUnJFDsz_Ychl7WAxOB1aYfyRCjzTG4uzNEGZLkHUa_NnxCEAL_X1lhnySdZ_1i2ZMxuVK0zDHa-YLex3O5fhRw=@protonmail.com>
2025-02-02 14:40             ` Prafulla Giri
2025-02-03  8:35             ` Stefano Brivio
     [not found]               ` <0gHPSAbajW7n2zyIE-8k2vez7nkpAHQOnP4p6yfc6i5v948AExss0zBAYKF-92Yqf90DhAg3Xx9u19aw4TtSQLnpNgvCEa--wkPTL0PDdnM=@protonmail.com>
2025-02-04  8:50                 ` Stefano Brivio
2025-02-04  9:50                   ` Andrea Bolognani
2025-02-04 10:17                     ` Stefano Brivio
2025-02-04 15:50                       ` Andrea Bolognani
2025-02-04 16:22                         ` Stefano Brivio
2025-02-04 18:46                           ` Andrea Bolognani
2025-02-04 19:14                             ` Stefano Brivio [this message]
2025-02-04 22:19                               ` Andrea Bolognani
2025-02-04 22:34                                 ` Stefano Brivio
2025-02-05  7:40                                   ` Prafulla Giri
2025-02-05 10:16                                     ` Stefano Brivio
2025-02-07  6:49                                       ` Prafulla Giri
2025-02-07  9:16                                         ` Stefano Brivio

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250204201448.0bf3f7a3@elisabeth \
    --to=sbrivio@redhat.com \
    --cc=abologna@redhat.com \
    --cc=passt-dev@passt.top \
    --cc=prafulla.giri@protonmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
Code repositories for project(s) associated with this public inbox

	https://passt.top/passt

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).