authorStefano Brivio <sbrivio@redhat.com>2023-09-06 22:55:22 +0200
committerStefano Brivio <sbrivio@redhat.com>2023-09-07 00:31:35 +0200
commit63a8302961a421a67d38c52285be3c2ef149e6cc (patch)
tree384ac04edfece1f9622faad94be6801afbb21e23 /contrib/apparmor
parentabf5ef6c22d2e6fce0f0abe398a2c18b70ca6290 (diff)
apparmor: Add pasta's own profile
If pasta and pasta.avx2 are hard links to passt and passt.avx2, AppArmor will attach their own profiles on execution, and we can restrict passt's profile to what it actually needs. Note that pasta needs to access all the resources that passt needs, so the pasta abstraction still includes passt's one. I plan to push the adaptation required for the Debian package in commit 5bb812e79143 ("debian/rules: Override pasta symbolic links with hard links"), on Salsa. If other distributions need to support AppArmor profiles they can follow a similar approach. The profile itself will be installed, there, via dh_apparmor, in a separate commit, b52557fedcb1 ("debian/rules: Install new pasta profile using dh_apparmor"). Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'contrib/apparmor')
-rw-r--r--contrib/apparmor/abstractions/pasta2
-rw-r--r--contrib/apparmor/usr.bin.passt12
-rw-r--r--contrib/apparmor/usr.bin.pasta27
3 files changed, 31 insertions, 10 deletions
diff --git a/contrib/apparmor/abstractions/pasta b/contrib/apparmor/abstractions/pasta
index 05c5d46..a890391 100644
--- a/contrib/apparmor/abstractions/pasta
+++ b/contrib/apparmor/abstractions/pasta
@@ -40,3 +40,5 @@
owner @{PROC}/sys/net/ipv4/ping_group_range w, # pasta_spawn_cmd(), pasta.c
/{usr/,}bin/** Ux,
+
+ /usr/bin/pasta.avx2 ix, # arch_avx2_exec(), arch.c
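Review bot: The new `ix` rule names the binary as a bare `/usr/bin/pasta.avx2`, while the neighbouring exec rule two lines above uses the `/{usr/,}bin/` alternation, so a `pasta.avx2` reached through `/bin` would be matched only by the `/{usr/,}bin/** Ux,` glob and run unconfined instead of inheriting this profile; the profile attachment in usr.bin.pasta is likewise `/usr/bin` only, so this may be deliberate, but the two path forms in one abstraction read as an oversight. If the intent is that the AVX2 re-exec from arch_avx2_exec() always stays confined, spell the rule the same way as its neighbour, `/{usr/,}bin/pasta.avx2 ix, # arch_avx2_exec(), arch.c`, and add a one-line comment stating that this exact-path rule is meant to take precedence over the `Ux` glob for the same path (I cannot tell from the hunk whether the parser accepts that overlap without a conflicting-x-modifier error, so it is worth confirming with apparmor_parser). The abstraction's block starts before this hunk.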
diff --git a/contrib/apparmor/usr.bin.passt b/contrib/apparmor/usr.bin.passt
index 652051d..564f82f 100644
--- a/contrib/apparmor/usr.bin.passt
+++ b/contrib/apparmor/usr.bin.passt
@@ -6,7 +6,7 @@
# PASTA - Pack A Subtle Tap Abstraction
# for network namespace/tap device mode
#
-# contrib/apparmor/usr.bin.passt - AppArmor profile for passt(1) and pasta(1)
+# contrib/apparmor/usr.bin.passt - AppArmor profile for passt(1)
#
# Copyright (c) 2022 Red Hat GmbH
# Author: Stefano Brivio <sbrivio@redhat.com>
@@ -15,13 +15,7 @@ abi <abi/3.0>,
include <tunables/global>
-profile passt /usr/bin/passt{,.avx2} flags=(attach_disconnected) {
- ### TODO: AppArmor doesn't give us the chance to attach a separate profile
- ### depending on the executable symlink. That's possible with SELinux. Two
- ### alternatives: implement that in AppArmor, or consider aa_change_hat(2).
- ### With this, rules for passt(1) could be restricted significantly. Note that
- ### the attach_disconnected flag is not needed for passt(1).
-
+profile passt /usr/bin/passt{,.avx2} {
include <abstractions/passt>
# Alternatively: include <abstractions/user-tmp>
@@ -30,6 +24,4 @@ profile passt /usr/bin/passt{,.avx2} flags=(attach_disconnected) {
# logfile_init()
owner @{HOME}/** w, # pcap(), write_pidfile()
-
- include <abstractions/pasta>
}
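Review bot: Nothing in usr.bin.passt records that the stricter profile is only safe when pasta(1) is a hard link, as the commit description requires: if a distribution still ships pasta as a symlink to passt, the kernel attaches this profile to pasta, and the namespace, ping_group_range and `/{usr/,}bin/**` exec rules that moved to abstractions/pasta are then denied under enforcement, with attach_disconnected gone as well. I would add, after the `# contrib/apparmor/usr.bin.passt - AppArmor profile for passt(1)` header line, `# pasta(1) and pasta.avx2 must be hard links to passt, not symlinks, so that` `# their own profile (usr.bin.pasta) attaches instead of this one.` The same hard-link note belongs in the header of the new usr.bin.pasta file, since a reader of that file alone cannot see why a separate profile attaches at all.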
diff --git a/contrib/apparmor/usr.bin.pasta b/contrib/apparmor/usr.bin.pasta
new file mode 100644
index 0000000..e5ee4df
--- /dev/null
+++ b/contrib/apparmor/usr.bin.pasta
@@ -0,0 +1,27 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# PASST - Plug A Simple Socket Transport
+# for qemu/UNIX domain socket mode
+#
+# PASTA - Pack A Subtle Tap Abstraction
+# for network namespace/tap device mode
+#
+# contrib/apparmor/usr.bin.pasta - AppArmor profile for pasta(1)
+#
+# Copyright (c) 2022 Red Hat GmbH
+# Author: Stefano Brivio <sbrivio@redhat.com>
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile pasta /usr/bin/pasta{,.avx2} flags=(attach_disconnected) {
+ include <abstractions/pasta>
+
+ # Alternatively: include <abstractions/user-tmp>
+ owner /tmp/** w, # tap_sock_unix_init(), pcap(),
+ # write_pidfile(),
+ # logfile_init()
+
+ owner @{HOME}/** w, # pcap(), write_pidfile()
+}
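Review bot: The new profile keeps `flags=(attach_disconnected)` on the `profile pasta` line without saying why, even though the removed TODO in usr.bin.passt explicitly noted the flag is not needed for passt(1); the reason is presumably that pasta enters the target namespaces (the ping_group_range rule in abstractions/pasta points at pasta_spawn_cmd(), pasta.c) and then touches paths that are disconnected from this profile's namespace root, but that is inferred, not visible here. I would add above the profile line `# attach_disconnected: paths opened after entering the target namespaces are not` `# connected to the host root — confirm against pasta_spawn_cmd(), pasta.c`. Note also that the `owner /tmp/** w,` and `owner @{HOME}/** w,` rules and their comments repeat the passt profile's rules verbatim (the `@{HOME}` one is visible as context in the usr.bin.passt hunk); if they are meant to stay identical in both profiles, a comment saying so, or moving them into the shared abstraction, would keep the two from drifting apart.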