qemu#1169
Signed-off-by: Russell Coker <russell@coker.com.au>
| optional_policy(` | ||
| qemu_domain(virt_bridgehelper_t) | ||
| ') |
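Review bot: qemu_domain(virt_bridgehelper_t) only marks the helper as a qemu domain; nothing in this hunk authorizes the roles that may run qemu_t for virt_bridgehelper_t, so a transition from qemu_t would land in a role/type pair the role is not allowed. Replace it with a run-style interface exported by the virt module that takes the role and domain, and call that from the qemu module, so the qemu roles are passed down to the helper.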
This should instead be a run interface provided by the virt module.
I don't think the role matters. If a role is not authorized to associate with qemu_t then it should also not be authorized to associate with virt_bridgehelper_t because let's face it: it only makes sense for qemu to ever run that helper.
I'm not sure I understand this comment. It sounds like you're agreeing with me?. The point of the run interface is to pass the qemu roles down to virt_bridgehelper_t.
Yes. Sorry.
| kernel_read_network_state(virt_bridgehelper_t) | ||
| kernel_read_system_state(virt_bridgehelper_t) | ||
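Review bot: kernel_read_network_state() and kernel_read_system_state() open all of /proc/net and the general /proc system state to virt_bridgehelper_t; add a comment above these two lines naming what the helper actually reads, as is being asked for dev_read_sysfs() below, so a later reviewer can judge whether a narrower interface would do.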
| dev_read_sysfs(virt_bridgehelper_t) |
What entries are read? Please add a comment in the policy with that info.
| dev_read_sysfs(qemu_t) | ||
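Review bot: dev_read_sysfs(qemu_t) grants read access to the entire sysfs tree; the same question applies here as for the virt_bridgehelper_t call: please add a comment stating which sysfs entries qemu needs, since the policy otherwise gives no way to tell whether this is a narrow requirement or a blanket grant.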
| allow qemu_t self:anon_inode { create map read write }; |
Probably can fully upgrade to mmap_manage_file_perms.
| optional_policy(` | ||
| qemu_role(sysadm_r, sysadm_t) | ||
| ') |
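Review bot: qemu_role(sysadm_r, sysadm_t) authorizes sysadm_r for qemu_t only. With virt_bridgehelper_t added as a qemu domain in this change, sysadm_r also needs to be authorized for the helper type, otherwise the domain transition from qemu_t to virt_bridgehelper_t fails for that role; if the helper gets a run interface in the virt module, calling it from here (or from within qemu_role()) would cover this.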
| dev_read_sysfs(qemu_t) | ||
| allow qemu_t self:anon_inode { create map read write }; |
I would not use "self" for anon_inode because then you lose control over the various kinds like uffd, io_uring, perf_event, secretmem, etc.
In the case of qemu you would allow excessive permissions because, afaik, qemu only leverages io_uring and uffd anon_inodes.
Here is how I deal with anon_inodes:
https://git.defensec.nl/forge/defensec/dssp5/src/branch/dssp5-debian/src/anoninode.cil
https://git.defensec.nl/forge/defensec/dssp5/src/branch/dssp5-debian/src/anoninode
root@nimbus:~# sesearch -A -s qemu.guest.subj -c anon_inode
allow qemu.guest.subj qemu.guest.iouring.anon_inode:anon_inode { append create getattr ioctl link lock map open read rename setattr unlink write };
allow qemu.guest.subj qemu.guest.uffd.anon_inode:anon_inode { append create getattr ioctl link lock open read rename setattr unlink write };
root@nimbus:~# sesearch -T -s qemu.guest.subj -c anon_inode
type_transition qemu.guest.subj qemu.guest.subj:anon_inode qemu.guest.iouring.anon_inode [io_uring];
type_transition qemu.guest.subj qemu.guest.subj:anon_inode qemu.guest.uffd.anon_inode [userfaultfd];