apparmor profile libvirt-qemu is too permissive
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| AppArmor |
Opinion
|
Undecided
|
Unassigned | ||
| libvirt (Ubuntu) |
Opinion
|
Undecided
|
Unassigned | ||
Bug Description
The apparmor dynamic profile template for qemu/kvm virtual machines is too permissive, as it allow *any* guest r/w access to *any* UEFI nvram variable file.
The file /etc/apparmor.
# required for QEMU accessing UEFI nvram variables
owner /var/lib/
owner /var/lib/
This means a malicious guest escaping the virtualization layer can mess with other guests nvram files.
When launching a virtual machines with UEFI platform with default nvram file (ie: no file specified), the machines should only have access to /var/lib/
Interestingly, when specifying a nvram file via the <nvram> tag (ie: <nvram>
So, the best approach seems to:
- remove the wildcard allow from the abstraction/
- modify virt-aa-helper to always add the required file even if the <nvram> tag is not present in the guest definition (ie: allow the default path/file)
| information type: | Private Security → Public Security |
| tags: | added: server-triage-discuss |
| Mitchell Dzurick (mitchdz) wrote | #1 |
| tags: | removed: server-triage-discuss |
| Changed in libvirt (Ubuntu): | |
| status: | New → Opinion |
| Changed in apparmor: | |
| status: | New → Opinion |
| John Johansen (jjohansen) wrote | #2 |
| Mitchell Dzurick (mitchdz) wrote | #3 |
This bug seems to have been unfortunately lost to time, or there is discussion I am not aware of about it.
Gionatan, if there's still desire for this, I suggest making an upstream bug report[0], as these options are not changed by Ubuntu, but rather come from upstream.
I'm setting the bug to Opinion since I think it could be valuable to have a discussion, but ultimately I think these changes should be implemented upstream and then adopted by us.
[0] - https:/