apparmor profile libvirt-qemu is too permissive
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | Opinion | Undecided | Unassigned | |
| libvirt (Ubuntu) | Opinion | Undecided | Unassigned | |
Bug Description
The apparmor dynamic profile template for qemu/kvm virtual machines is too permissive, as it allows *any* guest r/w access to *any* UEFI nvram variable file.
The file /etc/apparmor.
# required for QEMU accessing UEFI nvram variables
owner /var/lib/
owner /var/lib/
This means a malicious guest escaping the virtualization layer can mess with other guests' nvram files.
When launching a virtual machine with a UEFI platform and the default nvram file (ie: no file specified), the machine should only have access to /var/lib/
Interestingly, when specifying a nvram file via the <nvram> tag (ie: <nvram>
So, the best approach seems to be to:
- remove the wildcard allow from the abstraction/
- modify virt-aa-helper to always add the required file even if the <nvram> tag is not present in the guest definition (ie: allow the default path/file)
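As an added illustration of the first point (this is example code written for this report, not code from libvirt, AppArmor or Ubuntu), the script below audits AppArmor profile text and flags file rules that combine a glob in an nvram path with write access, i.e. the shape of the rule the report describes, while leaving a per-guest rule naming one exact file alone. The directory names in the embedded sample profile are constructed placeholders, not the real libvirt nvram directory (which this page only shows truncated), and the rule regex covers only the `[owner] <path> <modes>,` subset of the AppArmor grammar needed for this check.

```python
"""Audit AppArmor profile text for wildcard nvram file rules.

Added example for this bug report; it is not code from libvirt, AppArmor or
Ubuntu. Paths in SAMPLE_PROFILE are constructed placeholders.
"""
import re
from typing import List, Tuple

# Matches AppArmor file rules of the form:   [owner] <path> <modes>,
# e.g.  owner /some/dir/*_VARS.fd rwk,
# Paths may be bare or double-quoted. This is an audit-only subset of the
# grammar (no include, deny, capability, network or dbus rules).
FILE_RULE = re.compile(
    r'^\s*(?P<owner>owner\s+)?(?P<path>"[^"]+"|/\S+)\s+(?P<modes>[a-zA-Z]+),\s*(#.*)?$'
)

# Constructed sample profile: two glob rules of the kind the report describes
# (every guest gets r/w on every nvram file under the directory) followed by
# the per-guest rule virt-aa-helper emits for an explicit <nvram> element, and
# one unrelated read-only firmware rule. Directory names are placeholders.
SAMPLE_PROFILE = """\
  # required for QEMU accessing UEFI nvram variables
  owner /var/lib/PLACEHOLDER-nvram/*_VARS.fd rwk,
  owner /var/lib/PLACEHOLDER-nvram/*_VARS.ms.fd rwk,
  # per-guest rule naming exactly one file (the desired shape)
  "/var/lib/PLACEHOLDER-nvram/guest-one_VARS.fd" rwk,
  /usr/share/PLACEHOLDER-firmware/firmware-code.fd rk,
"""


def parse_file_rules(profile_text: str) -> List[Tuple[bool, str, str]]:
    """Return (has_owner, path, modes) for each file rule in the profile text."""
    rules: List[Tuple[bool, str, str]] = []
    for line in profile_text.splitlines():
        match = FILE_RULE.match(line)
        if not match:
            continue  # comments, blank lines and non-file rules are skipped
        path = match.group("path").strip('"')
        rules.append((match.group("owner") is not None, path, match.group("modes")))
    return rules


def is_wildcard(path: str) -> bool:
    """True if the path uses any AppArmor globbing construct."""
    return any(ch in path for ch in "*?{[")


def find_broad_nvram_rules(profile_text: str) -> List[str]:
    """Paths of rules that grant write access to a glob of nvram files.

    'owner' does not narrow these rules in the libvirt case, because every
    guest's nvram file is owned by the same qemu user, so it is not treated
    as a mitigating factor here.
    """
    findings: List[str] = []
    for _has_owner, path, modes in parse_file_rules(profile_text):
        if "nvram" in path.lower() and is_wildcard(path) and "w" in modes:
            findings.append(path)
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; point this at a real per-guest
    # profile (the files virt-aa-helper generates) to audit a host.
    for bad in find_broad_nvram_rules(SAMPLE_PROFILE):
        print(f"broad nvram rule: {bad}")
```

On a real host the same function can be run over each generated per-guest profile plus the abstraction it includes; a clean result is one where the only writable nvram path in a guest's effective rule set is that guest's own file.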
information type: Private Security → Public Security
tags: added: server-triage-discuss
This bug seems to have been unfortunately lost to time, or there is discussion I am not aware of about it.
Gionatan, if there's still desire for this, I suggest making an upstream bug report[0], as these options are not changed by Ubuntu, but rather come from upstream.
I'm setting the bug to Opinion since I think it could be valuable to have a discussion, but ultimately I think these changes should be implemented upstream and then adopted by us.
[0] - https://gitlab.com/groups/libvirt/-/issues