apparmor, virt-aa-helper: Explicit denies for host devices

author Felix Geyer <fgeyer@debian.org>

Thu, 18 May 2017 08:53:43 +0000 (10:53 +0200)

committer Guido Günther <agx@sigxcpu.org>

Fri, 19 May 2017 07:48:23 +0000 (09:48 +0200)
author Felix Geyer <fgeyer@debian.org>
Thu, 18 May 2017 08:53:43 +0000 (10:53 +0200)
committer Guido Günther <agx@sigxcpu.org>
Fri, 19 May 2017 07:48:23 +0000 (09:48 +0200)
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper

index ee53c2c12a7c70656ee42e4cf8bd276ca4110efb..012080c676f41318365a3280a9484fdbd53da34e 100644 (file)
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -21,6 +21,15 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
    # for hostdev
    /sys/devices/ r,
    /sys/devices/** r,
+  deny /dev/sd* r,
+  deny /dev/vd* r,
+  deny /dev/dm-* r,
+  deny /dev/drbd[0-9]* r,
+  deny /dev/dasd* r,
+  deny /dev/nvme* r,
+  deny /dev/zd[0-9]* r,
+  deny /dev/mapper/ r,
+  deny /dev/mapper/* r,
  
    /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
    /{usr/,}sbin/apparmor_parser Ux,
author	Felix Geyer <fgeyer@debian.org>
	Thu, 18 May 2017 08:53:43 +0000 (10:53 +0200)
committer	Guido Günther <agx@sigxcpu.org>
	Fri, 19 May 2017 07:48:23 +0000 (09:48 +0200)