AppArmorLibvirtProfile
Launchpad Entry: security-karmic-missing-profiles
Created: 2009-06-17
Contributors: jdstrand
Packages affected: libvirt and apparmor
Summary
Virtual machines started by libvirt run unconfined. If there is a bug in the hypervisor, a guest could potentially attack other guests or the host. Providing an AppArmor profile would help protect against this. As of libvirt 0.6.1, sVirt has been merged and contains all the necessary hooks through a plugin architecture to confine a virtual machine, and includes an SELinux plugin. Providing an AppArmor plugin would help increase security and contain virtual machines in Ubuntu.
Release Note
Libvirt now contains AppArmor integration when using KVM or QEMU. Libvirtd can be configured to use AppArmor and launch virtual machines that are confined by a uniquely restrictive profile. This feature allows protection of the host and other guest machines against untrusted or malicious virtual machines.
Rationale
Virtual machines started by libvirt run unconfined. Since guests running software with security bugs, misconfigured software or nefarious users could be deployed, it is imperative that the host machine be protected from attack by a malicious guest and that guests be isolated from each other. Generally speaking, the hypervisor takes care of this isolation; however, bugs in the hypervisor may allow an attacker to circumvent its protections.
AppArmor can increase security and help protect the host and isolate guests in the event of bugs in the hypervisor.
Design
When a virtual machine is started, determine whether a profile is already defined for that machine and use it if so. If not, generate a new profile for the machine from a template. By default the template is a very restrictive profile that allows access only to the guest's disk files and to whatever else it needs in order to run, such as its pid and log files.
Each virtual machine should have a unique profile specific to that machine. To ensure uniqueness, the profile name will be the UUID of the virtual machine. These profiles should be configurable, either by adjusting the profile template used for new machines, by creating or modifying a VM's profile directly, or through the use of AppArmor abstractions. This lets administrators fine-tune confinement for individual machines if desired.
In addition to the above, initially confine libvirtd itself with a permissive profile (perhaps even complain mode only). libvirtd should not be allowed to create arbitrary profiles or modify profiles directly: if it could, a security bug in libvirtd itself could be used to write a permissive profile and so bootstrap out of AppArmor confinement once libvirtd runs under a restrictive enforcing profile. Profile creation and loading are therefore delegated to a separate, confined helper.
Note that the upstream security plugin framework in libvirt 0.6.1 only works with qemu (and kvm), not with other technologies such as Xen or OpenVZ. If and when those technologies are supported by the upstream framework, AppArmor confinement should work with them as well.
Implementation
* Create an AppArmor plugin for libvirt using the security plugin framework provided by libvirt 0.6.1. Use aa_change_profile() from <sys/apparmor.h> in the hook for virExecWithHook(). This allows libvirtd to run in its own profile and then switch the kvm child to the guest's profile after fork() (i.e. before the guest binary is executed).
* Provide a permissive libvirt AppArmor profile (/etc/apparmor.d/usr.sbin.libvirtd).
* Provide a restrictive AppArmor abstraction for guest profiles to include (/etc/apparmor.d/abstractions/libvirt-qemu).
* Provide a restrictive AppArmor template to be used when generating new profiles (/etc/apparmor.d/libvirt/TEMPLATE).
* Write virt-aa-helper, which libvirtd calls to create/update profiles and load them. This application can create a profile based on TEMPLATE, load a profile, unload a profile and delete a profile.
* Provide a restrictive AppArmor profile for virt-aa-helper (as part of /etc/apparmor.d/usr.sbin.libvirtd).
* Fix bug #390810.
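The following is an added example, not libvirt's virt-aa-helper and not code from this specification. It sketches the profile-generation step described under Design and Implementation: derive the profile name from the domain UUID, reuse a profile that is already defined for that guest, and otherwise render one from TEMPLATE with one rule per disk the guest is given. The TEMPLATE text, the "libvirt-" name prefix (the page only says the name is the UUID), the profile directory and the path denylist are assumptions made for this example; the denylist illustrates why the helper, rather than libvirtd, must decide what enters a profile.

```python
#!/usr/bin/env python3
"""Added example, not libvirt's virt-aa-helper: the profile-generation step from Design
and Implementation.  It derives the profile name from the domain UUID, reuses an
already-defined per-guest profile, and otherwise renders one from TEMPLATE with rules
for the guest's disks.  TEMPLATE, the "libvirt-" prefix, the directory and the path
denylist are assumptions made for this example."""
import os
import re
import uuid
import xml.etree.ElementTree as ET

PROFILE_DIR = "/etc/apparmor.d/libvirt"          # assumed location of per-guest profiles

# Assumed TEMPLATE: everything a guest needs to run comes from the abstraction; the
# generator only adds the guest-specific disk rules before the closing brace.
TEMPLATE = """\
#include <tunables/global>

profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
  #include <abstractions/libvirt-qemu>
}
"""

# Assumed denylist.  The helper, not libvirtd, decides what goes into a profile, so it
# must refuse host system paths even when a compromised libvirtd asks for them.
DENIED_PREFIXES = ("/bin/", "/sbin/", "/usr/", "/etc/", "/lib/", "/lib64/",
                   "/boot/", "/proc/", "/sys/")

def profile_name(dom_uuid):
    """Profile name from the normalised domain UUID, so it is unique per guest."""
    return "libvirt-" + str(uuid.UUID(dom_uuid))      # ValueError on a malformed UUID

def valid_path(path):
    """Accept only absolute, already-normalised, glob-free paths outside DENIED_PREFIXES."""
    if not path.startswith("/") or os.path.normpath(path) != path:
        return False                                   # relative, or has '..', '//' or a trailing '/'
    if re.search(r"[*?\[\]{}\s]", path):
        return False                                   # would become an AppArmor glob or break the rule
    return not path.startswith(DENIED_PREFIXES)

def disk_sources(domain_xml):
    """Return (uuid, [(path, readonly), ...]) for the disks of a domain definition."""
    root = ET.fromstring(domain_xml)
    disks = []
    for disk in root.findall("./devices/disk"):
        src = disk.find("source")
        if src is None:
            continue                                   # e.g. an empty CD-ROM drive
        path = src.get("file") or src.get("dev")
        if path:
            disks.append((path, disk.find("readonly") is not None))
    return root.findtext("uuid"), disks

def render_profile(dom_uuid, disks):
    """Render TEMPLATE for this guest with one rule per validated disk path."""
    bad = [p for p, _ in disks if not valid_path(p)]
    if bad:
        raise ValueError("refusing to add host paths to a guest profile: %r" % bad)
    perms = {}
    for path, readonly in disks:                       # a writable use of a path wins over a read-only one
        perms[path] = "rk" if readonly and perms.get(path) != "rwk" else "rwk"
    rules = "".join('  "%s" %s,\n' % (p, perms[p]) for p in sorted(perms))
    head, _, _ = TEMPLATE.replace("LIBVIRT_TEMPLATE", profile_name(dom_uuid)).rpartition("}")
    return head + rules + "}\n"

def profile_for_domain(domain_xml, profile_dir=PROFILE_DIR):
    """The Design rule: use the profile already defined for this guest, else generate one.
    Returns (name, profile_text, generated)."""
    dom_uuid, disks = disk_sources(domain_xml)
    name = profile_name(dom_uuid)
    path = os.path.join(profile_dir, name)
    if os.path.exists(path):
        with open(path) as f:
            return name, f.read(), False
    text = render_profile(dom_uuid, disks)
    os.makedirs(profile_dir, exist_ok=True)
    with open(path, "w") as f:
        f.write(text)
    return name, text, True

# Constructed sample domain: one writable image and one read-only install ISO.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>guest1</name>
  <uuid>8e8fc2b0-3f7d-4e58-9c3a-6d0a1f1c2b44</uuid>
  <devices>
    <disk type='file' device='disk'><source file='/var/lib/libvirt/images/guest1.img'/></disk>
    <disk type='file' device='cdrom'><source file='/srv/iso/ubuntu-9.10.iso'/><readonly/></disk>
  </devices>
</domain>
"""

if __name__ == "__main__":
    import tempfile
    print(profile_for_domain(SAMPLE_DOMAIN_XML, tempfile.mkdtemp())[1])
```

Running the script prints the rendered profile for the constructed guest: the TEMPLATE with the profile name filled in and two disk rules, `rk` for the read-only ISO and `rwk` for the image. The loading step that the helper performs next is not part of the example; on a real host it is `apparmor_parser -r /etc/apparmor.d/libvirt/<profile>`, run as root. The path checks are the point of the design: a request that names `/etc/shadow`, a `..` traversal or a glob is rejected outright rather than written into the guest's profile, which is the property that makes it safe to let a potentially buggy libvirtd drive the helper.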
Test/Demo Plan
* libvirt tests:
  * virsh capabilities
  * virsh dominfo <guest>
  * virsh dumpxml <guest>
* guest tests:
  * add a disk via virt-manager
  * add a disk via virsh define
  * add a CDROM iso
  * add hardware to the guest (should be allowed)
  * modify hardware in the guest (should be allowed)
* remote vs local tests:
  * guest on local host with AppArmor (confined)
  * guest on local host without AppArmor (unconfined)
  * unconfined virsh client starts guest on remote host with AppArmor (confined)
  * unconfined virsh client starts guest on remote host without AppArmor (unconfined)
  * confined virsh client [1] starts guest on remote host with AppArmor (confined)
  * confined virsh client [1] starts guest on remote host without AppArmor (unconfined)

[1] "confined virsh client" means that the local libvirtd is confined, not virsh itself.
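The "(confined)" and "(unconfined)" expectations above need an actual check. The following added example (not from the page) reads the AppArmor label the kernel exposes in /proc/<pid>/attr/current, which is either "unconfined" or "<profile> (<mode>)", and passes only when the guest's kvm process carries its per-guest profile in enforce mode. The "libvirt-" prefix on the profile name is an assumption; the page only says the name is the UUID.

```python
#!/usr/bin/env python3
"""Added example, not part of the specification: the check behind the test plan's
"(confined)" / "(unconfined)" expectations, based on the AppArmor label in
/proc/<pid>/attr/current.  The "libvirt-" profile name prefix is an assumption."""


def parse_label(label):
    """Split a /proc/<pid>/attr/current line into (profile, mode).

    The kernel writes either "unconfined" or "<profile> (<mode>)", where mode is
    "enforce" or "complain"."""
    label = label.strip()
    if label == "unconfined":
        return None, "unconfined"
    if label.endswith(")") and " (" in label:
        profile, mode = label[:-1].rsplit(" (", 1)
        return profile, mode
    return label, None                  # unexpected format: report it rather than guess


def is_confined(label, dom_uuid):
    """True only when the label names this guest's profile and the mode is enforce.
    A complain-mode profile logs but does not stop anything, so it does not count."""
    profile, mode = parse_label(label)
    return profile == "libvirt-" + dom_uuid.lower() and mode == "enforce"


def guest_confined(pid, dom_uuid):
    """Read the label of the running guest process with the given pid.

    Reading another process's attr file needs ptrace-level access, so run this as
    root; it raises FileNotFoundError on a kernel without the LSM attr interface."""
    with open("/proc/%d/attr/current" % pid) as f:
        return is_confined(f.read(), dom_uuid)
```

For the local "confined" rows of the plan, find the guest's kvm pid (for example from `ps auxZ`, which also prints the label) and call guest_confined(pid, uuid); for the "unconfined" rows the label is simply "unconfined". Note that the remote cases in the plan are about where libvirtd runs: the label to inspect is always the one on the host where the guest process lives, never the client's.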
Unresolved issues
To be determined.
SecurityTeam/Specifications/Karmic/AppArmorLibvirtProfile (last edited 2011-05-04 13:55:02 by pool-71-114-233-7)