* [pve-devel] Consideration of contributing Apparmor for KVM
@ 2025-04-28 13:50 Sven Springer via pve-devel
2025-04-29 8:43 ` Fabian Grünbichler
0 siblings, 1 reply; 2+ messages in thread
From: Sven Springer via pve-devel @ 2025-04-28 13:50 UTC (permalink / raw)
To: pve-devel; +Cc: Sven Springer
[-- Attachment #1: Type: message/rfc822, Size: 9556 bytes --]
[-- Attachment #1.1.1.1: Type: text/plain, Size: 1351 bytes --]
Hello,
for a project we are working on a simple Apparmor profile for KVM-based
VMs in Proxmox.
For now it's a POC with a static profile for the qemu-system-x86_64
binary. The next step would be to patch the Proxmox Perl code to
implement a basic version of dynamic profiles, similar to how it's done
for LXC by Proxmox, or how it's done by libvirt for QEMU/KVM.
Now the thought of bringing this upstream was brought up, but I am a
little concerned about the scope of this endeavor (in particular
considering limited to no perl experience on our side).
I am also aware that there have been requests about this feature by
other users in the forum and on the bug report board, but no specific
promises have been made nor does it appear in the Roadmap
(https://pve.proxmox.com/wiki/Roadmap).
Implementing it for a limited scope/usecase (e.g. only x86, only testing
with some storage type, not testing for a plethora of pass-through
possibilities) seems doable enough, but is this even something you would
even consider accepting as a contribution, or is it more an
all-or-nothing situation where most if not all edgecases need to be
covered from the get-go?
Any feedback is much appreciated.
This is my first mail to this list, so please let me know if I missed
some netiquette.
Best regards,
Sven.
[-- Attachment #1.1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 665 bytes --]
[-- Attachment #2: Type: text/plain, Size: 160 bytes --]
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [pve-devel] Consideration of contributing Apparmor for KVM
2025-04-28 13:50 [pve-devel] Consideration of contributing Apparmor for KVM Sven Springer via pve-devel
@ 2025-04-29 8:43 ` Fabian Grünbichler
0 siblings, 0 replies; 2+ messages in thread
From: Fabian Grünbichler @ 2025-04-29 8:43 UTC (permalink / raw)
To: Proxmox VE development discussion
> Sven Springer via pve-devel <pve-devel@lists.proxmox.com> hat am 28.04.2025 15:50 CEST geschrieben:
> Hello,
>
> for a project we are working on a simple Apparmor profile for KVM-based
> VMs in Proxmox.
> For now it's a POC with a static profile for the qemu-system-x86_64
> binary. The next step would be to patch the Proxmox Perl code to
> implement a basic version of dynamic profiles, similar to how it's done
> for LXC by Proxmox, or how it's done by libvirt for QEMU/KVM.
>
> Now the thought of bringing this upstream was brought up, but I am a
> little concerned about the scope of this endeavor (in particular
> considering limited to no perl experience on our side).
> I am also aware that there have been requests about this feature by
> other users in the forum and on the bug report board, but no specific
> promises have been made nor does it appear in the Roadmap
> (https://pve.proxmox.com/wiki/Roadmap).
>
> Implementing it for a limited scope/usecase (e.g. only x86, only testing
> with some storage type, not testing for a plethora of pass-through
> possibilities) seems doable enough, but is this even something you would
> even consider accepting as a contribution, or is it more an
> all-or-nothing situation where most if not all edgecases need to be
> covered from the get-go?
>
> Any feedback is much appreciated.
hi!
this is something that would be indeed very nice to have, and has been
requested a few times already:
https://bugzilla.proxmox.com/show_bug.cgi?id=5270
as you already noted, the tricky part is covering all the different
storage types and other similar "extension points". for storages,
one question to discuss is whether we want to derive a "storage profile"
that allows access to (all) volumes stored on a given storage, or
whether we'd want to derive a "volume profile" that allows access to a
given specific volume. both come with pros and cons - one profile per
storage is probably easier to implement, but doesn't cover cross-VM
exploits.
starting off with basic support for common setups and making that
opt-in is probably a sensible approach. compared to containers, some
complexity is removed (e.g., no handling of mount points ;)), but
some other complexity is gained (the QEMU process does a lot more at
runtime that needs to be properly covered by the profile).
and even just some real world experimenting would already help with
implementing this feature, e.g., a base profile for the QEMU process
itself for a given config that can be used as a starting point.
if you haven't already, check out our developer docs at
https://pve.proxmox.com/wiki/Developer_Documentation
in particular the style, preparing/sending patches and licensing sections.
maybe you could send a more in-depth RFC with some basic architecture
or design and open questions once you have that?
Fabian
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-04-29 8:43 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-04-28 13:50 [pve-devel] Consideration of contributing Apparmor for KVM Sven Springer via pve-devel
2025-04-29 8:43 ` Fabian Grünbichler
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal