Provmox VE 8.0 and Apparmor for VM

J

jlbbb

New Member
Aug 10, 2023
2
0
1
Hello,

As the title states I would like more info about the state of Apparmor profiles for Proxmox Virtual Machines, is it possible to confine VMs with Apparmor? Does Proxmox offer any facility to do so? Just running one with default settings doesn't seem to get it confined, am I wrong?

As a bonus question: if the answer is no, is there a way to run VIRTIO ONLY machines? So that the use of QEMU virtualized devices is at its lowest?

Thank you!
 
jlbbb said:
As the title states I would like more info about the state of Apparmor profiles for Proxmox Virtual Machines, is it possible to confine VMs with Apparmor? Does Proxmox offer any facility to do so? Just running one with default settings doesn't seem to get it confined, am I wrong?
Click to expand...
Sounds interesting, yet I don't know what you want to confine here. Do you have any information about how it should/could work?

jlbbb said:
As a bonus question: if the answer is no, is there a way to run VIRTIO ONLY machines? So that the use of QEMU virtualized devices is at its lowest?
Click to expand...
that depends on the guest OS, but yes, it should be possible. CPU, harddisk, network, mouse, keyboard all virtualized.
 
LnxBil said:
Sounds interesting, yet I don't know what you want to confine here. Do you have any information about how it should/could work?
Click to expand...
Hello there!

I would like to confine the QEMU processes, Libvirt seems to do it, you can read more about Libvirt's way here: https://libvirt.org/drvqemu.html#apparmor-svirt-confinement

That makes it possible to contain the QEMU processes when a vulnerability is found (and exploited) in parts of them (mostly the fully virtualized devices, I see...)

Does it make QEMU more secure? Maybe.
Is that a panacea? Perhaps not.
Does it break anything? Not that I'm aware of if the profile is generated dynamically.
Would it be nice to have? Most probably I believe...


Now, since I mentioned it, you may well be replying "go with Libvirt then", well... I'd rather not...!

LnxBil said:
that depends on the guest OS, but yes, it should be possible. CPU, harddisk, network, mouse, keyboard all virtualized.
Click to expand...

Or... paravirtualized! That's what I wanted, less QEMU emulation more VirtIO.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back