On Thu, 2015-11-26 at 15:42 +0100, Guido Günther wrote:
Hi,
On Tue, Nov 17, 2015 at 03:14:51PM +0100, Cédric Bosdonnat wrote:
> There is no need to deny writes on a readonly mount: writes still
> won't be accepted, even if the user remounts the folder as RW in
> the guest, as qemu sets the 9p mount as ro.
Wouldn't a security hole in qemu possibly allow circumventing this, and
isn't this type of exploit the thing we want to guard against in the
apparmor profiles?
> This deny rule was leading to problems for example with readonly /:
> The qemu process had to write to a bunch of files in / like logs,
> sockets, etc. This deny rule was also preventing auditing of these
> denials, making it harder to debug.
So you're mapping a host directory as '/' into the guest or what was the
exact setup?
Yes, `virt-sandbox /bin/sh` will readonly mount the host / as / in the
guest. This will result in a 'deny /** w' rule that prevents writing to
several files. As the deny rules have precedence over the allow ones,
this rule will be the one applied for the logs and other files we need
to write to.
--
Cedric
Cheers,
-- Guido
> ---
> src/security/virt-aa-helper.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index 5de56e5..a2d7226 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -1127,7 +1127,10 @@ get_files(vahControl * ctl)
> ctl->def->fss[i]->src) {
> virDomainFSDefPtr fs = ctl->def->fss[i];
>
> - if (vah_add_path(&buf, fs->src, fs->readonly ? "r"
: "rw", true) != 0)
> + /* We don't need to add deny rw rules for readonly mounts,
> + * this can only lead to troubles when mounting / readonly.
> + */
> + if (vah_add_path(&buf, fs->src, "rw", true) != 0)
> goto cleanup;
> }
> }
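Review bot: the replacement `vah_add_path(&buf, fs->src, "rw", true)` does more than drop the deny rule: it now requests "rw" for the share source even when `fs->readonly` is set, so the profile stops mediating writes to that host directory at the AppArmor layer and relies on qemu's own ro handling of the 9p mount. If the goal is only to stop emitting the `deny ... w` line for readonly mounts, keep `fs->readonly ? "r" : "rw"` here and suppress the deny line inside vah_add_path instead, so a readonly share still gets only "r". The comment should also say "deny w rule" rather than "deny rw rules", since that is what is being removed.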
> --
> 2.1.4
>
> --
> libvir-list mailing list
> libvir-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
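The precedence effect Cédric describes (a `deny "/**" w` line overriding every allow line for the log and socket files) and the trade-off Guido raises (removing it by granting "rw" to a readonly share) can be made concrete with a small model. The following is an added example, not code from libvirt or virt-aa-helper: it emits the filesystem rules three ways (the pre-patch "r" plus deny line, the patched "rw", and a third variant that keeps "r" but omits the deny line), then evaluates a request with AppArmor's rule that any matching deny removes the permission regardless of allow rules. The base rules, share paths and the `/**` glob translation are constructed for the example, and the emitted rule shape is an assumption modelled on the thread's description of vah_add_path.

```python
"""Model of AppArmor deny-precedence for virt-aa-helper style filesystem rules.

Added example; not libvirt code. Rule shapes and paths are constructed.
"""
import re

# Constructed base rules a qemu profile needs regardless of shares (assumption).
BASE_RULES = [
    (False, "/var/log/libvirt/qemu/*.log", "w"),
    (False, "/var/run/libvirt/qemu/*.sock", "rw"),
]


def aa_glob_to_regex(pattern):
    """Translate an AppArmor path glob: '**' spans '/', '*' stays in one component."""
    out = ""
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def emit_fs_rules(fs_entries, mode):
    """Emit (deny, glob, perms) rules for each (src, readonly) share.

    mode: 'original' -> 'r' for readonly shares plus a 'deny ... w' line
          'patch'    -> 'rw' for every share, no deny line (the posted patch)
          'no_deny'  -> 'r' for readonly shares, deny line suppressed
    """
    rules = []
    for src, readonly in fs_entries:
        glob = src.rstrip("/") + "/**"   # '/' becomes '/**', '/srv/x' -> '/srv/x/**'
        if mode == "patch":
            perms = "rw"
        else:
            perms = "r" if readonly else "rw"
        rules.append((False, glob, perms))
        if mode == "original" and "w" not in perms:
            # Mirrors the "don't audit writes to readonly files" deny line.
            rules.append((True, glob, "w"))
    return rules


def allowed(rules, path, perm):
    """AppArmor semantics: a matching deny wins over any matching allow."""
    for deny, glob, perms in rules:
        if deny and perm in perms and aa_glob_to_regex(glob).match(path):
            return False
    return any(
        not deny and perm in perms and aa_glob_to_regex(glob).match(path)
        for deny, glob, perms in rules
    )


def decide(mode, fs_entries, path, perm):
    """Build the profile for `mode` and decide one access request."""
    return allowed(BASE_RULES + emit_fs_rules(fs_entries, mode), path, perm)


if __name__ == "__main__":
    root_ro = [("/", True)]            # virt-sandbox: host / mounted readonly as /
    share_ro = [("/srv/share", True)]  # constructed readonly 9p share
    log = "/var/log/libvirt/qemu/sandbox.log"
    for mode in ("original", "patch", "no_deny"):
        print(mode, "log write:", decide(mode, root_ro, log, "w"),
              "share write:", decide(mode, share_ro, "/srv/share/f", "w"))
```

Running it shows the three outcomes side by side: with the original rules a readonly `/` share blocks the log write even though a `*.log w` allow line exists; the patch lets the log write through but also lets qemu write into the readonly share's host directory; the third variant lets the log write through while the share stays read-only in the profile.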