Hi Christian,
On Fri, 2017-05-19 at 11:18 +0200, Christian Ehrhardt wrote:
On Fri, May 19, 2017 at 10:03 AM, Guido Günther <agx(a)sigxcpu.org> wrote:
> But if we aim for a profile replace on blockcommit [1] the would't matter
> since the whole profile would get replaced, wouldn't it?
>
Since this is based on [1][2] looping in Cédric here to share some old explanations.
See especially [1] for some reasoning for 'R' in general.
[1]: http://libvirt.org/git/?p=libvirt.git;a=commit;h=c726af2d5a2248f0dad0...
[2]: http://libvirt.org/git/?p=libvirt.git;a=commit;h=cedd2ab28262db62976b351d...
Sadly the bug report isn't public since it has been reported against SLES. But here is
the description of the bug that motivated that fix:
------------------ %< ------------------
Steps to reproduce:
* run virt-sandbox /bin/sh as root
Expected result: Run a shell in a qemu domain, apparmor enforced
Actual result: Domain fails to start
After some more debugging it happens that the problem is caused by
<filesystem type='mount' accessmode='passthrough'>
  <source dir='/'/>
  <target dir='host_root'/>
  <readonly/>
</filesystem>
Since commit http://libvirt.org/git/?p=libvirt.git;a=commit;h=d0d4b8ad76d3e8a859ee9070...,
virt-aa-helper generates a "deny /** w" rule in such cases that takes precedence over
the allow rules.
This has several effects:
* It hides the DENIED/ALLOWED apparmor log entries
* It prevents qemu from writing to the log file, /dev/ptmx and other important files
needed to run the domain.
To see the rules, add the audit flag to the /etc/apparmor.d/libvirt/TEMPLATE.qemu file
and rerun virt-sandbox.
------------------ %< ------------------
I hope this will answer your questions.
--
Cedric
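As an added illustration of the precedence problem the description above refers to (this is not libvirt code and not the upstream fix), here is a small Python model of AppArmor rule evaluation in which any matching deny rule overrides every matching allow rule; the profile excerpt and the shadowed_allows lint helper are constructed for this example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    path: str    # AppArmor path pattern, e.g. "/dev/ptmx" or "/**"
    perms: str   # permission letters, e.g. "rw"
    deny: bool = False

def _glob_to_regex(pattern):
    """AppArmor globbing: '**' may cross '/', a single '*' may not."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def parse_profile(text):
    """Parse the simple 'path perms,' and 'deny path perms,' lines used here."""
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if line.startswith("#"):
            continue
        m = re.match(r"(deny\s+)?(\S+)\s+([a-z]+)$", line)
        if m:
            rules.append(Rule(m.group(2), m.group(3), bool(m.group(1))))
    return rules

def access_allowed(rules, path, perm):
    """A matching deny rule wins over every matching allow rule."""
    allowed = False
    for r in rules:
        if perm in r.perms and _glob_to_regex(r.path).match(path):
            if r.deny:
                return False
            allowed = True
    return allowed

def shadowed_allows(rules):
    """Lint: literal allow rules that some deny rule silently overrides."""
    return sorted((r.path, p) for r in rules if not r.deny and "*" not in r.path
                  for p in r.perms if not access_allowed(rules, r.path, p))

# Constructed profile excerpt modelled on the mail's description (not real output).
BROKEN = """
/var/log/libvirt/qemu/sandbox.log w,
/dev/ptmx rw,
/ r,
deny /** w,
"""
```

Running shadowed_allows(parse_profile(BROKEN)) reports the log file and /dev/ptmx write permissions as shadowed by the "deny /** w" rule, which is exactly why the domain cannot start even though the allow rules are present.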