[Please don't CC random people on patches until asked to, we are all subscribed to the list]

On 10/22/20 4:58 PM, Christian Schoenebeck wrote: > Guests should be allowed to create hard links on mounted pathes, since > many applications rely on this functionality and would error on guest > with current "rw" AppArmor permission with 9pfs. > > Signed-off-by: Christian Schoenebeck <qemu_oss(a)crudebyte.com&gt; > --- > > src/security/virt-aa-helper.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c > index 12429278fb..5a6f4a5f7d 100644 > --- a/src/security/virt-aa-helper.c > +++ b/src/security/virt-aa-helper.c > @@ -1142,7 +1142,7 @@ get_files(vahControl * ctl) > > /* We don't need to add deny rw rules for readonly mounts, > > * this can only lead to troubles when mounting / readonly. > */ > > - if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : > "rw", true) != 0) + if (vah_add_path(&buf, fs->src->path, > fs->readonly ? "R" : "rwl", true) != 0)> > goto cleanup; > > } > > } Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com&gt; but I will give a day or two for other developers to chime in. Michal

On 10/23/20 4:19 PM, Christian Schoenebeck wrote: > On Donnerstag, 22. Oktober 2020 19:07:33 CEST Michal Privoznik wrote: >> [Please don't CC random people on patches until asked to, we are all >> subscribed to the list] > > Got it, I'll refrain from CCing on libvirt in future. > > Not as erratic as it looks like though: I CCed people who touched this > specific AppArmor permission before, plus the virtiofs maintainers. Yeah, I understand that. BTW: it's okay to CC people when replying :-) >> On 10/22/20 4:58 PM, Christian Schoenebeck wrote: >>> Guests should be allowed to create hard links on mounted pathes, since >>> many applications rely on this functionality and would error on guest >>> with current "rw" AppArmor permission with 9pfs. >>> >>> Signed-off-by: Christian Schoenebeck <qemu_oss(a)crudebyte.com&gt; >>> --- >>> >>> src/security/virt-aa-helper.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/src/security/virt-aa-helper.c >>> b/src/security/virt-aa-helper.c >>> index 12429278fb..5a6f4a5f7d 100644 >>> --- a/src/security/virt-aa-helper.c >>> +++ b/src/security/virt-aa-helper.c >>> @@ -1142,7 +1142,7 @@ get_files(vahControl * ctl) >>> >>> /* We don't need to add deny rw rules for readonly >>> mounts, >>> >>> * this can only lead to troubles when mounting / >>> readonly. >>> */ >>> >>> - if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : >>> "rw", true) != 0) + if (vah_add_path(&buf, fs->src->path, >>> fs->readonly ? "R" : "rwl", true) != 0)> >>> >>> goto cleanup; >>> >>> } >>> >>> } >> >> Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com&gt; >> >> but I will give a day or two for other developers to chime in. >> >> Michal > > Yes, please wait couple days to see whether there are reactions. Okay, so nobody objected and we can expect the freeze of upstream today, so I am pushing this.