
On Tue, Mar 5, 2019 at 5:45 PM Jamie Strandboge <jamie@canonical.com> wrote:
On Tue, 05 Mar 2019, Christian Ehrhardt wrote:
Further testing with different devices showed that we need more rules to drive gl backends with nvidia cards. Related denies look like:
apparmor="DENIED" operation="open" name="/usr/share/egl/egl_external_platform.d/" requested_mask="r"
apparmor="DENIED" operation="open" name="/proc/modules" requested_mask="r"
apparmor="DENIED" operation="open" name="/proc/driver/nvidia/params" requested_mask="r"
apparmor="DENIED" operation="mknod" name="/dev/nvidiactl" requested_mask="c"
Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1817943
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 src/security/virt-aa-helper.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index e9120213ff..13b507ff69 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1279,6 +1279,11 @@ get_files(vahControl * ctl) virBufferAddLit(&buf, " \"/usr/share/drirc.d/{,*.conf}\" r,\n"); virBufferAddLit(&buf, " \"/etc/glvnd/egl_vendor.d/{,*}\" r,\n"); virBufferAddLit(&buf, " \"/usr/share/glvnd/egl_vendor.d/{,*}\" r,\n"); + virBufferAddLit(&buf, " \"/usr/share/egl/egl_external_platform.d/\" r,\n"); + virBufferAddLit(&buf, " \"/usr/share/egl/egl_external_platform.d/*\" r,\n"); + virBufferAddLit(&buf, " \"/proc/modules\" r,\n"); + virBufferAddLit(&buf, " \"/proc/driver/nvidia/params\" r,\n"); + virBufferAddLit(&buf, " \"/dev/nvidiactl\" rw,\n");
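Review bot: the new rule for /dev/nvidiactl grants rw while the logged denial is a mknod with requested_mask="c", so the commit message should state why rw is sufficient and that creating the node is intentionally left denied; otherwise a reader matching the four denials against the five rules will assume one was missed. Minor style point: the two egl_external_platform.d lines could be collapsed to the `"/usr/share/egl/egl_external_platform.d/{,*}" r,` form that the neighbouring egl_vendor.d rules already use.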
All the reads are fine. The 'rw' for nvidiactl is unfortunate but there isn't anything we can do about the need for it. At least the policy doesn't have 'capability mknod' and DAC will protect against creating/removing the device where the VMs run as non-root.
+1 to apply
Thanks, pushed with your ack
--
Jamie Strandboge | http://www.canonical.com
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
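As an added example (not part of this thread and not libvirt's own code), a small Python helper that parses audit lines like the ones quoted in the commit message and emits candidate rules in the form get_files() writes them; the {,*} glob for the directory and the "rw but not create" choice for the device node are assumptions that mirror the patch and Jamie's comment, and the sample log lines are constructed from the message.

```python
import re

# Constructed sample input: the four denials quoted in the commit message,
# one audit line each (real audit records carry more fields; these suffice).
SAMPLE_DENIALS = """\
apparmor="DENIED" operation="open" name="/usr/share/egl/egl_external_platform.d/" requested_mask="r"
apparmor="DENIED" operation="open" name="/proc/modules" requested_mask="r"
apparmor="DENIED" operation="open" name="/proc/driver/nvidia/params" requested_mask="r"
apparmor="DENIED" operation="mknod" name="/dev/nvidiactl" requested_mask="c"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_denial(line):
    """Split one key="value" AppArmor audit line into a dict."""
    return dict(FIELD_RE.findall(line))

def suggest_rule(fields):
    """Map one parsed DENIED record to (apparmor_file_rule, reviewer_note).

    A name ending in '/' is a directory, so it gets the {,*} glob the
    neighbouring glvnd rules use.  A mknod request (mask 'c') is not granted
    as such: only 'rw' on an existing node, so the profile still cannot
    create device nodes (the choice the patch makes for /dev/nvidiactl).
    """
    name, mask, op = fields["name"], fields["requested_mask"], fields["operation"]
    if name.endswith("/"):
        name += "{,*}"
    if op == "mknod" or "c" in mask:
        return f'"{name}" rw,', "create requested; granted rw on existing node only"
    perms = "".join(ch for ch in "rwalkm" if ch in mask)  # canonical order
    return f'"{name}" {perms},', ""

def suggest_rules(audit_text):
    """Return candidate rules for every DENIED record in a block of audit lines."""
    out = []
    for line in audit_text.splitlines():
        f = parse_denial(line)
        if f.get("apparmor") == "DENIED" and "name" in f:
            out.append(suggest_rule(f))
    return out

def as_virt_aa_helper(rule):
    """Render a rule as the virBufferAddLit() line get_files() would emit."""
    return '    virBufferAddLit(&buf, " ' + rule.replace('"', '\\"') + '\\n");'

if __name__ == "__main__":
    for rule, note in suggest_rules(SAMPLE_DENIALS):
        print(as_virt_aa_helper(rule), "/* " + note + " */" if note else "")
```

The note on the nvidiactl line is the cue for the reviewer to decide, as Jamie did, whether rw on an existing node is acceptable rather than silently widening the profile.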