
On 12/5/19 12:11 PM, Arnaud Patard wrote:
When emulating a smartcard with host certificates, qemu needs to be able to read the certificate files. Add the necessary code to add the smartcard certificate file path to the apparmor profile.
Passthrough support has been tested with spicevmc and remote-viewer.
v2:
- Fix CodingStyle
- Add support for 'host' case.
- Add a comment to mention that the passthrough case doesn't need some configuration
- Use one rule with '{,*}' instead of two rules.
Signed-off-by: Arnaud Patard <apatard@hupstream.com>

Index: libvirt/src/security/virt-aa-helper.c =================================================================== --- libvirt.orig/src/security/virt-aa-helper.c +++ libvirt/src/security/virt-aa-helper.c @@ -1271,6 +1271,39 @@ get_files(vahControl * ctl) } }
+ for (i = 0; i < ctl->def->nsmartcards; i++) { + virDomainSmartcardDefPtr sc = ctl->def->smartcards[i]; + virDomainSmartcardType sc_type = sc->type; + char *sc_db = (char *)VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE; + if (sc->data.cert.database) + sc_db = sc->data.cert.database; + switch (sc_type) { + /* + * Note: At time of writing, to get this working, qemu seccomp sandbox has + * to be disabled or the host must be running QEMU with commit + * 9a1565a03b79d80b236bc7cc2dbce52a2ef3a1b8. + * It's possibly due to libcacard:vcard_emul_new_event_thread(), which calls + * PR_CreateThread(), which calls {g,s}etpriority(). And resourcecontrol seccomp + * filter forbids it (cf src/qemu/qemu_command.c which seems to always use + * resourcecontrol=deny). + */
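Review bot: in the new loop body, `sc->data.cert.database` is read and assigned to `sc_db` before the `switch (sc_type)` has established that this smartcard is of the host-certificates kind; the database lookup belongs under the host-certificates case, so that a passthrough device (which the added comment itself says needs no such configuration) never touches a member that is only meaningful for the certificates variant. While there, `char *sc_db = (char *)VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;` casts away const for a path that is only ever read; `const char *sc_db = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;` drops the cast. The hunk as quoted here ends inside the switch, so the case arms that actually add the path (including the 'host' case the v2 note mentions) are not visible for review in this copy.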
This doesn't seem like the type of thing to track in a permanent code comment, nor a commit message, but as part of the email discussion.

Otherwise, for the code, because I don't have a test setup:

Reviewed-by: Cole Robinson <crobinso@redhat.com>

If apparmor maintainers agree they can strip it out of the comment so it doesn't require a repost either way IMO

- Cole