Hi guys,
I have got a question. I need to add apparmor support for vhost-user socket
files used to communicate with the vhost-user server app. Those ones
defined with something like:
<interface type='vhostuser'>
<mac address='02:ed:f3:5d:de:f3'/>
<source type='unix'
path='/var/run/vrouter/uvh_vif_tapa8396c51-2a'
mode='client'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00'
slot='0x03'
function='0x0'/>
</interface>
I added something like this into get_files() function in virt-aa-helper.c:
for (i = 0; i < ctl->def->nnets; i++) {
if (ctl->def->nets[i] &&
ctl->def->nets[i]->type == VIR_DOMAIN_NET_TYPE_VHOSTUSER
&&
ctl->def->nets[i]->data.vhostuser) {
virDomainChrSourceDefPtr vhu =
ctl->def->nets[i]->data.vhostuser;
if (vah_add_file_chardev(&buf, vhu->data.nix.path, "rw",
vhu->type) != 0)
goto cleanup;
}
}
However, there is a restriction for the socket file types in valid_path()
function:
switch (sb.st_mode & S_IFMT) {
case S_IFSOCK:
return 1;
break;
default:
break;
}
That prevents this from working.
May I ask why the socket file types are restricted? Vhost-user uses sockets
so if I want to use apparmor virt-aa-helper has to be able to add the line
for the socket file into /etc/apparmor.d/libvirt/libvirt-UUID.files.
Regards,
Michal