On Mon, May 15, 2017 at 03:23:18PM +0200, Stefan Bader wrote:
> From: Serge Hallyn <serge.hallyn(a)ubuntu.com>
>
> Add fowner and fsetid to libvirt-qemu profile and add link
> to 9p file options in virt-aa-helper.
>
> Bug-Ubuntu: https://bugs.launchpad.net/bugs/1378434
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
> Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
> ---
> examples/apparmor/libvirt-qemu | 4 ++++
> src/security/virt-aa-helper.c | 2 +-
> 2 files changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index 89466c9..f04ce04 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -13,6 +13,10 @@
> capability setgid,
> capability setuid,
>
> + # for 9p
> + capability fsetid,
> + capability fowner,
> +
> network inet stream,
> network inet6 stream,
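Review bot: these two capability lines land in the shared libvirt-qemu abstraction, so every guest confined by it gains fowner and fsetid whether or not it has a 9p export, and both are broad (fowner bypasses the owner checks on chmod/chown-style operations, fsetid keeps setuid/setgid bits across file modifications). The `# for 9p` comment should name the 9p operation that actually needs them, and if they are only required when a filesystem passthrough is configured, emitting them from virt-aa-helper next to the per-VM path rules would keep them off guests without 9p. As the hunk is independent of the virt-aa-helper change it also reads better as its own patch.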
I would put this into a separate patch.
>
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index a2d5c21..667241b 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -1108,7 +1108,7 @@ get_files(vahControl * ctl)
> /* We don't need to add deny rw rules for readonly mounts,
> * this can only lead to troubles when mounting / readonly.
> */
> - if (vah_add_path(&buf, fs->src->path, fs->readonly ?
"R" : "rw", true) != 0)
> + if (vah_add_path(&buf, fs->src->path, fs->readonly ?
"R" : "rwl", true) != 0)
Given the recent QEMU 9pfs CVE that allowed access to paths outside src.path,
I would feel better if the rule produced something like
link subset src.path/** -> src.path/**,
instead of allowing links to /**.
I had hoped to gain additional feedback from other people, but I will start an
updated submission tomorrow, splitting this one back into the two halves as
suggested and merging the others (5+6 and 7+8) together.
-Stefan
Cheers,
-- Guido
> goto cleanup;
> }
> }
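Review bot: changing the mode string from "rw" to "rwl" grants link permission on the whole src path glob, and the `l` flag by itself does not tie the other end of a hard link to the export beyond whatever the profile's other file rules allow. If 9p needs hard links, an explicit `link subset src.path/** -> src.path/**,` rule that confines both ends to the export is the tighter form; either way the comment above the call only explains the read-only case and should be extended to say why link permission is needed. The read-only branch still passes "R", so read-only exports do not gain `l`; that looks intended but is worth stating in the commit message.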
> --
> 2.7.4
>
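To make the two rule shapes discussed in this thread concrete, here is an added illustration that is not part of the patch, of libvirt, or of any profile virt-aa-helper actually emits. The export path /srv/export is a constructed placeholder, and the exact rule a future virt-aa-helper would generate is an assumption.

```apparmor
# Added illustration only (not from the patch or libvirt).
# Constructed 9p export path: /srv/export

# (a) The shape produced by passing "rwl" to vah_add_path: the same glob
#     gets read, write and hard-link permission. The `l` flag on this rule
#     alone does not restrict where the other end of the link lies beyond
#     the profile's other file rules, which is the concern raised above.
"/srv/export/**" rwl,

# (b) The restricted shape suggested in the review: keep plain rw on the
#     export and add an explicit link rule so that both ends of any hard
#     link must sit under the export. `subset` additionally requires the
#     new name to carry no more permissions than the existing file.
"/srv/export/**" rw,
link subset "/srv/export/**" -> "/srv/export/**",
```

Checking which form a generated profile contains is a matter of reading the per-VM profile under /etc/apparmor.d/libvirt/ after virt-aa-helper has run, and `aa-logprof` or the audit log will show whether link operations are being denied if the restricted form is too tight for a given 9p security model.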
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list