
On 15.05.2017 18:13, Guido Günther wrote:
On Mon, May 15, 2017 at 03:23:18PM +0200, Stefan Bader wrote:
From: Serge Hallyn <serge.hallyn@ubuntu.com>
Add fowner and fsetid to libvirt-qemu profile and add link to 9p file options in virt-aa-helper.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1378434
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 examples/apparmor/libvirt-qemu | 4 ++++
 src/security/virt-aa-helper.c  | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 89466c9..f04ce04 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -13,6 +13,10 @@ capability setgid, capability setuid,
+ # for 9p + capability fsetid, + capability fowner, + network inet stream, network inet6 stream,
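Review bot: the "# for 9p" comment should say which 9p operations need these two capabilities, and the profile-wide scope deserves a sentence in the commit message. AppArmor capability rules are not path-scoped, so adding `capability fsetid,` and `capability fowner,` to the shared libvirt-qemu profile lets every confined QEMU process bypass the owner check on chmod/utime for files it does not own and keep set-user-ID/set-group-ID bits across writes, whether or not that domain has a filesystem device configured at all. If the capabilities are only needed for 9p exports, consider having virt-aa-helper emit them in the per-domain profile only when such a device is present, or document why the shared profile was chosen instead.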
I would put this into a separate patch.
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index a2d5c21..667241b 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1108,7 +1108,7 @@ get_files(vahControl * ctl) /* We don't need to add deny rw rules for readonly mounts, * this can only lead to troubles when mounting / readonly. */ - if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rw", true) != 0) + if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rwl", true) != 0)
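Review bot: neither the commit message ("add link to 9p file options") nor the hunk explains why a 9p export needs the `l` permission, and the comment above the changed line still only discusses the read-only case. Appending `l` to the permission string grants hard-link creation at src.path/** without confining where the other end of the link may lie, so the rule is wider than the exported directory it is meant to cover. Suggest the commit message state which guest operation requires link permission, that the code comment note that read-only mounts intentionally keep "R" and therefore get no link permission, and that a scoped rule constraining both link name and target to src.path/** (a `link subset` rule) be preferred over a bare `l` on the path.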
Given the recent QEMU 9pfs CVEs that allowed access to paths outside src.path, I would feel better if the rule produced something like
link subset src.path/** -> src.path/**,
instead of allowing links to /**.
I had hoped to gain additional feedback from other people, but will start an updated submission tomorrow, splitting this one back into the two halves as suggested and merging the others (5+6 and 7+8) together.

-Stefan
Cheers,
 -- Guido
goto cleanup; } } -- 2.7.4
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list