Re: [libvirt] [PATCH] virt-aa-helper: disallow VNC socket read permissions

On 04/11/2016 03:06 AM, Cedric Bosdonnat wrote: > On Fri, 2016-04-08 at 18:55 +0200, Guido Günther wrote: >> On Fri, Apr 08, 2016 at 09:01:33AM -0400, Cole Robinson wrote: >>> From: Simon Arlott <bugzilla.redhat.simon(a)arlott.org&gt; >>> >>> The VM does not need read permission for its own VNC socket to >>> create(), >>> bind(), accept() connections or to receive(), send(), etc. on >>> connections. >>> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1312573 >>> --- >>> src/security/virt-aa-helper.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa >>> -helper.c >>> index 50d2a08..a4cb409 100644 >>> --- a/src/security/virt-aa-helper.c >>> +++ b/src/security/virt-aa-helper.c >>> @@ -1062,7 +1062,7 @@ get_files(vahControl * ctl) >>> for (i = 0; i < ctl->def->ngraphics; i++) { >>> if (ctl->def->graphics[i]->type == >>> VIR_DOMAIN_GRAPHICS_TYPE_VNC && >>> ctl->def->graphics[i]->data.vnc.socket && >>> - vah_add_file(&buf, ctl->def->graphics[i] >>> ->data.vnc.socket, "rw")) >>> + vah_add_file(&buf, ctl->def->graphics[i] >>> ->data.vnc.socket, "w")) >>> goto cleanup; >>> } >> >> ACK. I'd be great if Jamie or Cedric would comment also though on >> this >> security sensitive stuff. > > I'm not a socket expert, but it sounds weird to me that recv doesn't > need read access to the socket file. ACK to this patch as long a read > is really not needed. > > Jamie, any thoughts? > Maybe someone with an apparmor setup can give it a test? <graphics type='vnc' socket='/tmp/foo.vnc'/> Then open the VM locally in virt-manager (virt-viewer probably has a URI for it too but I didn't figure it out. Make sure the app isn't using the libvirt OpenGraphics API though since that won't go through the actual socket)