Re: [libvirt] [PATCH] virt-aa-helper: disallow VNC socket read permissions

On Fri, Apr 08, 2016 at 09:01:33AM -0400, Cole Robinson wrote: > From: Simon Arlott <bugzilla.redhat.simon(a)arlott.org&gt; > > The VM does not need read permission for its own VNC socket to > create(), > bind(), accept() connections or to receive(), send(), etc. on > connections. > > https://bugzilla.redhat.com/show_bug.cgi?id=1312573 > --- > src/security/virt-aa-helper.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa > -helper.c > index 50d2a08..a4cb409 100644 > --- a/src/security/virt-aa-helper.c > +++ b/src/security/virt-aa-helper.c > @@ -1062,7 +1062,7 @@ get_files(vahControl * ctl) > for (i = 0; i < ctl->def->ngraphics; i++) { > if (ctl->def->graphics[i]->type == > VIR_DOMAIN_GRAPHICS_TYPE_VNC && > ctl->def->graphics[i]->data.vnc.socket && > - vah_add_file(&buf, ctl->def->graphics[i] > ->data.vnc.socket, "rw")) > + vah_add_file(&buf, ctl->def->graphics[i] > ->data.vnc.socket, "w")) > goto cleanup; > } ACK. I'd be great if Jamie or Cedric would comment also though on this security sensitive stuff.