
On Wed, 08 Apr 2020, Christian Ehrhardt wrote:
With libpmem support compiled into qemu it will trigger the following denials on every startup.
apparmor="DENIED" operation="open" name="/"
apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/"
This is due to [1] that tries to auto-detect if the platform supports auto flush for all region.
Once we know all the paths that are potentially needed if this feature is really used we can add them conditionally in virt-aa-helper and labelling calls in case </pmem> is enabled.
But until then the change here silences the denial warnings seen above.
[1]: https://github.com/pmem/pmdk/blob/master/src/libpmem2/auto_flush_linux.c#L13...
Bug: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1871354
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
src/security/apparmor/libvirt-qemu | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu index 80986aec61..602f5eb587 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -227,3 +227,8 @@ # required for sasl GSSAPI plugin /etc/gss/mech.d/ r, /etc/gss/mech.d/* r, + + # scanned on libpmem init, but harmless on any lsb compliant system + / r,
I suggest adjusting the comment for clarity. Eg:
# required by libpmem init
/ r,
# harmless on any lsb compliant system
/sys/bus/nd/devices/ r,
...
The '/' read is indeed fine.
+ /sys/bus/nd/devices/ r,
This also is fine.
+ /sys/bus/nd/devices/* r,
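Review bot: the third rule, "/sys/bus/nd/devices/* r,", is not backed by either of the two denials quoted in the commit message, which only show directory opens of "/" and "/sys/bus/nd/devices/"; either drop it until a denial for a concrete file is observed with the feature exercised, or name the specific attribute files libpmem reads and list those instead of the glob. Also worth stating in the comment: AppArmor's "*" matches a single path component and the kernel mediates the resolved path, so if libpmem follows the per-device symlinks under /sys/bus/nd/devices/ into files, this glob would not cover those opens anyway and the real /sys/devices/... targets would need their own rules, which is another reason to enumerate the paths rather than guess.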
Can you list what files libpmem init is looking at? I'm a bit uncomfortable with the glob here and would rather not guess that today's and all future files in /sys/bus/nd/devices are safe for all qemu processes to read.
--
Jamie Strandboge | http://www.canonical.com