So far we were detecting at guest start if any devices needed vhost-net
and only if that was true added a rule for /dev/vhost-net.
It turns out that it is an absolutely valid case to start a guest
without any vhost-net networking but later on wanting to hotplug such a
device, which then would be denied by apparmor.
Unfortunately there also is no security labeling callback involved other
than the one for /dev/net/tun. But on the other hand vhost-net is no longer
new and considered rather safe. Therefore drop the old detection and
just add it as a static rule.
Fixes:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1815910
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
src/security/apparmor/libvirt-qemu | 1 +
src/security/virt-aa-helper.c | 17 +----------------
2 files changed, 2 insertions(+), 16 deletions(-)
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index eaa5167525..a71f34c175 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -21,6 +21,7 @@
signal (receive) peer=/usr/sbin/libvirtd,
/dev/net/tun rw,
+ /dev/vhost-net rw,
/dev/kvm rw,
/dev/ptmx rw,
/dev/kqemu rw,
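Review bot: the added `/dev/vhost-net rw,` line makes the grant unconditional for every guest that includes this abstraction, including guests with no virtio networking and non-KVM domains that the removed virt-aa-helper check used to exclude. That is the trade-off the commit message argues for, but a one-line comment above the rule in the profile (for example `# static: hotplugged virtio NICs may need vhost-net`) would stop a future contributor from re-adding the dynamic detection. Also worth a sentence in the commit message: this file is installed as the libvirt-qemu abstraction under /etc/apparmor.d/abstractions/ and is commonly handled as a configuration file by distro packages, so installations with a locally modified copy will not pick the new rule up on upgrade and will keep seeing the hotplug denial.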
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 8e22e9978a..ebc4feac77 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -937,7 +937,7 @@ get_files(vahControl * ctl)
size_t i;
char *uuid;
char uuidstr[VIR_UUID_STRING_BUFLEN];
- bool needsVfio = false, needsvhost = false;
+ bool needsVfio = false;
/* verify uuid is same as what we were given on the command line */
virUUIDFormat(ctl->def->uuid, uuidstr);
@@ -1248,21 +1248,6 @@ get_files(vahControl * ctl)
}
}
- if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
- for (i = 0; i < ctl->def->nnets; i++) {
- virDomainNetDefPtr net = ctl->def->nets[i];
- if (net && net->model) {
- if (net->driver.virtio.name == VIR_DOMAIN_NET_BACKEND_TYPE_QEMU)
- continue;
- if (!virDomainNetIsVirtioModel(net))
- continue;
- }
- needsvhost = true;
- }
- }
- if (needsvhost)
- virBufferAddLit(&buf, " \"/dev/vhost-net\" rw,\n");
-
if (needsVfio) {
virBufferAddLit(&buf, " \"/dev/vfio/vfio\" rw,\n");
virBufferAddLit(&buf, " \"/dev/vfio/[0-9]*\" rw,\n");
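Review bot: deleting the whole block also drops the `ctl->def->virtType == VIR_DOMAIN_VIRT_KVM` guard, so the generated per-domain profile no longer distinguishes vhost-capable domains at all; that is consistent with the static rule in the abstraction, but the commit message only mentions the hotplug case and should state that non-KVM guests now receive the rule as well. It is also worth noting in the message that the removed detection was already conservative rather than precise: the `if (net && net->model)` branch only skipped qemu-backend and non-virtio models, so any network device without a model set fell through to `needsvhost = true`, which strengthens the case for dropping it. Finally, confirm that `i` (kept in the declarations above) still has other users in get_files() after this hunk so no unused-variable warning appears.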
--
2.17.1