[libvirt] Various apparmor related changes (part 2)

Over the years there have been a bunch of changes to the apparmor profiles and/or virt-aa-helper which have been carried in Debian/Ubuntu but never made it upstream.
In an attempt to clean this up and generally improve the apparmor based environments, we (Christian and I) went over the changes, cleaned out cruft as much as possible and would be sending out hunks of changes to this list for upstream inclusion.
This second batch consists partially of some reworked patches from the previous round and some more things which hopefully are simple enough and improve the upstream profiles.

5+6: Although these are Debian/Ubuntu specific, there are other paths which are specific for SuSE. So I wondered why not have both upstream.

9: Jamie, I know it has been a long time but do you remember what this resolved?

Thanks, Stefan

From: Simon McVittie <smcv@debian.org> The split firmware and variables files introduced by https://bugs.debian.org/764918 are in a different directory for some reason. Let the virtual machine read both. Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com> --- examples/apparmor/libvirt-qemu | 1 + src/security/virt-aa-helper.c | 1 + tests/virt-aa-helper-test | 7 ++++++- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index a9020aa..e0988bb 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -70,6 +70,7 @@ /usr/share/vgabios/** r, /usr/share/seabios/** r, /usr/share/ovmf/** r, + /usr/share/OVMF/** r, # access PKI infrastructure /etc/pki/libvirt-vnc/** r, diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 5f5d1cd..6c5fc28 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -512,6 +512,7 @@ valid_path(const char *path, const bool readonly) "/vmlinuz", "/initrd", "/initrd.img", + "/usr/share/OVMF/", /* for OVMF images */ "/usr/share/ovmf/" /* for OVMF images */ }; /* override the above with these */ diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test index 68e9399..c05afc1 100755 --- a/tests/virt-aa-helper-test +++ b/tests/virt-aa-helper-test 
@@ -296,8 +296,13 @@ if [ -f /usr/share/ovmf/OVMF.fd ]; then -e "s,###DISK###,$disk1,g" \ -e "s,</os>,<loader readonly='yes' type='pflash'>/usr/share/ovmf/OVMF.fd</loader></os>,g" "$template_xml" > "$test_xml" testme "0" "ovmf" "-r -u $valid_uuid" "$test_xml" +elif [ -f /usr/share/OVMF/OVMF.fd ]; then + sed -e "s,###UUID###,$uuid,g" \ + -e "s,###DISK###,$disk1,g" \ + -e "s,</os>,<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF.fd</loader></os>,g" "$template_xml" > "$test_xml" + testme "0" "ovmf" "-r -u $valid_uuid" "$test_xml" else - echo "Skipping OVMF test. Could not find /usr/share/ovmf/OVMF.fd" + echo "Skipping OVMF test. Could not find /usr/share/ovmf/OVMF.fd or /usr/share/OVMF/OVMF.fd" fi sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,</os>,<initrd>$tmpdir/initrd</initrd></os>,g" "$template_xml" > "$test_xml" -- 2.7.4
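Review bot: in the virt-aa-helper.c hunk the new `"/usr/share/OVMF/"` entry carries exactly the same comment as the existing `"/usr/share/ovmf/"` line below it; fold the two into one comment such as `/* for OVMF images, either directory spelling */` so the next reader does not mistake the pair for a copy-paste slip. The last element correctly stays without a trailing comma.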
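Review bot: the `elif` in the virt-aa-helper-test hunk means a host that has both /usr/share/ovmf/OVMF.fd and /usr/share/OVMF/OVMF.fd never exercises the new path, and the three-line sed block is duplicated verbatim with only the path changed; drive both cases from one helper that takes the firmware path as a parameter and runs whenever its file exists, so each location is tested independently.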

On Tue, May 23, 2017 at 06:22:39PM +0200, Stefan Bader wrote:
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
ACK. -- Guido

On Fri, Jun 02, 2017 at 08:46:26PM +0200, Guido Günther wrote:
On Tue, May 23, 2017 at 06:22:39PM +0200, Stefan Bader wrote:
ACK
Pushed. Thanks. -- Guido
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

From: Christian Ehrhardt <christian.ehrhardt@canonical.com> This replaces individual tests for firmware locations by a generic function which will simplify having additional locations in the future. Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com> --- tests/virt-aa-helper-test | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test index c05afc1..73f3080 100755 --- a/tests/virt-aa-helper-test +++ b/tests/virt-aa-helper-test @@ -145,6 +145,20 @@ testme() { fi } +testfw() { + title="$1" + fwpath="$2" + + if [ -f "$fwpath" ]; then + sed -e "s,###UUID###,$uuid,g" \ + -e "s,###DISK###,$disk1,g" \ + -e "s,</os>,<loader readonly='yes' type='pflash'>$fwpath</loader></os>,g" "$template_xml" > "$test_xml" + testme "0" "$title" "-r -u $valid_uuid" "$test_xml" + else + echo "Skipping FW $title test. Could not find $fwpath" + fi +} + # Expected failures echo "Expected failures:" >$output testme "1" "invalid arg" "-z" 
@@ -291,19 +305,8 @@ sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,</os>,<kernel>$tm touch "$tmpdir/kernel" testme "0" "kernel" "-r -u $valid_uuid" "$test_xml" -if [ -f /usr/share/ovmf/OVMF.fd ]; then - sed -e "s,###UUID###,$uuid,g" \ - -e "s,###DISK###,$disk1,g" \ - -e "s,</os>,<loader readonly='yes' type='pflash'>/usr/share/ovmf/OVMF.fd</loader></os>,g" "$template_xml" > "$test_xml" - testme "0" "ovmf" "-r -u $valid_uuid" "$test_xml" -elif [ -f /usr/share/OVMF/OVMF.fd ]; then - sed -e "s,###UUID###,$uuid,g" \ - -e "s,###DISK###,$disk1,g" \ - -e "s,</os>,<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF.fd</loader></os>,g" "$template_xml" > "$test_xml" - testme "0" "ovmf" "-r -u $valid_uuid" "$test_xml" -else - echo "Skipping OVMF test. Could not find /usr/share/ovmf/OVMF.fd or /usr/share/OVMF/OVMF.fd" -fi +testfw "ovmf (old path)" "/usr/share/ovmf/OVMF.fd" +testfw "OVMF (new path)" "/usr/share/OVMF/OVMF_CODE.fd" sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,</os>,<initrd>$tmpdir/initrd</initrd></os>,g" "$template_xml" > "$test_xml" touch "$tmpdir/initrd" -- 2.7.4
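Review bot: `testfw` interpolates `$fwpath` unescaped into a comma-delimited sed expression, so a path containing a comma or an ampersand would corrupt the generated loader element; that is acceptable for the fixed firmware paths used here but deserves a comment above the function. `title` and `fwpath` are plain globals rather than `local` variables, which is fine for a POSIX sh script as long as no caller depends on those names afterwards.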
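Review bot: the call `testfw "OVMF (new path)" "/usr/share/OVMF/OVMF_CODE.fd"` in the second hunk changes the tested file from OVMF.fd (what the removed `elif` branch looked for) to OVMF_CODE.fd, and the commit message ("replaces individual tests for firmware locations by a generic function") does not mention the rename; state it explicitly so the behaviour change is not hidden inside a refactor.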

On Tue, May 23, 2017 at 06:22:40PM +0200, Stefan Bader wrote:
ACK. -- Guido

On Fri, Jun 02, 2017 at 08:46:42PM +0200, Guido Günther wrote:
On Tue, May 23, 2017 at 06:22:40PM +0200, Stefan Bader wrote:
ACK
Pushed. Thanks. -- Guido

From: William Grant <wgrant@ubuntu.com> Allow access to aarch64 UEFI images. Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Guido Günther <agx@sigxcpu.org> --- examples/apparmor/libvirt-qemu | 2 ++ src/security/virt-aa-helper.c | 4 +++- tests/virt-aa-helper-test | 2 ++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index e0988bb..89466c9 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -71,6 +71,8 @@ /usr/share/seabios/** r, /usr/share/ovmf/** r, /usr/share/OVMF/** r, + /usr/share/AAVMF/** r, + /usr/share/qemu-efi/** r, # access PKI infrastructure /etc/pki/libvirt-vnc/** r, diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 6c5fc28..69e797c 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -513,7 +513,9 @@ valid_path(const char *path, const bool readonly) "/initrd", "/initrd.img", "/usr/share/OVMF/", /* for OVMF images */ - "/usr/share/ovmf/" /* for OVMF images */ + "/usr/share/ovmf/", /* for OVMF images */ + "/usr/share/AAVMF/", /* for AAVMF images */ + "/usr/share/qemu-efi/" /* for AAVMF images */ }; /* override the above with these */ const char * const override[] = { diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test index 73f3080..51072f6 100755 --- a/tests/virt-aa-helper-test +++ b/tests/virt-aa-helper-test @@ -307,6 +307,8 @@ testme "0" "kernel" "-r -u $valid_uuid" "$test_xml" testfw "ovmf (old path)" "/usr/share/ovmf/OVMF.fd" testfw "OVMF (new path)" "/usr/share/OVMF/OVMF_CODE.fd" +testfw "AAVMF" "/usr/share/AAVMF/AAVMF_CODE.fd" +testfw "qemu-efi" "/usr/share/qemu-efi/QEMU_EFI.fd" sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,</os>,<initrd>$tmpdir/initrd</initrd></os>,g" "$template_xml" > "$test_xml" touch "$tmpdir/initrd" -- 2.7.4
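Review bot: in the virt-aa-helper.c hunk the comment on `"/usr/share/qemu-efi/"` reads `/* for AAVMF images */`, identical to the AAVMF line above it; write `/* for qemu-efi (AAVMF) images */` so the two entries are distinguishable, matching the distinct "AAVMF" and "qemu-efi" titles the test hunk uses.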

On Tue, May 23, 2017 at 06:22:41PM +0200, Stefan Bader wrote:
Pushed. Thanks. -- Guido

From: Serge Hallyn <serge.hallyn@ubuntu.com> Updates profile to allow running on ppc64el. Bug-Ubuntu: https://bugs.launchpad.net/bugs/1374554 Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com> --- examples/apparmor/libvirt-qemu | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 89466c9..7fa512f 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -73,6 +73,7 @@ /usr/share/OVMF/** r, /usr/share/AAVMF/** r, /usr/share/qemu-efi/** r, + /usr/share/slof/** r, # access PKI infrastructure /etc/pki/libvirt-vnc/** r, @@ -154,3 +155,8 @@ /etc/udev/udev.conf r, /sys/bus/ r, /sys/class/ r, + + # for ppc device-tree access + @{PROC}/device-tree/ r, + @{PROC}/device-tree/** r, + /sys/firmware/devicetree/** r, -- 2.7.4
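Review bot: the second hunk's comment says the device-tree rules are "for ppc", but libvirt-qemu is a shared profile, so `@{PROC}/device-tree/** r` and `/sys/firmware/devicetree/** r` apply to every qemu process on every architecture the profile is loaded on; either say in the commit message that this host-information exposure is intended, or have virt-aa-helper emit the rules only for ppc guests. The commit message should also mention that `/usr/share/slof/** r` in the first hunk is the SLOF firmware, since "allow running on ppc64el" does not explain that line.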

On Tue, May 23, 2017 at 06:22:42PM +0200, Stefan Bader wrote:
ACK -- Guido

On Sun, Jun 04, 2017 at 04:41:58PM +0200, Guido Günther wrote:
On Tue, May 23, 2017 at 06:22:42PM +0200, Stefan Bader wrote:
ACK
Pushed. Thanks. -- Guido

In Debian/Ubuntu the pygrub command is located under /usr/lib/xen-<version>/bin/pygrub. Bug-Ubuntu: https://bugs.launchpad.net/bugs/1326003 Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com> --- examples/apparmor/usr.sbin.libvirtd | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 353b039..f43bfd5 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -50,6 +50,7 @@ /{usr/,}lib/udev/scsi_id PUx, /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, /usr/{lib,lib64}/xen/bin/* Ux, + /usr/lib/xen-*/bin/pygrub PUx, # force the use of virt-aa-helper audit deny /{usr/,}sbin/apparmor_parser rwxl, -- 2.7.4
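Review bot: the new rule `/usr/lib/xen-*/bin/pygrub PUx,` drops the `{lib,lib64}` alternation the neighbouring xen rules use; unless Debian/Ubuntu never install Xen under /usr/lib64, write `/usr/{lib,lib64}/xen-*/bin/pygrub PUx,` for consistency. `PUx` matches the xen-toolstack rule above it, meaning pygrub runs unconfined whenever no profile of its own is loaded; that is worth one sentence in the commit message.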

On Debian/Ubuntu the libxl-save-helper (used when saving/restoring a domain through libxl) is located under /usr/lib/xen-<version>/bin. Bug-Ubuntu: https://bugs.launchpad.net/bugs/1334195 Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com> --- examples/apparmor/usr.sbin.libvirtd | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index f43bfd5..64f6d2c 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -51,6 +51,7 @@ /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, /usr/{lib,lib64}/xen/bin/* Ux, /usr/lib/xen-*/bin/pygrub PUx, + /usr/lib/xen-*/bin/libxl-save-helper PUx, # force the use of virt-aa-helper audit deny /{usr/,}sbin/apparmor_parser rwxl, -- 2.7.4
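Review bot: this adds a second rule with the same directory prefix and the same `PUx` mode as the pygrub line directly above it; collapse the two into `/usr/lib/xen-*/bin/{pygrub,libxl-save-helper} PUx,` so further xen-* helpers are added in one place, and, as with pygrub, consider the `{lib,lib64}` form used by the other xen rules.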

On Tue, May 23, 2017 at 06:22:44PM +0200, Stefan Bader wrote:
Ack. It would be nice if patches to help libvirtd would be split from ones that handle qemu confinement (virt-aa-helper, libvirt-qemu).
Cheers, -- Guido

On Fri, Jun 02, 2017 at 08:58:57PM +0200, Guido Günther wrote:
On Tue, May 23, 2017 at 06:22:44PM +0200, Stefan Bader wrote:
Ack. It would be nice if patches to help libvirtd would be split from ones that handle qemu confinement (virt-aa-helper, libvirt-qemu).
Pushed. Thanks. -- Guido

From: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com> --- examples/apparmor/libvirt-qemu | 3 +++ 1 file changed, 3 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 7fa512f..fddc93a 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -156,6 +156,9 @@ /sys/bus/ r, /sys/class/ r, + # for rbd + /etc/ceph/ceph.conf r, + # for ppc device-tree access @{PROC}/device-tree/ r, @{PROC}/device-tree/** r, -- 2.7.4
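Review bot: the commit message has no body; it should say why every qemu process gets `/etc/ceph/ceph.conf r` (rbd-backed disks) and that the rule is unconditional rather than emitted by virt-aa-helper only for a domain that actually has an rbd disk, so reviewers can judge the scope. Note too that the rule names only ceph.conf itself, so any keyring files it refers to stay inaccessible to the guest process.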

On Tue, May 23, 2017 at 06:22:45PM +0200, Stefan Bader wrote:
+ # for rbd + /etc/ceph/ceph.conf r, +
Shouldn't this only be added when ceph is in use? Cheers, -- Guido

On Fri, Jun 2, 2017 at 12:57 PM, Guido Günther <agx@sigxcpu.org> wrote:
Shouldn't this only be added when ceph is in use? Cheers, -- Guido
Yeah it is part of a category of rules where in a perfect world we would write virt-aa-helper code for each of them. In this particular case I think the existence of the following would be the trigger:
<disk type='network'> [...] <source protocol="rbd"
Yet for some cases - like this one - the "opening" we are doing in regard to apparmor is quite small and maybe the burden to create (and maintain) it in virt-aa-helper is too much.
So I'd appreciate if that change could be considered as-is - otherwise please let me know - I'll then add it to a bunch of issues of the category "needs to be done in virt-aa-helper" which I already track.
-- Christian Ehrhardt, Software Engineer, Ubuntu Server, Canonical Ltd

On Wed, Jun 07, 2017 at 10:44:59AM -0600, Christian Ehrhardt wrote:
I was under the impression that ceph.conf might contain sensitive data which we might not want to open up to all domains but looking at http://docs.ceph.com/docs/jewel/rados/configuration/ceph-conf/ this does not seem to be the case so this is probably o.k.
Cheers, -- Guido

On Wed, Jun 07, 2017 at 07:00:56PM +0200, Guido Günther wrote:
Pushed. Thanks. -- Guido

From: Guilhem Lettron <guilhem+ubuntu@lettron.fr> Add rule to allow access to /dev/tap* used by macvtap. Bug-Ubuntu: https://bugs.launchpad.net/bugs/921870 Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com> --- examples/apparmor/libvirt-qemu | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index fddc93a..e2b0dfd 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -17,6 +17,7 @@ network inet6 stream, /dev/net/tun rw, + /dev/tap* rw, /dev/kvm rw, /dev/ptmx rw, /dev/kqemu rw, -- 2.7.4
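Review bot: `/dev/tap* rw,` gives every confined guest read/write access to every macvtap device on the host, including the ones created for other guests, because libvirt-qemu is a shared profile; the existing `/dev/net/tun rw,` line has similar breadth, but macvtap devices are per-interface, so the safer form is a per-domain `/dev/tapN rw,` rule emitted by virt-aa-helper for the domains that actually use a macvtap interface. If the static rule is accepted as an interim step, the commit message should say so and reference the tracked follow-up.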

On Tue, May 23, 2017 at 06:22:46PM +0200, Stefan Bader wrote:
From: Guilhem Lettron <guilhem+ubuntu@lettron.fr>
Add rule to allow access to /dev/tap* used by macvtap.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/921870
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com> --- examples/apparmor/libvirt-qemu | 1 + 1 file changed, 1 insertion(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index fddc93a..e2b0dfd 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -17,6 +17,7 @@ network inet6 stream,
/dev/net/tun rw, + /dev/tap* rw, /dev/kvm rw, /dev/ptmx rw, /dev/kqemu rw,
Shouldn't this only be added when macvtap is in use? Cheers, -- Guido
-- 2.7.4
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

On Fri, Jun 2, 2017 at 12:55 PM, Guido Günther <agx@sigxcpu.org> wrote:
Shouldn't this only be added when macvtap is in use? Cheers, -- Guido
Right again - as the ceph change this is part of a category of rules where in a perfect world we would write virt-aa-helper code for each of them. In this particular case allowing that in general might be less safe, so I agree to lean towards virt-aa-helper if possible. OTOH I'm not sure virt-aa-helper can easily detect that from the guest context that it has access to, it might need to reach out to the network config and I'm not sure if we have a case doing that already one could easily build on implementing this. If(f) that is done - and working it might be down to knowing the exact tap device and only add that. That said if one is willing to consider this patch as-is that would be great until implemented more granularly via virt-aa-helper - but otherwise please let me know - I'll then add it to a bunch of issues of the category "needs to be done in virt-aa-helper" which I already track. -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd

From: Jamie Strandboge <jamie@ubuntu.com> Allow qemu to read @{PROC}/sys/vm/overcommit_memory. Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com> --- examples/apparmor/libvirt-qemu | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index e2b0dfd..89525b3 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -26,6 +26,7 @@ # only modify its comm value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, @{PROC}/sys/kernel/cap_last_cap r, + @{PROC}/sys/vm/overcommit_memory r, # For hostdev access. The actual devices will be added dynamically /sys/bus/usb/devices/ r, -- 2.7.4
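Review bot: the commit message gives no rationale for why qemu needs `@{PROC}/sys/vm/overcommit_memory r,`, so the reason should be recorded in the message or in a comment beside the rule before it goes in; a bare "Allow qemu to read ..." does not tell a future maintainer whether the rule can ever be dropped. The rule itself is read-only on a single sysctl file and does not widen the profile meaningfully, so once the rationale is captured it looks fine.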

From: Serge Hallyn <serge.hallyn@ubuntu.com> When setting up VncTLS according to the official Libvirt documentation, only one certificate for libvirt/libvirt-vnc is used. The document indicates to use the following directories : /etc/pki/CA /etc/pki/libvirt /etc/pki/libvirt/private in order to manage the certificates used by libvirt-vnc. Bug-Ubuntu: https://bugs.launchpad.net/bugs/901272 Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com> --- examples/apparmor/libvirt-qemu | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 89525b3..e990ab4 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -144,6 +144,12 @@ /usr/{lib,lib64}/qemu/block-curl.so mr, /usr/{lib,lib64}/qemu/block-rbd.so mr, + # for use by libvirt-vnc (LP: #901272) + /etc/pki/CA/ r, + /etc/pki/CA/* r, + /etc/pki/libvirt/ r, + /etc/pki/libvirt/** r, + # for save and resume /{usr/,}bin/dash rmix, /{usr/,}bin/dd rmix, -- 2.7.4
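Review bot: `/etc/pki/libvirt/** r,` is recursive and therefore also covers `/etc/pki/libvirt/private/`, one of the directories the commit message names, so every guest's qemu process gains read access to the private key material kept there, not only a domain that actually has VNC TLS configured. As with the other conditional rules in this series, the safer shape is to have virt-aa-helper add the `/etc/pki/libvirt/` and `/etc/pki/CA/` rules only for domains with TLS-enabled graphics, and in either case the commit message should say why the shared libvirt certificate directory (rather than a VNC-specific one) has to be readable by qemu.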

On Tue, May 23, 2017 at 06:22:48PM +0200, Stefan Bader wrote:
From: Serge Hallyn <serge.hallyn@ubuntu.com>
When setting up VncTLS according to the official Libvirt documentation, only one certificate for libvirt/libvirt-vnc is used. The document indicates to use the following directories:
/etc/pki/CA /etc/pki/libvirt /etc/pki/libvirt/private
in order to manage the certificates used by libvirt-vnc.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/901272
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com> --- examples/apparmor/libvirt-qemu | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 89525b3..e990ab4 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -144,6 +144,12 @@ /usr/{lib,lib64}/qemu/block-curl.so mr, /usr/{lib,lib64}/qemu/block-rbd.so mr,
+ # for use by libvirt-vnc (LP: #901272) + /etc/pki/CA/ r, + /etc/pki/CA/* r, + /etc/pki/libvirt/ r, + /etc/pki/libvirt/** r, + # for save and resume /{usr/,}bin/dash rmix, /{usr/,}bin/dd rmix, -- 2.7.4
ACK. -- Guido

On Fri, Jun 02, 2017 at 09:01:49PM +0200, Guido Günther wrote:
On Tue, May 23, 2017 at 06:22:48PM +0200, Stefan Bader wrote:
From: Serge Hallyn <serge.hallyn@ubuntu.com>
When setting up VncTLS according to the official Libvirt documentation, only one certificate for libvirt/libvirt-vnc is used. The document indicates to use the following directories:
/etc/pki/CA /etc/pki/libvirt /etc/pki/libvirt/private
in order to manage the certificates used by libvirt-vnc.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/901272
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com> --- examples/apparmor/libvirt-qemu | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 89525b3..e990ab4 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -144,6 +144,12 @@ /usr/{lib,lib64}/qemu/block-curl.so mr, /usr/{lib,lib64}/qemu/block-rbd.so mr,
+ # for use by libvirt-vnc (LP: #901272) + /etc/pki/CA/ r, + /etc/pki/CA/* r, + /etc/pki/libvirt/ r, + /etc/pki/libvirt/** r, + # for save and resume /{usr/,}bin/dash rmix, /{usr/,}bin/dd rmix, -- 2.7.4
ACK
Pushed. Thanks. -- Guido
-- Guido