3:46 a.m.
Hi,
here a few more apparmor fixes for your review.
One is for an Ubuntu bug [1] which is non fatal, but denies a qemu fix to
fully work.
The other one I was carried in Ubuntu for some time and is related to ipv6
only setups where virt-aa-helper can fail if not permitted inet6.
[1]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1729626
Christian Ehrhardt (2):
apparmor: allow qemu to read max_segments
apparmor, virt-aa-helper: allow ipv6
examples/apparmor/libvirt-qemu | 3 +++
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 1 +
2 files changed, 4 insertions(+)
--
2.7.4
3:46 a.m.
New subject: [libvirt] [PATCH 1/2] apparmor: allow qemu to read max_segments
Since qemu 2.9 via 9103f1ce "file-posix: Consider max_segments for
BlockLimits.max_transfer" this is a new access that is denied by the
qemu profile.
It is non fatal, but prevents the fix mentioned to actually work.
It should be safe to allow reading from that path.
Since qemu opens a symlink path we need to translate that for apparmor from
"/sys/dev/block/*/queue/max_segments" to
"/sys/devices/**/block/*/queue/max_segments"
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
examples/apparmor/libvirt-qemu | 3 +++
1 file changed, 3 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 97dd2d4..064501f 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -169,6 +169,9 @@
# for rbd
/etc/ceph/ceph.conf r,
+ # for file-posix getting limits since 9103f1ce
+ /sys/devices/**/block/*/queue/max_segments r,
+
# for ppc device-tree access
@{PROC}/device-tree/ r,
@{PROC}/device-tree/** r,
--
2.7.4
11 a.m.
New subject: [libvirt] [PATCH 1/2] apparmor: allow qemu to read max_segments
On Fri, 2017-11-03 at 09:46 +0100, Christian Ehrhardt wrote:
Since qemu 2.9 via 9103f1ce "file-posix: Consider max_segments
for
BlockLimits.max_transfer" this is a new access that is denied by the
qemu profile.
It is non fatal, but prevents the fix mentioned to actually work.
It should be safe to allow reading from that path.
Since qemu opens a symlink path we need to translate that for
apparmor from
"/sys/dev/block/*/queue/max_segments" to
"/sys/devices/**/block/*/queue/max_segments"
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
examples/apparmor/libvirt-qemu | 3 +++
1 file changed, 3 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu
b/examples/apparmor/libvirt-qemu
index 97dd2d4..064501f 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -169,6 +169,9 @@
# for rbd
/etc/ceph/ceph.conf r,
+ # for file-posix getting limits since 9103f1ce
+ /sys/devices/**/block/*/queue/max_segments r,
+
# for ppc device-tree access
@{PROC}/device-tree/ r,
@{PROC}/device-tree/** r,
This LGTM. Thanks for the patch!
--
Jamie Strandboge | http://www.canonical.com
3:46 a.m.
New subject: [libvirt] [PATCH 2/2] apparmor, virt-aa-helper: allow ipv6
In case ipv6 is used the network inet6 permission is required for
virt-aa-helper.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 1 +
1 file changed, 1 insertion(+)
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index 012080c..bd6181d 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -10,6 +10,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
# needed for when disk is on a network filesystem
network inet,
+ network inet6,
deny @{PROC}/[0-9]*/mounts r,
@{PROC}/[0-9]*/net/psched r,
--
2.7.4
11:01 a.m.
New subject: [libvirt] [PATCH 2/2] apparmor, virt-aa-helper: allow ipv6
On Fri, 2017-11-03 at 09:46 +0100, Christian Ehrhardt wrote:
In case ipv6 is used the network inet6 permission is required for
virt-aa-helper.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 1 +
1 file changed, 1 insertion(+)
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index 012080c..bd6181d 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -10,6 +10,7 @@ profile virt-aa-helper
/usr/{lib,lib64}/libvirt/virt-aa-helper {
# needed for when disk is on a network filesystem
network inet,
+ network inet6,
deny @{PROC}/[0-9]*/mounts r,
@{PROC}/[0-9]*/net/psched r,
LGTM. Thanks!
--
Jamie Strandboge | http://www.canonical.com
10:04 a.m.
On 11/03/2017 09:46 AM, Christian Ehrhardt wrote:
Hi,
here a few more apparmor fixes for your review.
One is for an Ubuntu bug [1] which is non fatal, but denies a qemu fix to
fully work.
The other one I was carried in Ubuntu for some time and is related to ipv6
only setups where virt-aa-helper can fail if not permitted inet6.
[1]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1729626
Christian Ehrhardt (2):
apparmor: allow qemu to read max_segments
apparmor, virt-aa-helper: allow ipv6
examples/apparmor/libvirt-qemu | 3 +++
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 1 +
2 files changed, 4 insertions(+)
Pushed, thanks.
Michal
2553
days inactive
2557
days old
5 comments
3 participants
participants (3)
-
Christian Ehrhardt -
Jamie Strandboge -
Michal Privoznik