[libvirt] [PATCH 0/2] Misc apparmor fixes

Hi, here are a few more apparmor fixes for your review.
One is for an Ubuntu bug [1] which is non fatal, but denies a qemu fix to fully work.
The other one I have carried in Ubuntu for some time and is related to ipv6 only setups where virt-aa-helper can fail if not permitted inet6.

[1]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1729626

Christian Ehrhardt (2):
  apparmor: allow qemu to read max_segments
  apparmor, virt-aa-helper: allow ipv6

 examples/apparmor/libvirt-qemu                   | 3 +++
 examples/apparmor/usr.lib.libvirt.virt-aa-helper | 1 +
 2 files changed, 4 insertions(+)

-- 
2.7.4

Since qemu 2.9 via 9103f1ce "file-posix: Consider max_segments for BlockLimits.max_transfer" this is a new access that is denied by the qemu profile. It is non fatal, but prevents the fix mentioned to actually work. It should be safe to allow reading from that path. Since qemu opens a symlink path we need to translate that for apparmor from "/sys/dev/block/*/queue/max_segments" to "/sys/devices/**/block/*/queue/max_segments" Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> --- examples/apparmor/libvirt-qemu | 3 +++ 1 file changed, 3 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 97dd2d4..064501f 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -169,6 +169,9 @@ # for rbd /etc/ceph/ceph.conf r, + # for file-posix getting limits since 9103f1ce + /sys/devices/**/block/*/queue/max_segments r, + # for ppc device-tree access @{PROC}/device-tree/ r, @{PROC}/device-tree/** r, -- 2.7.4
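Review bot: the profile comment `# for file-posix getting limits since 9103f1ce` cites a commit hash without naming the project, so someone reading libvirt-qemu later will look for 9103f1ce in libvirt's history and not find it; suggest `# for file-posix getting limits since qemu 9103f1ce` to match the commit message, which says the access appeared in qemu 2.9. The rule itself looks right: qemu opens `/sys/dev/block/*/queue/max_segments`, AppArmor matches the resolved target, and the grant is a single `r` on the `queue/max_segments` attribute below `/sys/devices/**/block/*`, so the wide `**` does not expose anything beyond that one read-only sysfs file.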

On Fri, 2017-11-03 at 09:46 +0100, Christian Ehrhardt wrote:
Since qemu 2.9 via 9103f1ce "file-posix: Consider max_segments for BlockLimits.max_transfer" this is a new access that is denied by the qemu profile.
It is non fatal, but prevents the fix mentioned to actually work. It should be safe to allow reading from that path.
Since qemu opens a symlink path we need to translate that for apparmor from "/sys/dev/block/*/queue/max_segments" to "/sys/devices/**/block/*/queue/max_segments"
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> --- examples/apparmor/libvirt-qemu | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 97dd2d4..064501f 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -169,6 +169,9 @@ # for rbd /etc/ceph/ceph.conf r,
+ # for file-posix getting limits since 9103f1ce + /sys/devices/**/block/*/queue/max_segments r, + # for ppc device-tree access @{PROC}/device-tree/ r, @{PROC}/device-tree/** r,
This LGTM. Thanks for the patch! -- Jamie Strandboge | http://www.canonical.com

In case ipv6 is used the network inet6 permission is required for virt-aa-helper. Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> --- examples/apparmor/usr.lib.libvirt.virt-aa-helper | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper index 012080c..bd6181d 100644 --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper +++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper @@ -10,6 +10,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { # needed for when disk is on a network filesystem network inet, + network inet6, deny @{PROC}/[0-9]*/mounts r, @{PROC}/[0-9]*/net/psched r, -- 2.7.4
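Review bot: the new `network inet6,` rule is as broad as the existing `network inet,` line it sits next to (any socket type and protocol), which is consistent with the rule it mirrors and lands under the same `# needed for when disk is on a network filesystem` comment, so the profile reads coherently. The commit message, however, only says the permission "is required" without naming the operation that was denied; consider adding the audit denial line or the virt-aa-helper code path that needs the socket, so a future profile review can tell whether the rule could be narrowed by socket type the way the cover letter's "ipv6 only setups" wording suggests.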

On Fri, 2017-11-03 at 09:46 +0100, Christian Ehrhardt wrote:
In case ipv6 is used the network inet6 permission is required for virt-aa-helper.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> --- examples/apparmor/usr.lib.libvirt.virt-aa-helper | 1 + 1 file changed, 1 insertion(+)
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper index 012080c..bd6181d 100644 --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper +++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper @@ -10,6 +10,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
# needed for when disk is on a network filesystem network inet, + network inet6,
deny @{PROC}/[0-9]*/mounts r, @{PROC}/[0-9]*/net/psched r,
LGTM. Thanks! -- Jamie Strandboge | http://www.canonical.com

On 11/03/2017 09:46 AM, Christian Ehrhardt wrote:
Hi, here are a few more apparmor fixes for your review.
One is for an Ubuntu bug [1] which is non fatal, but denies a qemu fix to fully work. The other one I have carried in Ubuntu for some time and is related to ipv6 only setups where virt-aa-helper can fail if not permitted inet6.
[1]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1729626
Christian Ehrhardt (2): apparmor: allow qemu to read max_segments apparmor, virt-aa-helper: allow ipv6
examples/apparmor/libvirt-qemu | 3 +++ examples/apparmor/usr.lib.libvirt.virt-aa-helper | 1 + 2 files changed, 4 insertions(+)
Pushed, thanks. Michal