[libvirt] [patch] Add support for OVMF in virt-aa-helper [Was: [apparmor] virt-aa-helper: does not support OVMF?]
10:59 a.m.
Hi,
[please Cc me any reply, I'm not subscribed to libvir-list.]
it was reported [1] to Ubuntu that virt-aa-helper blocks access to the
OVMF files needed to boot UEFI virtual machines in QEMU. After I've
confirmed that on Debian sid, Jamie Strandboge suggested a fix.
I've successfully tested in my environment (applied on top of 1.2.18)
so I'm forwarding it here.
[1] https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1483071
Cheers,
--
intrigeri
11:19 a.m.
On 08/12/2015 10:59 AM, intrigeri(a)debian.org wrote:
Hi,
[please Cc me any reply, I'm not subscribed to libvir-list.]
it was reported [1] to Ubuntu that virt-aa-helper blocks access to the
OVMF files needed to boot UEFI virtual machines in QEMU. After I've
confirmed that on Debian sid, Jamie Strandboge suggested a fix.
I've successfully tested in my environment (applied on top of 1.2.18)
so I'm forwarding it here.
[1] https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1483071
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 4ce1e7a..357dde4 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -572,8 +572,9 @@ valid_path(const char *path, const bool readonly)
};
/* override the above with these */
const char * const override[] = {
- "/sys/devices/pci", /* for hostdev pci devices */
- "/etc/libvirt-sandbox/services/" /* for virt-sandbox service config */
+ "/sys/devices/pci", /* for hostdev pci devices */
+ "/etc/libvirt-sandbox/services/", /* for virt-sandbox service config
*/
+ "/usr/share/ovmf/" /* for OVMF images */
};
if (path == NULL) {
Unsurprisingly, this looks good to me.
ACK
--
Jamie Strandboge http://www.ubuntu.com/
2:55 a.m.
On Wed, Aug 12, 2015 at 11:19:54AM -0500, Jamie Strandboge wrote:
On 08/12/2015 10:59 AM, intrigeri(a)debian.org wrote:
> Hi,
>
> [please Cc me any reply, I'm not subscribed to libvir-list.]
>
> it was reported [1] to Ubuntu that virt-aa-helper blocks access to the
> OVMF files needed to boot UEFI virtual machines in QEMU. After I've
> confirmed that on Debian sid, Jamie Strandboge suggested a fix.
> I've successfully tested in my environment (applied on top of 1.2.18)
> so I'm forwarding it here.
>
> [1] https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1483071
>
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 4ce1e7a..357dde4 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -572,8 +572,9 @@ valid_path(const char *path, const bool readonly)
};
/* override the above with these */
const char * const override[] = {
- "/sys/devices/pci", /* for hostdev pci devices */
- "/etc/libvirt-sandbox/services/" /* for virt-sandbox service config */
+ "/sys/devices/pci", /* for hostdev pci devices */
+ "/etc/libvirt-sandbox/services/", /* for virt-sandbox service config
*/
+ "/usr/share/ovmf/" /* for OVMF images */
};
Disclaimer: I know nearly nothing about the apparmor insides, so
please excuse any inappropriate ideas.
Good catch, this makes sense, but to be strictly precise about this, I
would say this makes the directory accessible for R/W, but readonly
would be enough, wouldn't it? There could be a small code adjustment,
I'd even dare calling it a clean-up, that would make it possible for
this direcotry to be put in the 'restricted_rw'. It would change the
semantic a bit, but since there is no path that could start with
string from both 'restricted' and 'restricted_rw' currently, I don't
see a problem there.
if (path == NULL) {
Unsurprisingly, this looks good to me.
ACK
Consider my idea of moving the line (and maybe some others from
'override') to 'restricted_rw' after applying the following patch.
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 4ce1e7a20590..2eae3eebdecf 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -595,18 +595,19 @@ valid_path(const char *path, const bool readonly)
vah_warning(_("path does not exist, skipping file type checks"));
opaths = sizeof(override)/sizeof(*(override));
-
- npaths = sizeof(restricted)/sizeof(*(restricted));
- if (array_starts_with(path, restricted, npaths) == 0 &&
- array_starts_with(path, override, opaths) != 0)
- return 1;
+ if (array_starts_with(path, override, opaths) == 0)
+ return 0;
npaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));
- if (!readonly) {
+ if (readonly) {
if (array_starts_with(path, restricted_rw, npaths) == 0)
- return 1;
+ return 0;
}
+ npaths = sizeof(restricted)/sizeof(*(restricted));
+ if (array_starts_with(path, restricted, npaths) != 0)
+ return 1;
+
return 0;
}
--
Martin
3:24 a.m.
Hi,
Martin Kletzander wrote (13 Aug 2015 07:55:54 GMT) :
Good catch, this makes sense, but to be strictly precise about this,
I
would say this makes the directory accessible for R/W, but readonly
would be enough, wouldn't it?
Yes.
There could be a small code adjustment,
I'd even dare calling it a clean-up, that would make it possible for
this direcotry to be put in the 'restricted_rw'. It would change the
semantic a bit, but since there is no path that could start with
string from both 'restricted' and 'restricted_rw' currently, I don't
see a problem there.
Great idea, the proposed logic looks fine to me. I'm not skilled
enough at C to review the actual patch, though.
Cheers,
--
intrigeri
3354
days inactive
3355
days old
3 comments
4 participants
participants (4)
-
intrigeri -
intrigeri@debian.org
-
Jamie Strandboge -
Martin Kletzander