[PATCH 0/1] virt-aa-helper: allow hard links for mounts

I'm suggesting to add the AppArmor permission "l" on libvirt export paths to allow guests to create hard links, which is currently a problem for 9pfs mounts. Since the suggested patch would affect virtiofs as well, I would ask David and Stefan for feedback. If necessary I would change the patch to exclude virtiofs from this change.

Christian Schoenebeck (1):
  virt-aa-helper: allow hard links for mounts

 src/security/virt-aa-helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.20.1
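The rules this series talks about end up in the per-domain profile that virt-aa-helper generates. The checker below is an added example, not code from libvirt or from this patch: it parses a constructed profile snippet and lists every writable export rule that lacks the "l" permission the patch grants. The `"<path>" <perms>,` rule shape, the export root /srv/export/ and all file names in the sample are assumptions, not taken from the thread, and the readonly export is written as plain `r`; the example does not try to reproduce how vah_add_path renders its internal "R" code.

```python
"""Flag libvirt AppArmor export rules that are writable but lack 'l'.

Added example, not part of libvirt or of this patch. The sample profile
below is constructed; the rule shape ("<path>" <perms>,) is an assumption
about what virt-aa-helper writes under /etc/apparmor.d/libvirt/.
"""
import re

# Constructed sample (not real virt-aa-helper output): one read-write export
# still carrying the pre-patch "rw" rule, one already granting "rwl", one
# readonly export, and a disk image rule that is not an export at all.
SAMPLE_PROFILE = """\
  "/srv/export/shared/" rw,
  "/srv/export/shared/**" rw,
  "/srv/export/build/" rwl,
  "/srv/export/build/**" rwl,
  "/srv/export/iso/" r,
  "/srv/export/iso/**" r,
  "/var/lib/libvirt/images/vm.qcow2" rwk,
"""

# One quoted path, whitespace, a run of permission letters, trailing comma.
RULE_RE = re.compile(r'^\s*"(?P<path>[^"]+)"\s+(?P<perms>[A-Za-z]+),\s*$')


def parse_rules(profile_text):
    """Return (path, perms) for every simple file rule in the profile text."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("path"), m.group("perms")))
    return rules


def _under(path, root):
    """True if path is root itself or lies below it."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def exports_missing_link(profile_text, export_roots):
    """Return export paths that grant 'w' but not 'l'.

    Rules without 'w' are skipped on purpose: a guest cannot create a hard
    link on a readonly mount anyway, so no 'l' is expected there.
    """
    missing = []
    for path, perms in parse_rules(profile_text):
        if not any(_under(path, root) for root in export_roots):
            continue
        if "w" in perms and "l" not in perms:
            missing.append(path)
    return missing


if __name__ == "__main__":
    for p in exports_missing_link(SAMPLE_PROFILE, ["/srv/export/"]):
        print("writable export without 'l':", p)
```

Run it against a real libvirt-<uuid>.files profile by reading that file into `profile_text` and passing the `<filesystem>` source directories of the domain as `export_roots`; a hit means the guest will get EPERM-style failures from link(2) on that export until the host's virt-aa-helper emits "rwl".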

Guests should be allowed to create hard links on mounted pathes, since many applications rely on this functionality and would error on guest with current "rw" AppArmor permission with 9pfs. Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com> --- src/security/virt-aa-helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 12429278fb..5a6f4a5f7d 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1142,7 +1142,7 @@ get_files(vahControl * ctl) /* We don't need to add deny rw rules for readonly mounts, * this can only lead to troubles when mounting / readonly. */ - if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rw", true) != 0) + if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rwl", true) != 0) goto cleanup; } } -- 2.20.1
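Review bot: the in-code comment above the vah_add_path call still explains only the rw/R split ("We don't need to add deny rw rules for readonly mounts"), while the rule now grants "rwl" with nothing saying why link permission is needed; extend that comment with one line such as "/* 'l' lets the guest create hard links inside the export (9pfs applications rely on it) */" so the rationale does not live only in the commit message. The commit message itself mentions 9pfs only, but this branch runs for every fs->src->path the loop handles, so the extra permission also lands on virtiofs exports; the cover letter says so, the commit message (which is what reaches git history) should too. Keeping "R" for the readonly branch is fine, since there is no write to pair a link with there.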

[Please don't CC random people on patches until asked to, we are all subscribed to the list]

On 10/22/20 4:58 PM, Christian Schoenebeck wrote:
Guests should be allowed to create hard links on mounted paths, since many applications rely on this functionality and would error on guests with the current "rw" AppArmor permission with 9pfs.
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
---
 src/security/virt-aa-helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 12429278fb..5a6f4a5f7d 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1142,7 +1142,7 @@ get_files(vahControl * ctl) /* We don't need to add deny rw rules for readonly mounts, * this can only lead to troubles when mounting / readonly. */ - if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rw", true) != 0) + if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rwl", true) != 0) goto cleanup; } }
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

but I will give a day or two for other developers to chime in.

Michal

On Thursday, 22 October 2020 19:07:33 CEST Michal Privoznik wrote:
[Please don't CC random people on patches until asked to, we are all subscribed to the list]
Got it, I'll refrain from CCing on libvirt in future. Not as erratic as it looks, though: I CCed people who touched this specific AppArmor permission before, plus the virtiofs maintainers.
On 10/22/20 4:58 PM, Christian Schoenebeck wrote:
Guests should be allowed to create hard links on mounted paths, since many applications rely on this functionality and would error on guests with the current "rw" AppArmor permission with 9pfs.
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com> ---
src/security/virt-aa-helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 12429278fb..5a6f4a5f7d 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1142,7 +1142,7 @@ get_files(vahControl * ctl)
/* We don't need to add deny rw rules for readonly mounts,
* this can only lead to troubles when mounting / readonly. */
- if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rw", true) != 0) + if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rwl", true) != 0)> goto cleanup;
}
}
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
but I will give a day or two for other developers to chime in.
Michal
Yes, please wait a couple of days to see whether there are reactions.

Best regards,
Christian Schoenebeck

On 10/23/20 4:19 PM, Christian Schoenebeck wrote:
On Thursday, 22 October 2020 19:07:33 CEST Michal Privoznik wrote:
[Please don't CC random people on patches until asked to, we are all subscribed to the list]
Got it, I'll refrain from CCing on libvirt in future.
Not as erratic as it looks, though: I CCed people who touched this specific AppArmor permission before, plus the virtiofs maintainers.
Yeah, I understand that. BTW: it's okay to CC people when replying :-)
On 10/22/20 4:58 PM, Christian Schoenebeck wrote:
Guests should be allowed to create hard links on mounted paths, since many applications rely on this functionality and would error on guests with the current "rw" AppArmor permission with 9pfs.
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com> ---
src/security/virt-aa-helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 12429278fb..5a6f4a5f7d 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1142,7 +1142,7 @@ get_files(vahControl * ctl)
/* We don't need to add deny rw rules for readonly mounts,
* this can only lead to troubles when mounting / readonly. */
- if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rw", true) != 0) + if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rwl", true) != 0)> goto cleanup;
}
}
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
but I will give a day or two for other developers to chime in.
Michal
Yes, please wait a couple of days to see whether there are reactions.
Okay, so nobody objected and we can expect the freeze of upstream today, so I am pushing this.

On Monday, 26 October 2020 09:12:38 CET Michal Privoznik wrote:
On 10/23/20 4:19 PM, Christian Schoenebeck wrote:
On Thursday, 22 October 2020 19:07:33 CEST Michal Privoznik wrote:
[Please don't CC random people on patches until asked to, we are all subscribed to the list]
Got it, I'll refrain from CCing on libvirt in future.
Not as erratic as it looks, though: I CCed people who touched this specific AppArmor permission before, plus the virtiofs maintainers.
Yeah, I understand that. BTW: it's okay to CC people when replying :-)
On 10/22/20 4:58 PM, Christian Schoenebeck wrote:
Guests should be allowed to create hard links on mounted paths, since many applications rely on this functionality and would error on guests with the current "rw" AppArmor permission with 9pfs.
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com> ---
src/security/virt-aa-helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 12429278fb..5a6f4a5f7d 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1142,7 +1142,7 @@ get_files(vahControl * ctl)
/* We don't need to add deny rw rules for readonly mounts,
* this can only lead to troubles when mounting / readonly. */
- if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rw", true) != 0) + if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rwl", true) != 0)>
goto cleanup;
}
}
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
but I will give a day or two for other developers to chime in.
Michal
Yes, please wait a couple of days to see whether there are reactions.
Okay, so nobody objected and we can expect the freeze of upstream today, so I am pushing this.
Yes, makes sense. Thanks Michal!

Best regards,
Christian Schoenebeck

On Thu, Oct 22, 2020 at 05:10:10PM +0200, Christian Schoenebeck wrote:
I'm suggesting to add the AppArmor permission "l" on libvirt export paths to allow guests to create hard links, which is currently a problem for 9pfs mounts.
Since the suggested patch would affect virtiofs as well, I would ask David and Stefan for feedback. If necessary I would change the patch to exclude virtiofs from this change.
virtiofsd supports the link(2) operation and enabling it seems reasonable to me. It is enabled in the non-AppArmor configuration.

Stefan
participants (3): Christian Schoenebeck, Michal Privoznik, Stefan Hajnoczi