4:25 a.m.
Hi all,
Here are 2 small fixes: the first one just gets the apparmor right for SLES
(and openSUSE). The second patch fixes a problem with lxc-enter-namespace on
pretty recent kernels. They surely have nothing to do with each other ;)
Cédric Bosdonnat (2):
Apparmor qemu abstraction fixes for SLES
Open /proc/PID/ns/* read-only to avoid getting permission denied
examples/apparmor/libvirt-qemu | 9 +++++++++
src/util/virprocess.c | 2 +-
2 files changed, 10 insertions(+), 1 deletion(-)
--
2.1.4
4:25 a.m.
New subject: [libvirt] [PATCH 1/2] Apparmor qemu abstraction fixes for SLES
SLES 11 has legacy qemu-kvm package, /usr/bin/qemu-kvm and
/usr/share/qemu-kvm need to be accessed by domains.
---
examples/apparmor/libvirt-qemu | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 7aad391..a3043dd 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -59,6 +59,7 @@
# access to firmware's etc
/usr/share/kvm/** r,
/usr/share/qemu/** r,
+ /usr/share/qemu-kvm/** r,
/usr/share/bochs/** r,
/usr/share/openbios/** r,
/usr/share/openhackware/** r,
@@ -73,6 +74,7 @@
# the various binaries
/usr/bin/kvm rmix,
/usr/bin/qemu rmix,
+ /usr/bin/qemu-kvm rmix,
/usr/bin/qemu-system-arm rmix,
/usr/bin/qemu-system-cris rmix,
/usr/bin/qemu-system-i386 rmix,
@@ -118,12 +120,19 @@
/bin/dd rmix,
/bin/cat rmix,
+ # for restore
+ /bin/bash rmix,
+
# for usb access
/dev/bus/usb/ r,
/etc/udev/udev.conf r,
/sys/bus/ r,
/sys/class/ r,
+ # nscd pieces
+ /run/nscd/group r,
+ /run/nscd/passwd r,
+
/usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
# child profile for bridge helper process
profile qemu_bridge_helper {
--
2.1.4
8:29 p.m.
New subject: [libvirt] [PATCH 1/2] Apparmor qemu abstraction fixes for SLES
On 04/09/2015 04:25 AM, Cédric Bosdonnat wrote:
SLES 11 has legacy qemu-kvm package, /usr/bin/qemu-kvm and
/usr/share/qemu-kvm need to be accessed by domains.
---
examples/apparmor/libvirt-qemu | 9 +++++++++
1 file changed, 9 insertions(+)
It is ok as is, but see my comments below.
Acked-By: Jamie Strandboge <jamie(a)canonical.com>
diff --git a/examples/apparmor/libvirt-qemu
b/examples/apparmor/libvirt-qemu
index 7aad391..a3043dd 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
...
@@ -118,12 +120,19 @@
/bin/dd rmix,
/bin/cat rmix,
+ # for restore
+ /bin/bash rmix,
+
This one is curious. You have it with rmix, so it's ok though.
Acked-By: Jamie Strandboge <jamie(a)canonical.com>
# for usb access
/dev/bus/usb/ r,
/etc/udev/udev.conf r,
/sys/bus/ r,
/sys/class/ r,
+ # nscd pieces
+ /run/nscd/group r,
+ /run/nscd/passwd r,
+
These should already be in the nameservice abstraction via this rule:
/{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,host} r,
which is already included by libvirt-qemu:
#include <abstractions/nameservice>
It's ok to have duplicates-- apparmor handles them, but perhaps these aren't
actually needed?
--
Jamie Strandboge http://www.ubuntu.com/
2:20 a.m.
New subject: [libvirt] [PATCH 1/2] Apparmor qemu abstraction fixes for SLES
Hi Jamie,
On Thu, 2015-04-09 at 20:29 -0500, Jamie Strandboge wrote:
On 04/09/2015 04:25 AM, Cédric Bosdonnat wrote:
> SLES 11 has legacy qemu-kvm package, /usr/bin/qemu-kvm and
> /usr/share/qemu-kvm need to be accessed by domains.
> ---
> examples/apparmor/libvirt-qemu | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
It is ok as is, but see my comments below.
Acked-By: Jamie Strandboge <jamie(a)canonical.com>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index 7aad391..a3043dd 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
...
> @@ -118,12 +120,19 @@
> /bin/dd rmix,
> /bin/cat rmix,
>
> + # for restore
> + /bin/bash rmix,
> +
This one is curious. You have it with rmix, so it's ok though.
I didn't investigate too deeply to know why we need it. Maybe that would
be a good thing for me to do ;)
Acked-By: Jamie Strandboge <jamie(a)canonical.com>
> # for usb access
> /dev/bus/usb/ r,
> /etc/udev/udev.conf r,
> /sys/bus/ r,
> /sys/class/ r,
>
> + # nscd pieces
> + /run/nscd/group r,
> + /run/nscd/passwd r,
> +
These should already be in the nameservice abstraction via this rule:
/{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,host} r,
which is already included by libvirt-qemu:
#include <abstractions/nameservice>
It's ok to have duplicates-- apparmor handles them, but perhaps these aren't
actually needed?
Ouch, indeed... this rule seems more recent than what we have in SLES,
I'll remove those lines from the profile.
Thanks for the heads up.
--
Cedric
4:25 a.m.
New subject: [libvirt] [PATCH 2/2] Open /proc/PID/ns/* read-only to avoid getting permission denied
lxc-enter-namespace stopped working on recent kernels (at least 3.19+)
due to /proc/PID/ns/* file descriptors being opened RW. From outside
the namespace these can only be opened RO.
---
src/util/virprocess.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/util/virprocess.c b/src/util/virprocess.c
index ab1e039..7a79970 100644
--- a/src/util/virprocess.c
+++ b/src/util/virprocess.c
@@ -628,7 +628,7 @@ int virProcessGetNamespaces(pid_t pid,
ns[i]) < 0)
goto cleanup;
- if ((fd = open(nsfile, O_RDWR)) >= 0) {
+ if ((fd = open(nsfile, O_RDONLY)) >= 0) {
if (VIR_EXPAND_N(*fdlist, *nfdlist, 1) < 0) {
VIR_FORCE_CLOSE(fd);
goto cleanup;
--
2.1.4
4:58 a.m.
On 09.04.2015 11:25, Cédric Bosdonnat wrote:
Hi all,
Here are 2 small fixes: the first one just gets the apparmor right for SLES
(and openSUSE). The second patch fixes a problem with lxc-enter-namespace on
pretty recent kernels. They surely have nothing to do with each other ;)
Cédric Bosdonnat (2):
Apparmor qemu abstraction fixes for SLES
Open /proc/PID/ns/* read-only to avoid getting permission denied
examples/apparmor/libvirt-qemu | 9 +++++++++
src/util/virprocess.c | 2 +-
2 files changed, 10 insertions(+), 1 deletion(-)
ACK to both
Michal
3507
days inactive
3518
days old
5 comments
4 participants
participants (4)
-
Cedric Bosdonnat -
Cédric Bosdonnat
-
Jamie Strandboge -
Michal Privoznik