[libvirt] [PATCH 0/2] Misc fixes

Hi all,

Here are 2 small fixes: the first one just gets the apparmor right for SLES (and openSUSE). The second patch fixes a problem with lxc-enter-namespace on pretty recent kernels. They surely have nothing to do with each other ;)

Cédric Bosdonnat (2):
  Apparmor qemu abstraction fixes for SLES
  Open /proc/PID/ns/* read-only to avoid getting permission denied

 examples/apparmor/libvirt-qemu | 9 +++++++++
 src/util/virprocess.c          | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

-- 
2.1.4

SLES 11 has legacy qemu-kvm package, /usr/bin/qemu-kvm and /usr/share/qemu-kvm need to be accessed by domains. --- examples/apparmor/libvirt-qemu | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 7aad391..a3043dd 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -59,6 +59,7 @@ # access to firmware's etc /usr/share/kvm/** r, /usr/share/qemu/** r, + /usr/share/qemu-kvm/** r, /usr/share/bochs/** r, /usr/share/openbios/** r, /usr/share/openhackware/** r, @@ -73,6 +74,7 @@ # the various binaries /usr/bin/kvm rmix, /usr/bin/qemu rmix, + /usr/bin/qemu-kvm rmix, /usr/bin/qemu-system-arm rmix, /usr/bin/qemu-system-cris rmix, /usr/bin/qemu-system-i386 rmix, @@ -118,12 +120,19 @@ /bin/dd rmix, /bin/cat rmix, + # for restore + /bin/bash rmix, + # for usb access /dev/bus/usb/ r, /etc/udev/udev.conf r, /sys/bus/ r, /sys/class/ r, + # nscd pieces + /run/nscd/group r, + /run/nscd/passwd r, + /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, # child profile for bridge helper process profile qemu_bridge_helper { -- 2.1.4
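Review bot: in the third hunk (@@ -118,12 +120,19 @@) the "# for restore" comment above "/bin/bash rmix," does not say what spawns a shell during a domain restore, so nobody can later tell whether the rule is still required; record the actual caller in the comment. Because the rule uses "ix", the shell inherits the qemu domain's profile instead of running unconfined, which bounds the exposure, but a general-purpose shell is still the broadest executable this profile grants and should be justified in the commit message as well. In the same hunk, "/run/nscd/group r," and "/run/nscd/passwd r," duplicate the nameservice abstraction's "/{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,host} r," which the profile already pulls in via "#include <abstractions/nameservice>"; duplicates are harmless to apparmor, but drop them unless the abstraction shipped on the target predates that rule, and say so in the comment if it does.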

On 04/09/2015 04:25 AM, Cédric Bosdonnat wrote:
SLES 11 has legacy qemu-kvm package, /usr/bin/qemu-kvm and /usr/share/qemu-kvm need to be accessed by domains. --- examples/apparmor/libvirt-qemu | 9 +++++++++ 1 file changed, 9 insertions(+)
It is ok as is, but see my comments below.

Acked-By: Jamie Strandboge <jamie@canonical.com>
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 7aad391..a3043dd 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu
...
@@ -118,12 +120,19 @@ /bin/dd rmix, /bin/cat rmix,
+ # for restore + /bin/bash rmix, +
This one is curious. You have it with rmix, so it's ok though.

Acked-By: Jamie Strandboge <jamie@canonical.com>
# for usb access /dev/bus/usb/ r, /etc/udev/udev.conf r, /sys/bus/ r, /sys/class/ r,
+ # nscd pieces + /run/nscd/group r, + /run/nscd/passwd r, +
These should already be in the nameservice abstraction via this rule:

  /{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,host} r,

which is already included by libvirt-qemu:

  #include <abstractions/nameservice>

It's ok to have duplicates -- apparmor handles them, but perhaps these aren't actually needed?

-- 
Jamie Strandboge                 http://www.ubuntu.com/

Hi Jamie,

On Thu, 2015-04-09 at 20:29 -0500, Jamie Strandboge wrote:
On 04/09/2015 04:25 AM, Cédric Bosdonnat wrote:
SLES 11 has legacy qemu-kvm package, /usr/bin/qemu-kvm and /usr/share/qemu-kvm need to be accessed by domains. --- examples/apparmor/libvirt-qemu | 9 +++++++++ 1 file changed, 9 insertions(+)
It is ok as is, but see my comments below.
Acked-By: Jamie Strandboge <jamie@canonical.com>
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 7aad391..a3043dd 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu
...
@@ -118,12 +120,19 @@ /bin/dd rmix, /bin/cat rmix,
+ # for restore + /bin/bash rmix, +
This one is curious. You have it with rmix, so it's ok though.
I didn't investigate too deeply to know why we need it. Maybe that would be a good thing for me to do ;)
Acked-By: Jamie Strandboge <jamie@canonical.com>
# for usb access /dev/bus/usb/ r, /etc/udev/udev.conf r, /sys/bus/ r, /sys/class/ r,
+ # nscd pieces + /run/nscd/group r, + /run/nscd/passwd r, +
These should already be in the nameservice abstraction via this rule: /{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,host} r,
which is already included by libvirt-qemu: #include <abstractions/nameservice>
It's ok to have duplicates-- apparmor handles them, but perhaps these aren't actually needed?
Ouch, indeed... this rule seems more recent than what we have in SLES, I'll remove those lines from the profile. Thanks for the heads up.

-- 
Cedric

lxc-enter-namespace stopped working on recent kernels (at least 3.19+) due to /proc/PID/ns/* file descriptors being opened RW. From outside the namespace these can only be opened RO. --- src/util/virprocess.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/util/virprocess.c b/src/util/virprocess.c index ab1e039..7a79970 100644 --- a/src/util/virprocess.c +++ b/src/util/virprocess.c @@ -628,7 +628,7 @@ int virProcessGetNamespaces(pid_t pid, ns[i]) < 0) goto cleanup; - if ((fd = open(nsfile, O_RDWR)) >= 0) { + if ((fd = open(nsfile, O_RDONLY)) >= 0) { if (VIR_EXPAND_N(*fdlist, *nfdlist, 1) < 0) { VIR_FORCE_CLOSE(fd); goto cleanup; -- 2.1.4
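Review bot: the one-line change is correct (setns(2) only needs a descriptor that refers to the namespace, so O_RDONLY is all that is required), but the surrounding condition "if ((fd = open(nsfile, O_RDONLY)) >= 0) {" still silently skips any namespace whose open fails, which is exactly why the EACCES from the old O_RDWR open surfaced only as "lxc-enter-namespace stopped working" rather than as a diagnosable error; log errno on that failure path (libvirt's VIR_DEBUG would do) so the next permission regression is visible. The commit message would also read better with a short statement of the kernel-side reason RW opens are refused from outside the namespace, so readers do not mistake it for a libvirtd privilege problem.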
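The following is an added example, not libvirt's code: it rebuilds the loop that the patched virProcessGetNamespaces() implements (open /proc/PID/ns/* read-only and collect the descriptors) and adds a probe that reports the errno for a given open mode, so the O_RDWR refusal the commit message describes can be observed on a running kernel. The namespace list, the function names open_ns_fd, open_namespaces, close_namespaces, probe_ns_open and enter_namespaces, and the choice to report a failed open instead of skipping it are all assumptions of this example.

```c
/* Added example (not libvirt code): read-only /proc/PID/ns/* handling,
 * mirroring the fixed virProcessGetNamespaces() loop, plus a probe that
 * shows why the old O_RDWR open produced EACCES. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* for setns() in <sched.h> */
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Namespaces an lxc-enter-namespace style tool joins; list and order are
 * this example's assumption, not libvirt's. */
static const char *const ns_names[] = { "ipc", "uts", "net", "pid", "mnt" };
#define NS_COUNT (sizeof(ns_names) / sizeof(ns_names[0]))

/* Open /proc/<pid>/ns/<name> with flags; returns the fd or -1 with errno set. */
int open_ns_fd(pid_t pid, const char *name, int flags)
{
    char path[64];

    if (snprintf(path, sizeof(path), "/proc/%ld/ns/%s",
                 (long)pid, name) >= (int)sizeof(path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(path, flags | O_CLOEXEC);
}

/* Fill fds[] with read-only descriptors for every namespace in names[].
 * Unlike the patched loop, a failed open is reported rather than skipped:
 * returns n on success, or -1 with errno set and any opened fds closed. */
int open_namespaces(pid_t pid, const char *const *names, size_t n, int *fds)
{
    size_t i;

    for (i = 0; i < n; i++) {
        fds[i] = open_ns_fd(pid, names[i], O_RDONLY);   /* the fix: O_RDONLY */
        if (fds[i] < 0) {
            int saved = errno;
            while (i > 0)
                close(fds[--i]);
            errno = saved;
            return -1;
        }
    }
    return (int)n;
}

/* Close every descriptor in fds[] and mark the slot as closed (-1). */
void close_namespaces(int *fds, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++) {
        if (fds[i] >= 0)
            close(fds[i]);
        fds[i] = -1;
    }
}

/* Try one open mode and return its errno (0 when the open succeeds).
 * On kernels affected by the bug, O_RDWR yields EACCES while O_RDONLY works. */
int probe_ns_open(pid_t pid, const char *name, int flags)
{
    int fd = open_ns_fd(pid, name, flags);

    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Join the namespaces behind fds[] in order; a read-only fd is enough for
 * setns(2). Needs CAP_SYS_ADMIN, so main() below does not call it. */
int enter_namespaces(const int *fds, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (setns(fds[i], 0) < 0)
            return -1;
    return 0;
}

int main(int argc, char **argv)
{
    pid_t pid = argc > 1 ? (pid_t)atol(argv[1]) : getpid();
    int fds[NS_COUNT];
    size_t i;

    for (i = 0; i < NS_COUNT; i++) {
        int e_ro = probe_ns_open(pid, ns_names[i], O_RDONLY);
        int e_rw = probe_ns_open(pid, ns_names[i], O_RDWR);
        printf("%-4s O_RDONLY: %s  O_RDWR: %s\n", ns_names[i],
               e_ro ? strerror(e_ro) : "ok", e_rw ? strerror(e_rw) : "ok");
    }
    if (open_namespaces(pid, ns_names, NS_COUNT, fds) < 0) {
        perror("open_namespaces");
        return 1;
    }
    close_namespaces(fds, NS_COUNT);
    return 0;
}
```

Run it as an unprivileged user against its own PID (no argument) to see the per-mode result for each namespace; pass another PID to reproduce the "from outside the namespace" case the commit message describes. Reporting the failed open instead of skipping it is a deliberate departure from the patched loop, so that a permission problem shows up as an error with an errno rather than as a tool that quietly does nothing.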

On 09.04.2015 11:25, Cédric Bosdonnat wrote:
Hi all,
Here are 2 small fixes: the first one just gets the apparmor right for SLES (and openSUSE). The second patch fixes a problem with lxc-enter-namespace on pretty recent kernels. They surely have nothing to do with each other ;)
Cédric Bosdonnat (2): Apparmor qemu abstraction fixes for SLES Open /proc/PID/ns/* read-only to avoid getting permission denied
examples/apparmor/libvirt-qemu | 9 +++++++++ src/util/virprocess.c | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-)
ACK to both

Michal