[libvirt] [PATCH 0/2] apparmor fixes

Fixes a regression I brought in virt-aa-helper with the lxc apparmor profiles. And makes vfio work even with apparmor enforced on libvirtd

Cédric Bosdonnat (2):
  Fixed regression in apparmor profiles for qemu brought by 43c030f
  Fix apparmor profile to make vfio pci passthrough work

 examples/apparmor/libvirt-qemu      | 5 +++++
 examples/apparmor/usr.sbin.libvirtd | 3 +++
 src/security/virt-aa-helper.c       | 4 +++-
 3 files changed, 11 insertions(+), 1 deletion(-)

-- 
1.9.0

--- src/security/virt-aa-helper.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index b8b0610..59de517 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1281,7 +1281,9 @@ main(int argc, char **argv) if (vah_add_file(&buf, ctl->newfile, "rw") != 0) goto cleanup; } else { - if (ctl->def->virtType == VIR_DOMAIN_VIRT_QEMU) { + if (ctl->def->virtType == VIR_DOMAIN_VIRT_QEMU || + ctl->def->virtType == VIR_DOMAIN_VIRT_KQEMU || + ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) { virBufferAsprintf(&buf, " \"%s/log/libvirt/**/%s.log\" w,\n", LOCALSTATEDIR, ctl->def->name); virBufferAsprintf(&buf, " \"%s/lib/libvirt/**/%s.monitor\" rw,\n", -- 1.9.0
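Review bot: the commit message says a regression from 43c030f is fixed but not what the symptom was; the hunk shows it: the `.log` and `.monitor` rules were only emitted for `VIR_DOMAIN_VIRT_QEMU`, so kvm (and kqemu) guests lost write access to their log and monitor paths once 43c030f narrowed the condition. Stating that in the message would help anyone bisecting later. In the code itself, the three-way `||` on `ctl->def->virtType` enumerates "every virt type handled by the qemu driver"; a short comment saying so next to the condition would make it clear that a new qemu-driver virt type must be added here too, rather than looking like an arbitrary list.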

On 03/24/2014 11:20 AM, Cédric Bosdonnat wrote:
--- src/security/virt-aa-helper.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
ACK and pushed.
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index b8b0610..59de517 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1281,7 +1281,9 @@ main(int argc, char **argv) if (vah_add_file(&buf, ctl->newfile, "rw") != 0) goto cleanup; } else { - if (ctl->def->virtType == VIR_DOMAIN_VIRT_QEMU) { + if (ctl->def->virtType == VIR_DOMAIN_VIRT_QEMU || + ctl->def->virtType == VIR_DOMAIN_VIRT_KQEMU || + ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) { virBufferAsprintf(&buf, " \"%s/log/libvirt/**/%s.log\" w,\n", LOCALSTATEDIR, ctl->def->name); virBufferAsprintf(&buf, " \"%s/lib/libvirt/**/%s.monitor\" rw,\n",
-- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org

See lp#1276719 for the bug description. As virt-aa-helper doesn't know the VFIO groups to use for the guest, allow access to all /dev/vfio/[0-9]* and /dev/vfio/vfio files. --- examples/apparmor/libvirt-qemu | 5 +++++ examples/apparmor/usr.sbin.libvirtd | 3 +++ 2 files changed, 8 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index e1980b7..c3dfa57 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -110,6 +110,7 @@ /usr/bin/qemu-sparc32plus rmix, /usr/bin/qemu-sparc64 rmix, /usr/bin/qemu-x86_64 rmix, + /usr/lib/qemu/block-curl.so mr, # for save and resume /bin/dash rmix, @@ -122,6 +123,10 @@ /sys/bus/ r, /sys/class/ r, + # for vfio access + /dev/vfio/vfio rw, + /dev/vfio/[0-9]* rw, + /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, # child profile for bridge helper process profile qemu_bridge_helper { diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index fd6def1..3011eff 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -25,6 +25,9 @@ capability fsetid, capability audit_write, + # Needed for vfio + capability sys_resource, + network inet stream, network inet dgram, network inet6 stream, -- 1.9.0
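Review bot: the `+ /usr/lib/qemu/block-curl.so mr,` line in the first libvirt-qemu hunk is not covered by the commit message, which only describes the vfio change; it should either be split into its own patch or explained in the message. The path is also hard-coded to `/usr/lib` while the same file uses a brace alternative for `/usr/{lib,libexec}/qemu-bridge-helper`; distributions that install qemu modules under `/usr/lib64` would need a similar `{lib,lib64}` form.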
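Review bot: the second libvirt-qemu hunk, `+ /dev/vfio/[0-9]* rw,`, is added to the shared abstraction, so every confined qemu process gets read/write access to every IOMMU group node on the host, including groups that belong to other guests or to no guest at all; the `/dev/vfio/vfio` container node is the only part that is genuinely common to all guests. The narrower option is to keep only `/dev/vfio/vfio` here and emit the specific `/dev/vfio/<group>` rule in the per-guest generated rules, and only for guests that actually have a VFIO hostdev, so that the profile keeps isolating guests from each other's devices.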
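Review bot: in the usr.sbin.libvirtd hunk the comment `# Needed for vfio` above `capability sys_resource,` does not say which operation libvirtd performs that needs it, and `sys_resource` is a broad grant (it covers overriding resource limits generally, not just one setting). The comment should name the concrete operation (for instance, if it is raising the locked-memory limit for guests with VFIO devices) so that the scope of the capability can be judged and revisited if that operation later moves elsewhere.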

Quoting Cédric Bosdonnat (cbosdonnat@suse.com):
See lp#1276719 for the bug description. As virt-aa-helper doesn't know
Great, thanks for addressing this.
the VFIO groups to use for the guest,
Is there really no way for it to know that (based on xml)? If not then I guess this is the way to go - though even in that case could we at least have virt-aa-helper only allow access to all vfio* only when vfio pci is required?
allow access to all /dev/vfio/[0-9]* and /dev/vfio/vfio files. ---
(Note - there is no signed-off-by on these patches)
examples/apparmor/libvirt-qemu | 5 +++++ examples/apparmor/usr.sbin.libvirtd | 3 +++ 2 files changed, 8 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index e1980b7..c3dfa57 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -110,6 +110,7 @@ /usr/bin/qemu-sparc32plus rmix, /usr/bin/qemu-sparc64 rmix, /usr/bin/qemu-x86_64 rmix, + /usr/lib/qemu/block-curl.so mr,
# for save and resume /bin/dash rmix, @@ -122,6 +123,10 @@ /sys/bus/ r, /sys/class/ r,
+ # for vfio access + /dev/vfio/vfio rw, + /dev/vfio/[0-9]* rw, + /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, # child profile for bridge helper process profile qemu_bridge_helper { diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index fd6def1..3011eff 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -25,6 +25,9 @@ capability fsetid, capability audit_write,
+ # Needed for vfio + capability sys_resource, + network inet stream, network inet dgram, network inet6 stream, -- 1.9.0
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

Hello Serge, On Mon, 2014-03-24 at 22:21 -0500, Serge Hallyn wrote:
Quoting Cédric Bosdonnat (cbosdonnat@suse.com):
See lp#1276719 for the bug description. As virt-aa-helper doesn't know
Great, thanks for addressing this.
the VFIO groups to use for the guest,
Is there really no way for it to know that (based on xml)? If not then I guess this is the way to go - though even in that case could we at least have virt-aa-helper only allow access to all vfio* only when vfio pci is required?
Sadly the vfio group is handled on the qemu side, there is nothing on the xml side. But I surely can change the patch to add the vfio rule to the *.files part of the profile and only when vfio is needed by the guest: that would restrain the access a bit. -- Cedric
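The narrower rule discussed above (one `/dev/vfio/<group>` entry per guest instead of `/dev/vfio/[0-9]*` for everyone) needs the IOMMU group of each passed-through device. The following is an added illustration, not code from this thread or from libvirt: it resolves a PCI address to its group through the `iommu_group` symlink that sysfs exposes for each device and prints rules in the quoted style virt-aa-helper uses for generated per-guest entries. `SYSFS_ROOT` is a hypothetical override so the function can run against a constructed tree; real hosts use `/sys`. The PCI addresses are inputs here; how they are obtained for a given guest is outside the example.

```shell
#!/bin/sh
# Added example (not libvirt code): derive per-guest AppArmor VFIO rules
# from the host's IOMMU groups instead of granting /dev/vfio/[0-9]* to all.

vfio_rules_for_pci() {
    # Arguments: one or more PCI addresses such as 0000:01:00.0.
    # Prints the rules for the container node and each distinct group.
    # Fails without printing anything if any address has no IOMMU group,
    # so a caller never ends up with a half-written rule set.
    rules=""
    for addr in "$@"; do
        dev="${SYSFS_ROOT:-/sys}/bus/pci/devices/$addr"
        # sysfs exposes the group as a relative symlink, e.g.
        # ../../../kernel/iommu_groups/15; the last component is the number
        link=$(readlink "$dev/iommu_group") || return 1
        group=${link##*/}
        case "$group" in
            ''|*[!0-9]*) return 1 ;;   # refuse anything that is not a group number
        esac
        # two functions of one card usually share a group: emit it once
        case "$rules" in
            *"\"/dev/vfio/$group\""*) continue ;;
        esac
        rules="$rules  \"/dev/vfio/$group\" rw,
"
    done
    printf '  "/dev/vfio/vfio" rw,\n%s' "$rules"
}

# Stand-alone demo on a constructed sysfs tree (hypothetical device/group).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bus/pci/devices/0000:01:00.0" "$demo_root/kernel/iommu_groups/15"
ln -s ../../../kernel/iommu_groups/15 "$demo_root/bus/pci/devices/0000:01:00.0/iommu_group"
SYSFS_ROOT=$demo_root vfio_rules_for_pci 0000:01:00.0
rm -rf "$demo_root"
```

The output belongs in the guest-specific generated rules, not in the shared libvirt-qemu abstraction, so a guest can only open the group nodes it was actually given; if the broad `/dev/vfio/[0-9]*` line stays in the abstraction, it still overrides any narrowing done here.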