Re: Re: [PATCH] apparmor: Add user session path for PID and socket files used by passt

On Tue, Jan 30, 2024 at 10:47:54AM -0800, Andrea Bolognani wrote:
On Tue, Jan 30, 2024 at 07:15:51PM +0100, Stefano Brivio wrote:
Commit 7a39b04d683f ("apparmor: Enable passt support") grants passt(1) read-write access to /{,var/}run/libvirt/qemu/passt/* if started by the libvirt daemon. That's the path where passt creates PID and socket files only if the guest is started by the root user.
If the guest is started by another user, though, the path is more commonly /var/run/user/$UID/libvirt/qemu/run/passt: add it as a read-write location. Otherwise, passt won't be able to start, as reported by Andreas.
While at it, replace /{,var/}run/ in the existing rule by its corresponding tunable variable, @{run}.
Reported-by: Andreas B. Mundt <andi@debian.org>
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061678
Fixes: 7a39b04d683f ("apparmor: Enable passt support")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 src/security/apparmor/libvirt-qemu.in | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in index f40f471891..8b92915281 100644 --- a/src/security/apparmor/libvirt-qemu.in +++ b/src/security/apparmor/libvirt-qemu.in @@ -196,7 +196,8 @@ signal (receive) set=("term") peer=libvirtd, signal (receive) set=("term") peer=virtqemud,
- owner /{,var/}run/libvirt/qemu/passt/* rw, + owner @{run}/user/[0-9]*/libvirt/qemu/run/passt/* rw, + owner @{run}/libvirt/qemu/passt/* rw,
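Review bot: the added `owner @{run}/user/[0-9]*/libvirt/qemu/run/passt/* rw,` rule matches every per-user runtime directory, so it is the `owner` qualifier alone that keeps a passt instance run by one user away from another user's PID and socket files; the commit message only talks about `$UID`, so spell that dependency out there (or in a comment beside the rule) so that a later edit does not drop `owner` while "cleaning up". Minor: inserting the user-session rule above the existing system-wide one reads as if it replaced it; appending it after `owner @{run}/libvirt/qemu/passt/* rw,` keeps the hunk a pure tunable rename plus one new line.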
Makes sense to me, so
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
I'll give Jim and others a chance to take a look before pushing.
I just realized that you sent the patch to the old mailing list address. We've migrated somewhat recently, so that's completely understandable :) I've adjusted the recipient now. I don't think it's necessary for you to post the patch again, as its contents are fully contained within the quoted part of this message.
-- 
Andrea Bolognani / Red Hat / Virtualization
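To see why the old rule never covered the per-user path, here is a small added example (mine, not part of the patch or of libvirt) that expands the three rule paths the way the AppArmor parser does and checks candidate file paths against them. It assumes `@{run}` is defined as in the stock tunables/run (`/run/ /var/run/`), uses constructed file names, and ignores the `owner` qualifier, which AppArmor evaluates separately from the path glob.

```python
"""Toy matcher for the AppArmor path globs in the passt rules above."""
import re

# Set-valued tunable; assumed to match AppArmor's stock tunables/run.
TUNABLES = {"@{run}": ["/run/", "/var/run/"]}

OLD_RULE = "/{,var/}run/libvirt/qemu/passt/*"
NEW_RULES = [
    "@{run}/user/[0-9]*/libvirt/qemu/run/passt/*",  # user session
    "@{run}/libvirt/qemu/passt/*",                  # system (root) session
]


def expand(pattern):
    """Expand @{var} sets and {a,b} alternations into plain glob patterns."""
    for var, values in TUNABLES.items():
        if var in pattern:
            return [p for v in values for p in expand(pattern.replace(var, v, 1))]
    m = re.search(r"\{([^{}]*)\}", pattern)
    if m:
        return [p for alt in m.group(1).split(",")
                for p in expand(pattern[:m.start()] + alt + pattern[m.end():])]
    return [re.sub(r"/+", "/", pattern)]  # the parser collapses '//' too


def glob_to_regex(glob):
    """AppArmor globbing: '*' and '?' stop at '/', '**' does not, [..] is a class."""
    rx, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            rx, i = rx + ".*", i + 2
        elif glob[i] == "*":
            rx, i = rx + "[^/]*", i + 1
        elif glob[i] == "?":
            rx, i = rx + "[^/]", i + 1
        elif glob[i] == "[":
            j = glob.index("]", i)
            rx, i = rx + glob[i:j + 1], j + 1
        else:
            rx, i = rx + re.escape(glob[i]), i + 1
    return re.compile("^" + rx + "$")


def rule_matches(rule, path):
    """True if any expansion of the rule's path glob matches the given path."""
    return any(glob_to_regex(g).match(path) for g in expand(rule))


def matching_rules(rules, path):
    """Subset of rules whose path glob matches path (constructed file names used)."""
    return [r for r in rules if rule_matches(r, path)]
```

The `[0-9]*` element is a one-digit class followed by a glob star, so a non-numeric directory such as `user/abc/` is rejected and a sub-directory under `passt/` is not reached because `*` stops at `/`.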

On 1/30/24 11:55, Andrea Bolognani wrote:
On Tue, Jan 30, 2024 at 10:47:54AM -0800, Andrea Bolognani wrote:
On Tue, Jan 30, 2024 at 07:15:51PM +0100, Stefano Brivio wrote:
Commit 7a39b04d683f ("apparmor: Enable passt support") grants passt(1) read-write access to /{,var/}run/libvirt/qemu/passt/* if started by the libvirt daemon. That's the path where passt creates PID and socket files only if the guest is started by the root user.
If the guest is started by another user, though, the path is more commonly /var/run/user/$UID/libvirt/qemu/run/passt: add it as a read-write location. Otherwise, passt won't be able to start, as reported by Andreas.
While at it, replace /{,var/}run/ in the existing rule by its corresponding tunable variable, @{run}.
Reported-by: Andreas B. Mundt <andi@debian.org>
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061678
Fixes: 7a39b04d683f ("apparmor: Enable passt support")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 src/security/apparmor/libvirt-qemu.in | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in index f40f471891..8b92915281 100644 --- a/src/security/apparmor/libvirt-qemu.in +++ b/src/security/apparmor/libvirt-qemu.in @@ -196,7 +196,8 @@ signal (receive) set=("term") peer=libvirtd, signal (receive) set=("term") peer=virtqemud,
- owner /{,var/}run/libvirt/qemu/passt/* rw, + owner @{run}/user/[0-9]*/libvirt/qemu/run/passt/* rw, + owner @{run}/libvirt/qemu/passt/* rw,
Makes sense to me, so
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
I'll give Jim and others a chance to take a look before pushing.
LGTM,
Reviewed-by: Jim Fehlig <jfehlig@suse.com>
I just realized that you sent the patch to the old mailing list address. We've migrated somewhat recently, so that's completely understandable :)
Thanks for noticing and adjusting the recipient!
Regards,
Jim

On Tue, Jan 30, 2024 at 05:21:02PM -0700, Jim Fehlig wrote:
On 1/30/24 11:55, Andrea Bolognani wrote:
On Tue, Jan 30, 2024 at 10:47:54AM -0800, Andrea Bolognani wrote:
On Tue, Jan 30, 2024 at 07:15:51PM +0100, Stefano Brivio wrote:
- owner /{,var/}run/libvirt/qemu/passt/* rw, + owner @{run}/user/[0-9]*/libvirt/qemu/run/passt/* rw, + owner @{run}/libvirt/qemu/passt/* rw,
Makes sense to me, so
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
I'll give Jim and others a chance to take a look before pushing.
LGTM,
Reviewed-by: Jim Fehlig <jfehlig@suse.com>
Thanks! Pushed now.
-- 
Andrea Bolognani / Red Hat / Virtualization