[PATCH] apparmor: Allow /usr/libexec for libxl-save-helper and pygrub

Like other distros, openSUSE Tumbleweed recently changed libexecdir from /usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper and pygrub. Signed-off-by: Jim Fehlig <jfehlig@suse.com> --- I considered including /usr/lib64, but I don't think any distros are installing xen libexecdir targets to /usr/lib64. Happy to include it if I'm wrong :-). src/security/apparmor/usr.sbin.libvirtd.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in index f2030764cd..bf4563e1e8 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -86,8 +86,8 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { /{usr/,}lib/udev/scsi_id PUx, /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, /usr/{lib,lib64}/xen/bin/* Ux, - /usr/lib/xen-*/bin/libxl-save-helper PUx, - /usr/lib/xen-*/bin/pygrub PUx, + /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx, + /usr/{lib,libexec}/xen-*/bin/pygrub PUx, /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx, -- 2.28.0
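Review bot: the reason for leaving out lib64 appears only below the `---` cut, where `git am` discards it; the neighbouring rules `/usr/{lib,lib64}/xen/bin/* Ux,` and `/usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,` do include lib64, so a later reader of the log will wonder why the two changed lines do not, and one sentence in the commit message proper (no known distro installs these helpers under /usr/lib64) would settle it. The scope otherwise looks right: only the path alternation widens to `{lib,libexec}`, while the `xen-*` component and the PUx execute mode stay as they were.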

On Wed, Sep 23, 2020 at 12:35 AM Jim Fehlig <jfehlig@suse.com> wrote:
Like other distros, openSUSE Tumbleweed recently changed libexecdir from /usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper and pygrub.
Hi Jim, ack to the intention, but since [1] I think this should use @libexecdir@. Or did anything change that this doesn't apply anymore ... in that case I beg your pardon. [1]: https://libvirt.org/git/?p=libvirt.git;a=commit;h=5c8bd31c881e99261ac098e867...
Signed-off-by: Jim Fehlig <jfehlig@suse.com> ---
I considered including /usr/lib64, but I don't think any distros are installing xen libexecdir targets to /usr/lib64. Happy to include it if I'm wrong :-).
src/security/apparmor/usr.sbin.libvirtd.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in index f2030764cd..bf4563e1e8 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -86,8 +86,8 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { /{usr/,}lib/udev/scsi_id PUx, /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, /usr/{lib,lib64}/xen/bin/* Ux, - /usr/lib/xen-*/bin/libxl-save-helper PUx, - /usr/lib/xen-*/bin/pygrub PUx, + /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx, + /usr/{lib,libexec}/xen-*/bin/pygrub PUx, /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
-- 2.28.0
-- Christian Ehrhardt Staff Engineer, Ubuntu Server Canonical Ltd

On 9/23/20 7:26 AM, Christian Ehrhardt wrote:
On Wed, Sep 23, 2020 at 12:35 AM Jim Fehlig <jfehlig@suse.com> wrote:
Like other distros, openSUSE Tumbleweed recently changed libexecdir from /usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper and pygrub.
Hi Jim, ack to the intention, but since [1] I think this should use @libexecdir@. Or did anything change that this doesn't apply anymore ... in that case I beg your pardon.
[1]: https://libvirt.org/git/?p=libvirt.git;a=commit;h=5c8bd31c881e99261ac098e867...
Heh, I see that skipped over the xen stuff :-). I'll send a V2 later. Regards, Jim

On 9/23/20 7:51 AM, Jim Fehlig wrote:
On 9/23/20 7:26 AM, Christian Ehrhardt wrote:
On Wed, Sep 23, 2020 at 12:35 AM Jim Fehlig <jfehlig@suse.com> wrote:
Like other distros, openSUSE Tumbleweed recently changed libexecdir from /usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper and pygrub.
Hi Jim, ack to the intention, but since [1] I think this should use @libexecdir@. Or did anything change that this doesn't apply anymore ... in that case I beg your pardon.
[1]: https://libvirt.org/git/?p=libvirt.git;a=commit;h=5c8bd31c881e99261ac098e867...
Heh, I see that skipped over the xen stuff :-). I'll send a V2 later.
Thinking about it more, perhaps it is best to go with this V1 patch since these are not files provided by libvirt but xen, where conceivably libvirt and xen could be built with different libexecdir? IMO it would be best to explicitly list the known paths distros have used for libxl-save-helper and pygrub. Regards, Jim

On Wed, Sep 23, 2020 at 12:46 PM Jim Fehlig <jfehlig@suse.com> wrote:
On 9/23/20 7:51 AM, Jim Fehlig wrote:
On 9/23/20 7:26 AM, Christian Ehrhardt wrote:
On Wed, Sep 23, 2020 at 12:35 AM Jim Fehlig <jfehlig@suse.com> wrote:
Like other distros, openSUSE Tumbleweed recently changed libexecdir from /usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper and pygrub.
Hi Jim, ack to the intention, but since [1] I think this should use @libexecdir@. Or did anything change that this doesn't apply anymore ... in that case I beg your pardon.
[1]: https://libvirt.org/git/?p=libvirt.git;a=commit;h=5c8bd31c881e99261ac098e867...
Heh, I see that skipped over the xen stuff :-). I'll send a V2 later.
Thinking about it more, perhaps it is best to go with this V1 patch since these are not files provided by libvirt but xen, where conceivably libvirt and xen could be built with different libexecdir? IMO it would be best to explicitly list the known paths distros have used for libxl-save-helper and pygrub.
It is entirely possible that one has not been updated yet, or someone is mixing packages, so this patch makes sense over having it assume a specific path.
-- 真実はいつも一つ!/ Always, there's only one truth!

On Wed, Sep 23, 2020 at 6:45 PM Jim Fehlig <jfehlig@suse.com> wrote:
On 9/23/20 7:51 AM, Jim Fehlig wrote:
On 9/23/20 7:26 AM, Christian Ehrhardt wrote:
On Wed, Sep 23, 2020 at 12:35 AM Jim Fehlig <jfehlig@suse.com> wrote:
Like other distros, openSUSE Tumbleweed recently changed libexecdir from /usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper and pygrub.
Hi Jim, ack to the intention, but since [1] I think this should use @libexecdir@. Or did anything change that this doesn't apply anymore ... in that case I beg your pardon.
[1]: https://libvirt.org/git/?p=libvirt.git;a=commit;h=5c8bd31c881e99261ac098e867...
Heh, I see that skipped over the xen stuff :-). I'll send a V2 later.
Thinking about it more, perhaps it is best to go with this V1 patch since these are not files provided by libvirt but xen, where conceivably libvirt and xen could be built with different libexecdir? IMO it would be best to explicitly list the known paths distros have used for libxl-save-helper and pygrub.
You are right, and in >99% of the cases it will be one of the two paths you have in your rule anyway. Sorry for the detour, Jim.
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Regards, Jim
-- Christian Ehrhardt Staff Engineer, Ubuntu Server Canonical Ltd
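The thread settles on listing the known install paths explicitly rather than substituting libvirt's own @libexecdir@, because xen may have been built with a different libexecdir. The following is an added example, not code from the patch or from the libvirt project: a small matcher that translates AppArmor path globs (`*`, `**`, `?` and `{a,b}` alternation) into regular expressions and checks which candidate paths the old and new pygrub rules cover. The xen version number in the candidate paths is made up; the rules themselves are the ones visible in the hunk.

```python
"""Added example (not libvirt's code): expand AppArmor path globs and check
which of a set of candidate helper paths a profile rule actually covers."""
import re


def _split_alternatives(inner: str) -> list:
    """Split the inside of {...} on top-level commas; nested braces are kept."""
    alts, depth, cur = [], 0, []
    for ch in inner:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            alts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    alts.append("".join(cur))  # last (possibly empty) alternative
    return alts


def _glob_body(pattern: str) -> str:
    """Translate an AppArmor path glob into an unanchored regex fragment.

    Globbing rules implemented (as documented for AppArmor profiles):
      *      any run of characters except '/'
      **     any run of characters, '/' included
      ?      exactly one character except '/'
      {a,b}  alternation; may nest, may contain '/', may be empty
    """
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*":
            if i + 1 < n and pattern[i + 1] == "*":
                out.append(".*")
                i += 2
            else:
                out.append("[^/]*")
                i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "{":
            depth, j = 1, i + 1
            while j < n and depth:
                depth += (pattern[j] == "{") - (pattern[j] == "}")
                j += 1
            if depth:
                raise ValueError("unbalanced '{' in %r" % pattern)
            alts = _split_alternatives(pattern[i + 1:j - 1])
            out.append("(?:" + "|".join(_glob_body(a) for a in alts) + ")")
            i = j
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def matches(pattern: str, path: str) -> bool:
    """True if the AppArmor path rule `pattern` covers `path`."""
    return re.fullmatch(_glob_body(pattern), path) is not None


def coverage(pattern: str, paths) -> list:
    """Subset of `paths` that `pattern` covers, in input order."""
    return [p for p in paths if matches(pattern, p)]


# The pygrub rule before and after the patch (copied from the hunk).
OLD_RULE = "/usr/lib/xen-*/bin/pygrub"
NEW_RULE = "/usr/{lib,libexec}/xen-*/bin/pygrub"

# Constructed candidate install locations; "4.14" is an assumed version.
CANDIDATES = [
    "/usr/lib/xen-4.14/bin/pygrub",        # classic libexecdir
    "/usr/libexec/xen-4.14/bin/pygrub",    # libexecdir=/usr/libexec
    "/usr/lib64/xen-4.14/bin/pygrub",      # deliberately outside the rule
    "/usr/lib/xen-4.14/extra/bin/pygrub",  # '*' must not cross a '/'
]

if __name__ == "__main__":
    for rule in (OLD_RULE, NEW_RULE):
        print(rule)
        for p in CANDIDATES:
            print("  %-40s %s" % (p, "allow" if matches(rule, p) else "deny"))
```

Running it shows the old rule denying the /usr/libexec location and the new rule allowing it, while /usr/lib64 stays outside both, which is exactly the trade-off discussed above: the rule is only as good as the list of paths it enumerates, so a distro that moves the helpers again needs a profile update rather than a rebuild.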

On Tue, Sep 22, 2020 at 6:35 PM Jim Fehlig <jfehlig@suse.com> wrote:
Like other distros, openSUSE Tumbleweed recently changed libexecdir from /usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper and pygrub.
Signed-off-by: Jim Fehlig <jfehlig@suse.com> ---
I considered including /usr/lib64, but I don't think any distros are installing xen libexecdir targets to /usr/lib64. Happy to include it if I'm wrong :-).
src/security/apparmor/usr.sbin.libvirtd.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in index f2030764cd..bf4563e1e8 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -86,8 +86,8 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { /{usr/,}lib/udev/scsi_id PUx, /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, /usr/{lib,lib64}/xen/bin/* Ux, - /usr/lib/xen-*/bin/libxl-save-helper PUx, - /usr/lib/xen-*/bin/pygrub PUx, + /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx, + /usr/{lib,libexec}/xen-*/bin/pygrub PUx, /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
-- 2.28.0
Yay! Looks great to me!
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
-- 真実はいつも一つ!/ Always, there's only one truth!