<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 14, 2020 at 10:19 PM Jim Fehlig <<a href="mailto:jfehlig@suse.com">jfehlig@suse.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 2/14/20 1:14 PM, Christian Ehrhardt wrote:<br>
> <br>
> <br>
> On Fri, Feb 14, 2020 at 6:00 PM Jim Fehlig <<a href="mailto:jfehlig@suse.com" target="_blank">jfehlig@suse.com</a>> wrote:<br>
> <br>
> On 2/13/20 4:32 AM, Christian Ehrhardt wrote:<br>
> > Configuring vhost-user-gpu like:<br>
> > <video><br>
> > <driver name='vhostuser'/><br>
> > <model type='virtio' heads='1'/><br>
> > </video><br>
> > Triggers an apparmor denial like:<br>
> > apparmor="DENIED" operation="exec" profile="libvirtd"<br>
> > name="/usr/lib/qemu/vhost-user-gpu" pid=888257 comm="libvirtd"<br>
> > requested_mask="x" denied_mask="x" fsuid=0 ouid=0<br>
> ><br>
> > This helper is provided by qemu for vhost-user-gpu and is thereby<br>
> > in the same path as qemu_bridge_helper. Due to that, the rule added to<br>
> > allow calling it uses the same path list.<br>
> <br>
> Does the vhost-user-gpu helper need a profile to restrict its access, similar to<br>
> the bridge helper?<br>
> <br>
> Hi Jim,<br>
> Yes - we can later on add one, as soon as someone has done the work to trace all the <br>
> things that will be needed.<br>
> I had no full setup - and I'm not sure about the multitude of potential <br>
> configurations - so I didn't go that far.<br>
> I didn't have that yet, but if anyone has, please just add a follow-on patch.<br>
> <br>
> The P in PUx allows someone to define an external profile to guard it - and <br>
> it would be used, but without one existing the U allows it to fall back to <br>
> unconfined.<br>
<br>
Nod. That's reasonable behavior in the absence of an internal profile.<br>
<br>
> If/once we add an internal profile like we do for the bridge helper, P can be changed <br>
> to C, but as I said I have no useful profile and no full setup to test and train one <br>
> at the moment.<br>
<br>
With a bit of searching I could probably find a setup, but getting access is <br>
another thing. In the meantime your patch is a fine alternative IMO.<br>
<br>
Reviewed-by: Jim Fehlig <<a href="mailto:jfehlig@suse.com" target="_blank">jfehlig@suse.com</a>><br></blockquote><div><br></div><div>Thanks, pushed with the Reviewed-by added.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Regards,<br>
Jim<br>
<br>
> ><br>
> > Signed-off-by: Christian Ehrhardt <<a href="mailto:christian.ehrhardt@canonical.com" target="_blank">christian.ehrhardt@canonical.com</a>><br>
> > ---<br>
> > src/security/apparmor/<a href="http://usr.sbin.libvirtd.in" rel="noreferrer" target="_blank">usr.sbin.libvirtd.in</a><br>
> <<a href="http://usr.sbin.libvirtd.in" rel="noreferrer" target="_blank">http://usr.sbin.libvirtd.in</a>> | 1 +<br>
> > 1 file changed, 1 insertion(+)<br>
> ><br>
> > diff --git a/src/security/apparmor/<a href="http://usr.sbin.libvirtd.in" rel="noreferrer" target="_blank">usr.sbin.libvirtd.in</a><br>
> <<a href="http://usr.sbin.libvirtd.in" rel="noreferrer" target="_blank">http://usr.sbin.libvirtd.in</a>> b/src/security/apparmor/<a href="http://usr.sbin.libvirtd.in" rel="noreferrer" target="_blank">usr.sbin.libvirtd.in</a><br>
> <<a href="http://usr.sbin.libvirtd.in" rel="noreferrer" target="_blank">http://usr.sbin.libvirtd.in</a>><br>
> > index b384b7213b..1e137039e9 100644<br>
> > --- a/src/security/apparmor/<a href="http://usr.sbin.libvirtd.in" rel="noreferrer" target="_blank">usr.sbin.libvirtd.in</a><br>
> <<a href="http://usr.sbin.libvirtd.in" rel="noreferrer" target="_blank">http://usr.sbin.libvirtd.in</a>><br>
> > +++ b/src/security/apparmor/<a href="http://usr.sbin.libvirtd.in" rel="noreferrer" target="_blank">usr.sbin.libvirtd.in</a><br>
> <<a href="http://usr.sbin.libvirtd.in" rel="noreferrer" target="_blank">http://usr.sbin.libvirtd.in</a>><br>
> > @@ -86,6 +86,7 @@ profile libvirtd @sbindir@/libvirtd<br>
> flags=(attach_disconnected) {<br>
> > /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,<br>
> > /usr/{lib,lib64}/xen/bin/* Ux,<br>
> > /usr/lib/xen-*/bin/libxl-save-helper PUx,<br>
> > + /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,<br>
> ><br>
> > # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to<br>
> > # read and run an ebtables script.<br>
> ><br>
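Review bot: the added PUx rule for vhost-user-gpu has no accompanying comment and no child profile in this file, so wherever no external profile for the helper is loaded it runs unconfined, which is the P-then-U fallback described earlier in this thread; a one-line comment above the new rule stating that the fallback is intentional and that a C-mode child profile is still pending (as already exists for the bridge helper) would keep a later reader from taking the rule as full confinement. The brace glob does cover the /usr/lib/qemu/vhost-user-gpu path from the quoted denial, so the rule itself is consistent with the commit message.<br>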
> <br>
> <br>
> <br>
> -- <br>
> Christian Ehrhardt<br>
> Staff Engineer, Ubuntu Server<br>
> Canonical Ltd<br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">Christian Ehrhardt<br>Staff Engineer, Ubuntu Server<br>Canonical Ltd</div></div>
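Added example, not code from this thread or from libvirt: a small Python check that parses the AppArmor denial quoted above, tests whether the exec rules visible in the hunk cover the denied path under AppArmor's brace and glob syntax, and reports the exec transition mode of the matching rule so the PUx fallback to unconfined is visible to whoever reviews the rule. It implements only the subset of AppArmor globbing these rules use (unnested {a,b} alternation, * and ?); the sample denial and rule text are constructed from the message, and the function names are my own.

```python
import re
# Constructed sample: the audit denial quoted in the thread, joined into one line.
DENIAL = ('apparmor="DENIED" operation="exec" profile="libvirtd" '
          'name="/usr/lib/qemu/vhost-user-gpu" pid=888257 comm="libvirtd" '
          'requested_mask="x" denied_mask="x" fsuid=0 ouid=0')
# Constructed sample: the exec rules visible in the hunk, including the new line.
PROFILE_RULES = """
  /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
  /usr/{lib,lib64}/xen/bin/* Ux,
  /usr/lib/xen-*/bin/libxl-save-helper PUx,
  /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
"""
# Exec transition modes discussed in the thread: P(rofile), U(nconfined), C(hild).
EXEC_MODES = {"PUx": "named profile if one is loaded, otherwise unconfined",
              "Cx": "child profile defined in this file", "Ux": "unconfined"}

def parse_denial(line):
    """Turn an audit record into a dict of its key=value / key="value" fields."""
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[key] = quoted if quoted else bare
    return fields

def parse_rules(text):
    """Return (path glob, mode) pairs for lines shaped like '/path/glob PUx,'."""
    return re.findall(r'^\s*(/\S+)\s+([A-Za-z]+),\s*$', text, flags=re.M)

def expand_braces(pattern):
    """Expand AppArmor {a,b,c} alternations (unnested, as used in these rules)."""
    m = re.search(r'\{([^{}]*)\}', pattern)
    if not m:
        return [pattern]
    pre, post = pattern[:m.start()], pattern[m.end():]
    return [e for alt in m.group(1).split(',') for e in expand_braces(pre + alt + post)]

def glob_to_regex(pattern):
    """Subset of AppArmor globbing: '**' crosses '/', while '*' and '?' do not."""
    alts = [re.escape(a).replace(r'\*\*', '.*').replace(r'\*', '[^/]*').replace(r'\?', '[^/]')
            for a in expand_braces(pattern)]
    return '^(?:' + '|'.join(alts) + ')$'

def matching_rule(rules, path):
    """First exec rule whose glob covers `path`, with its mode explained, or None."""
    for glob, mode in rules:
        if re.match(glob_to_regex(glob), path):
            return glob, mode, EXEC_MODES.get(mode, "mode not covered here")
    return None
```

Running `matching_rule(parse_rules(PROFILE_RULES), parse_denial(DENIAL)["name"])` shows the new rule matching the denied path with mode PUx, which is the fallback-to-unconfined behaviour the thread discusses.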