[libvirt] PATCH 3/4: AppArmor updates

Jamie Strandboge jamie at canonical.com
Fri Sep 24 13:38:16 UTC 2010


On Thu, 2010-09-23 at 15:02 -0500, Jamie Strandboge wrote:
> > Hmm, that's a libvirt error rather than a QEMU error. Is the restricted
> > AppArmour policy taking effect *before* the actual QEMU binary is exec()d ?
> 
> This is related to the stacked security driver implementation.
> Specifically, if I strace libvirtd, I see in one of its threads:
> gettid()                                = 20306
> open("/proc/20306/attr/current", O_WRONLY) = 3
> write(3, "changeprofile libvirt-7d781722-6"..., 58) = 58
> close(3)                                = 0
> chown("/tmp/qrt-test-libvirt/libvirt/qatest/qatest.img", 116, 123) = 0
> setregid(123, 123)                      = -1 EPERM (Operation not
> permitted)
> 
> This chown appears to come from qemuSecurityDACSetProcessLabel(). What
> seems to be happening is that in __virExec() we call the security hook
> and the apparmor hook is being called before the DAC one, so we
> aa_change_profile() to the more restricted libvirt-<uuid> profile. It
> seems that it would be preferable to reverse the calling order of the
> hooks, but I am not sure how to do that.

Err.. of course I meant both the 'chown' and the 'setregid' appear to
come from qemuSecurityDACSetProcessLabel() and that it is the setregid
that is causing the error.

-- 
Jamie Strandboge             | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20100924/c6a27538/attachment-0001.sig>


More information about the libvir-list mailing list