[libvirt] Socket files in virt-aa-helper

Michał Dubiel md at semihalf.com
Tue Jun 16 13:40:16 UTC 2015


Hi all,

May I kindly ask someone for some advice on this topic?

Regards,
Michal

On 21 May 2015 at 20:23, Michał Dubiel <md at semihalf.com> wrote:

> Hi guys,
>
> I have got a question. I need to add apparmor support for vhost-user
> socket files used to communicate with the vhost-user server app. Those are
> defined with something like:
> <interface type='vhostuser'>
>       <mac address='02:ed:f3:5d:de:f3'/>
>       <source type='unix' path='/var/run/vrouter/uvh_vif_tapa8396c51-2a' mode='client'/>
>       <model type='virtio'/>
>       <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
> </interface>
>
> I added something like this into get_files() function in virt-aa-helper.c:
>     for (i = 0; i < ctl->def->nnets; i++) {
>         if (ctl->def->nets[i] &&
>                 ctl->def->nets[i]->type == VIR_DOMAIN_NET_TYPE_VHOSTUSER &&
>                 ctl->def->nets[i]->data.vhostuser) {
>             virDomainChrSourceDefPtr vhu = ctl->def->nets[i]->data.vhostuser;
>
>             if (vah_add_file_chardev(&buf, vhu->data.nix.path, "rw",
>                        vhu->type) != 0)
>                 goto cleanup;
>         }
>     }
>
> However, there is a restriction for the socket file types in valid_path()
> function:
>         switch (sb.st_mode & S_IFMT) {
>             case S_IFSOCK:
>                 return 1;
>                 break;
>             default:
>                 break;
>         }
> That prevents this from working.
>
> May I ask why the socket file types are restricted? Vhost-user uses
> sockets, so if I want to use apparmor, virt-aa-helper has to be able to add
> the line for the socket file into
> /etc/apparmor.d/libvirt/libvirt-UUID.files.
>
> Regards,
> Michal
>
>
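
The file-type test quoted above, reproduced as a stand-alone program so its effect on a UNIX socket path can be observed. This is an added example, not code from the original post or from libvirt; `check_file_type` and `demo_socket_result` are hypothetical names, and the return convention (1 for a socket) follows the quoted `switch`.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Hypothetical helper (not libvirt code): 0 = file type accepted,
 * 1 = socket, restricted as in the quoted switch, -1 = stat() failed. */
static int check_file_type(const char *path)
{
    struct stat sb;

    if (stat(path, &sb) == -1)
        return -1;
    switch (sb.st_mode & S_IFMT) {
    case S_IFSOCK:
        return 1;
    default:
        return 0;
    }
}

/* Constructed test case: bind a UNIX socket inside a fresh private temp
 * directory and classify it. Returns -1 if the setup itself fails. */
static int demo_socket_result(void)
{
    char dir[] = "/tmp/vah-demo-XXXXXX";
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    int fd, ret = -1;

    if (!mkdtemp(dir))
        return -1;
    snprintf(addr.sun_path, sizeof(addr.sun_path), "%s/uvh_demo.sock", dir);
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0)
        ret = check_file_type(addr.sun_path);
    if (fd >= 0)
        close(fd);
    unlink(addr.sun_path);
    rmdir(dir);
    return ret;
}

int main(void)
{
    printf("socket=%d dir=%d missing=%d\n", demo_socket_result(),
           check_file_type("/tmp"), check_file_type("/nonexistent/vah-demo"));
    return 0;
}
```

The socket path is classified as restricted while other existing file types pass, which is why the vhost-user path never reaches the generated profile.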