[libvirt] [PATCH] virt-aa-helper: handle more disk images

Cedric Bosdonnat cbosdonnat at suse.com
Tue Dec 19 12:16:25 UTC 2017


Hi there!

Has this one sunk into the abyssal depths of the mailing list? Ping for review.

--
Cedric

On Mon, 2017-12-11 at 16:23 +0100, Cédric Bosdonnat wrote:
> virt-aa-helper needs read access to the disk image to resolve symlinks
> and add the proper rules to the profile. Its profile whitelists a few
> common paths, but users can place their images anywhere.
> 
> This commit helps users allowing access to their images by adding their
> own rules in apparmor.d/local/usr.lib.libvirt.virt-aa-helper.
> 
> This commit also adds rules to allow reading files named:
>   - *.raw as this is a rather common disk image extension
>   - /run/libvirt/**[vd]d[a-z] as these are used by virt-sandbox
> ---
>  examples/Makefile.am                             | 24 ++++++++++++++++++++++--
>  examples/apparmor/usr.lib.libvirt.virt-aa-helper |  4 ++++
>  2 files changed, 26 insertions(+), 2 deletions(-)
> 
> diff --git a/examples/Makefile.am b/examples/Makefile.am
> index ef2f79db3..8a1d6919a 100644
> --- a/examples/Makefile.am
> +++ b/examples/Makefile.am
> @@ -67,6 +67,9 @@ admin_client_info_SOURCES = admin/client_info.c
>  admin_client_close_SOURCES = admin/client_close.c
>  admin_logging_SOURCES = admin/logging.c
>  
> +INSTALL_DATA_LOCAL =
> +UNINSTALL_LOCAL =
> +
>  if WITH_APPARMOR_PROFILES
>  apparmordir = $(sysconfdir)/apparmor.d/
>  apparmor_DATA = \
> @@ -85,20 +88,37 @@ templates_DATA = \
>  	apparmor/TEMPLATE.qemu \
>  	apparmor/TEMPLATE.lxc \
>  	$(NULL)
> +
> +APPARMOR_LOCAL_DIR = "$(DESTDIR)$(apparmordir)/local"
> +install-apparmor-local:
> +	$(MKDIR_P) "$(APPARMOR_LOCAL_DIR)"
> +	echo "# Site-specific additions and overrides for \
> +  		 'usr.lib.libvirt.virt-aa-helper'" \
> +		 >$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper
> +
> +INSTALL_DATA_LOCAL += install-apparmor-local
> +UNINSTALL_LOCAL += uninstall-apparmor-local
>  endif WITH_APPARMOR_PROFILES
>  
>  if WITH_NWFILTER
>  NWFILTER_DIR = "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter"
>  
> -install-data-local:
> +install-nwfilter-local:
>  	$(MKDIR_P) "$(NWFILTER_DIR)"
>  	for f in $(FILTERS); do \
>  		$(INSTALL_DATA) $$f "$(NWFILTER_DIR)"; \
>  	done
>  
> -uninstall-local::
> +uninstall-nwfilter-local::
>  	for f in $(FILTERS); do \
>  		rm -f "$(NWFILTER_DIR)/`basename $$f`"; \
>  	done
>  	-test -z "$(shell ls $(NWFILTER_DIR))" || rmdir $(NWFILTER_DIR)
> +
> +INSTALL_DATA_LOCAL += install-nwfilter-local
> +UNINSTALL_LOCAL += uninstall-nwfilter-local
>  endif WITH_NWFILTER
> +
> +install-data-local: $(INSTALL_DATA_LOCAL)
> +
> +uninstall-local: $(UNINSTALL_LOCAL)
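Review bot: `UNINSTALL_LOCAL += uninstall-apparmor-local` registers a target that this hunk never defines, so with WITH_APPARMOR_PROFILES enabled `make uninstall` will stop with "No rule to make target 'uninstall-apparmor-local'". Separately, the `install-apparmor-local` recipe writes the site-local file with an unconditional `>`, so every re-run of `make install` silently overwrites whatever rules the administrator put in `apparmor.d/local/usr.lib.libvirt.virt-aa-helper` — the opposite of the commit's stated purpose. The backslash-continued `echo` also drops the mixed tab/space indentation of its second line into the generated comment. I would guard the write with a `test -e` check and add the missing uninstall rule, mirroring the nwfilter pair below it; whether uninstall should delete a possibly user-edited file is a judgment call worth a comment.
```make
install-apparmor-local:
	$(MKDIR_P) "$(APPARMOR_LOCAL_DIR)"
	# Never clobber an existing site-local file: that is where admins keep their own rules.
	test -e "$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper" || \
		echo "# Site-specific additions and overrides for 'usr.lib.libvirt.virt-aa-helper'" \
		>"$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper"

uninstall-apparmor-local:
	rm -f "$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper"
	-test -z "$(shell ls $(APPARMOR_LOCAL_DIR))" || rmdir "$(APPARMOR_LOCAL_DIR)"

# … unchanged: INSTALL_DATA_LOCAL/UNINSTALL_LOCAL appends, nwfilter rules …
```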
> diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> index bd6181d00..f3069d369 100644
> --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> +++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> @@ -3,6 +3,7 @@
>  
>  profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
>    #include <abstractions/base>
> +  #include <local/usr.lib.libvirt.virt-aa-helper>
>  
>    # needed for searching directories
>    capability dac_override,
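Review bot: The new `#include <local/usr.lib.libvirt.virt-aa-helper>` makes loading this profile depend on that file existing; in the apparmor_parser releases I am aware of a missing include is a hard parse error, and a profile that fails to parse is simply not loaded, which in practice leaves virt-aa-helper running unconfined rather than denied — a fail-open outcome. The Makefile hook in this series creates the file on `make install`, but distro packages, manual installs and `make uninstall` can all leave the profile without it. A comment above the include would make the dependency visible to packagers: `# Site-specific rules; this file is created by 'make install' and MUST exist or the profile fails to load`. Shipping an (empty) local file from packaging, or documenting the requirement in the install notes, would close the gap.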
> @@ -50,8 +51,11 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
>    /var/lib/libvirt/images/ r,
>    /var/lib/libvirt/images/** r,
>    /{media,mnt,opt,srv}/** r,
> +  # For virt-sandbox
> +  /run/libvirt/**/[sv]d[a-z] r
>  
>    /**.img r,
> +  /**.raw r,
>    /**.qcow{,2} r,
>    /**.qed r,
>    /**.vmdk r,
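Review bot: The added rule `/run/libvirt/**/[sv]d[a-z] r` has no terminating comma, so apparmor_parser will reject the whole profile as a syntax error (every other file rule in this block ends in `,`); it should read `/run/libvirt/**/[sv]d[a-z] r,`. The pattern also differs from the one given in the commit message (`/run/libvirt/**[vd]d[a-z]`), so one of the two should be corrected to match. As a caveat rather than a defect, `/**.raw r,` lets the helper read any file named `*.raw` anywhere on the system; that is consistent with the existing `/**.img` and `/**.qcow*` rules, but it widens what a confused-deputy bug in the helper could disclose, which is worth a one-line comment next to the wildcard block.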



