[libvirt] [PATCH 09/10] appmor, virt-aa-helper: Add 9p support
Guido Günther
agx at sigxcpu.org
Mon May 15 16:13:12 UTC 2017
On Mon, May 15, 2017 at 03:23:18PM +0200, Stefan Bader wrote:
> From: Serge Hallyn <serge.hallyn at ubuntu.com>
>
> Add fowner and fsetid to libvirt-qemu profile and add link
> to 9p file options in virt-aa-helper.
>
> Bug-Ubuntu: https://bugs.launchpad.net/bugs/1378434
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
> ---
> examples/apparmor/libvirt-qemu | 4 ++++
> src/security/virt-aa-helper.c | 2 +-
> 2 files changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index 89466c9..f04ce04 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -13,6 +13,10 @@
> capability setgid,
> capability setuid,
>
> + # for 9p
> + capability fsetid,
> + capability fowner,
> +
> network inet stream,
> network inet6 stream,
I would put this into a separate patch.
>
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index a2d5c21..667241b 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -1108,7 +1108,7 @@ get_files(vahControl * ctl)
> /* We don't need to add deny rw rules for readonly mounts,
> * this can only lead to troubles when mounting / readonly.
> */
> - if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rw", true) != 0)
> + if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rwl", true) != 0)
Given the recent QEMU 9pfs CVS that allowed to access paths outside src.path
I would feel better if the rule produces s.th. like
link subset src.path/** -> src.path/**,
instead of allowing links to /**.
Cheers,
-- Guido
> goto cleanup;
> }
> }
> --
> 2.7.4
>
More information about the libvir-list
mailing list