
Re: [libvirt] [PATCH 09/10] appmor, virt-aa-helper: Add 9p support



On 15.05.2017 18:13, Guido Günther wrote:
> On Mon, May 15, 2017 at 03:23:18PM +0200, Stefan Bader wrote:
>> From: Serge Hallyn <serge hallyn ubuntu com>
>>
>> Add fowner and fsetid to libvirt-qemu profile and add link
>> to 9p file options in virt-aa-helper.
>>
>> Bug-Ubuntu: https://bugs.launchpad.net/bugs/1378434
>>
>> Signed-off-by: Christian Ehrhardt <christian ehrhardt canonical com>
>> Signed-off-by: Stefan Bader <stefan bader canonical com>
>> ---
>>  examples/apparmor/libvirt-qemu | 4 ++++
>>  src/security/virt-aa-helper.c  | 2 +-
>>  2 files changed, 5 insertions(+), 1 deletion(-)
>>
>> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
>> index 89466c9..f04ce04 100644
>> --- a/examples/apparmor/libvirt-qemu
>> +++ b/examples/apparmor/libvirt-qemu
>> @@ -13,6 +13,10 @@
>>    capability setgid,
>>    capability setuid,
>>  
>> +  # for 9p
>> +  capability fsetid,
>> +  capability fowner,
>> +
>>    network inet stream,
>>    network inet6 stream,
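Review bot: the two capability rules in this hunk are granted unconditionally in the shared libvirt-qemu profile, while the matching 9p path rule in the virt-aa-helper hunk is generated per guest; if only guests with a 9p share need CAP_FOWNER and CAP_FSETID, consider emitting them from virt-aa-helper next to that rule instead of giving them to every guest, and either way expand `# for 9p` to say which 9p operations require them. Splitting this into its own patch, as already suggested, would also let the capability change be reviewed and reverted on its own.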
> 
> I would put this into a separate patch.
> 
>>  
>> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
>> index a2d5c21..667241b 100644
>> --- a/src/security/virt-aa-helper.c
>> +++ b/src/security/virt-aa-helper.c
>> @@ -1108,7 +1108,7 @@ get_files(vahControl * ctl)
>>              /* We don't need to add deny rw rules for readonly mounts,
>>               * this can only lead to troubles when mounting / readonly.
>>               */
>> -            if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rw", true) != 0)
>> +            if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rwl", true) != 0)
> 
> Given the recent QEMU 9pfs CVE that allowed access to paths outside src.path,
> I would feel better if the rule produced s.th. like
> 
>      link subset src.path/** -> src.path/**,
> 
> instead of allowing links to /**.

I had hoped to gain additional feedback from other people. But will start an
updated submission tomorrow. Splitting this one back into the two halves as
suggested and merging the other (5+6 and 7+8) together.

-Stefan

> Cheers,
>  -- Guido
> 
> 
>>                  goto cleanup;
>>          }
>>      }
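Review bot: changing the mode string from "rw" to "rwl" gives the 9p source path a bare link permission, and neither the hunk nor the commit message says why 9p needs link at all or constrains where links may point; as the reply above suggests, a `link subset src.path/** -> src.path/**` rule keeps both ends of the link inside the share, so vah_add_path (or a dedicated helper) should emit that form rather than `l`, and the commit message should name the 9p operation that requires it. Leaving the readonly branch at "R" is correct.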
>> -- 
>> 2.7.4
>>
> 

