[libvirt] [PATCH 09/10] appmor, virt-aa-helper: Add 9p support

Stefan Bader stefan.bader at canonical.com
Wed May 17 15:10:06 UTC 2017


On 15.05.2017 18:13, Guido Günther wrote:
> On Mon, May 15, 2017 at 03:23:18PM +0200, Stefan Bader wrote:
>> From: Serge Hallyn <serge.hallyn at ubuntu.com>
>>
>> Add fowner and fsetid to libvirt-qemu profile and add link
>> to 9p file options in virt-aa-helper.
>>
>> Bug-Ubuntu: https://bugs.launchpad.net/bugs/1378434
>>
>> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
>> Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
>> ---
>>  examples/apparmor/libvirt-qemu | 4 ++++
>>  src/security/virt-aa-helper.c  | 2 +-
>>  2 files changed, 5 insertions(+), 1 deletion(-)
>>
>> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
>> index 89466c9..f04ce04 100644
>> --- a/examples/apparmor/libvirt-qemu
>> +++ b/examples/apparmor/libvirt-qemu
>> @@ -13,6 +13,10 @@
>>    capability setgid,
>>    capability setuid,
>>  
>> +  # for 9p
>> +  capability fsetid,
>> +  capability fowner,
>> +
>>    network inet stream,
>>    network inet6 stream,
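Review bot: the `# for 9p` comment in this hunk should say which 9p operation needs `capability fsetid` and `capability fowner`, because both are broad: CAP_FOWNER bypasses the owner-UID check on chmod/chown/utimes/xattr operations and CAP_FSETID lets setuid/setgid bits be set or preserved on files the process does not own. Since examples/apparmor/libvirt-qemu is shared by every guest profile that includes it, this grants the two capabilities to all guests, including ones with no <filesystem> passthrough; consider having virt-aa-helper emit the two capability lines only for domains that actually define a 9p share, and, as already noted in the thread, keep the profile change in its own patch with a commit message that explains the need.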
> 
> I would put this into a separate patch.
> 
>>  
>> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
>> index a2d5c21..667241b 100644
>> --- a/src/security/virt-aa-helper.c
>> +++ b/src/security/virt-aa-helper.c
>> @@ -1108,7 +1108,7 @@ get_files(vahControl * ctl)
>>              /* We don't need to add deny rw rules for readonly mounts,
>>               * this can only lead to troubles when mounting / readonly.
>>               */
>> -            if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rw", true) != 0)
>> +            if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rwl", true) != 0)
> 
> Given the recent QEMU 9pfs CVE that allowed access to paths outside src.path
> I would feel better if the rule produced something like
> 
>      link subset src.path/** -> src.path/**,
> 
> instead of allowing links to /**.

I had hoped to gain additional feedback from other people, but will start an
updated submission tomorrow, splitting this one back into the two halves as
suggested and merging the others (5+6 and 7+8) together.

-Stefan

> Cheers,
>  -- Guido
> 
> 
>>                  goto cleanup;
>>          }
>>      }
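Review bot: changing "rw" to "rwl" at the `vah_add_path` call grants the `l` permission on fs->src->path without constraining where a new hard link may point, so a link created under the share is not limited to targets inside the share (the `/**` target Guido refers to above); emit an explicit rule instead, for instance `link subset <src>/** -> <src>/**,` alongside the existing `rw` rule, so that both ends of the link stay under fs->src->path. The commit message should also state which 9p operation needs link permission (guest link(2) on a read-write passthrough or mapped share). Leaving the readonly branch at "R" is correct: a read-only mount must not be able to create links.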
>> -- 
>> 2.7.4
>>
> 
> --
> libvir-list mailing list
> libvir-list at redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
> 
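To make the difference between the two rule forms discussed above concrete, here is a per-guest profile fragment as an added illustration. It is not output of libvirt's virt-aa-helper and not part of the thread; the share directory /srv/share is an assumed path, and each of the three rule groups is an alternative for the same share, not something to apply together.

```apparmor
# Added illustration, not libvirt's generated output. Assumes a domain with a
# <filesystem type='mount'> whose source directory is /srv/share (assumed path).

# 1. What the patched helper emits for a read-write share. The 'l' in a plain
#    file rule allows creating hard links at this path, but the link target is
#    not pinned to the share.
  "/srv/share/**" rwl,

# 2. The alternative raised in the thread: keep the plain rw rule and add an
#    explicit link rule whose link name and target are both under the share.
#    'subset' additionally requires the new link's permissions to be a subset
#    of the target file's permissions, so a link cannot widen access.
  "/srv/share/**" rw,
  link subset "/srv/share/**" -> "/srv/share/**",

# 3. A read-only share: read access only, no link permission at all.
  "/srv/share/**" r,
```

Pick one group per share. Group 2 is what the review asks the helper to generate for fs->readonly == false; group 3 corresponds to the readonly branch.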

