[libvirt] [PATCH 3/3] virt-aa-helper: Fix AppArmor profile

Ján Tomko jtomko at redhat.com
Mon Aug 19 13:07:20 UTC 2019


On Mon, Aug 19, 2019 at 12:01:42PM +0200, Andrea Bolognani wrote:
>Since
>
>  commit 432faf259b696043ee5d7e8f657d855419a9a3fa
>  Author: Michal Privoznik <mprivozn at redhat.com>
>  Date:   Tue Jul 2 19:49:51 2019 +0200
>
>    virCommand: use procfs to learn opened FDs
>
>    When spawning a child process, between fork() and exec() we close
>    all file descriptors and keep only those the caller wants us to
>    pass onto the child. The problem is how we do that. Currently, we
>    get the limit of opened files and then iterate through each one
>    of them and either close() it or make it survive exec(). This
>    approach is suboptimal (although, not that much in default
>    configurations where the limit is pretty low - 1024). We have
>    /proc where we can learn what FDs we hold open and thus we can
>    selectively close only those.
>
>    Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
>    Reviewed-by: Ján Tomko <jtomko at redhat.com>
>
>  v5.5.0-173-g432faf259b
>
>programs using the virCommand APIs on Linux need read access to
>/proc/self/fd, or they will fail like
>
>  error : virCommandWait:2796 : internal error: Child process
>  (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -c
>   -u libvirt-b20e9a8e-091a-45e0-8823-537119e98bc6) unexpected exit
>  status 1: libvirt:  error : cannot open directory '/proc/self/fd':
>  Permission denied
>  virt-aa-helper: error: apparmor_parser exited with error
>
>Update the AppArmor profile for virt-aa-helper so that read access
>to the relevant path is granted.
>
>Signed-off-by: Andrea Bolognani <abologna at redhat.com>
>---
> src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++++
> 1 file changed, 4 insertions(+)
>

Reviewed-by: Ján Tomko <jtomko at redhat.com>

Jano
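The quoted commit message explains why virt-aa-helper now needs /proc/self/fd: between fork() and exec(), virCommand lists that directory to learn which descriptors are open and closes only those not in the caller's keep-set, instead of sweeping every fd number up to the open-file limit. The following is example code written for this page to show both strategies side by side; it is not libvirt's virCommand implementation, and the function names (close_fds_via_procfs, close_fds_via_rlimit, close_fds_except, demo_fd_cleanup_in_child) are hypothetical.

```c
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 if fd is in the caller's keep-set (fds that must survive exec()). */
static int fd_is_kept(int fd, const int *keep, size_t nkeep)
{
    for (size_t i = 0; i < nkeep; i++)
        if (keep[i] == fd)
            return 1;
    return 0;
}

/* Close every open fd not listed in keep[], learning which fds are open by
 * listing /proc/self/fd. Returns the number of fds closed, or -1 with errno
 * set when the directory cannot be read (for example when a MAC profile such
 * as AppArmor denies it, which is the failure quoted in the patch above). */
int close_fds_via_procfs(const int *keep, size_t nkeep)
{
    DIR *dir = opendir("/proc/self/fd");
    if (!dir)
        return -1;

    /* Collect first, close afterwards: the directory stream holds an fd of
     * its own and closing entries while still reading it would be unsafe. */
    int self = dirfd(dir);
    int *victims = NULL;
    size_t n = 0, cap = 0;
    struct dirent *ent;
    while ((ent = readdir(dir)) != NULL) {
        char *end;
        long fd = strtol(ent->d_name, &end, 10);
        if (end == ent->d_name || *end != '\0' || fd < 0)
            continue;                       /* skips "." and ".." */
        if ((int)fd == self || fd_is_kept((int)fd, keep, nkeep))
            continue;
        if (n == cap) {
            cap = cap ? cap * 2 : 16;
            int *grown = realloc(victims, cap * sizeof(*grown));
            if (!grown) {
                free(victims);
                closedir(dir);
                errno = ENOMEM;
                return -1;
            }
            victims = grown;
        }
        victims[n++] = (int)fd;
    }
    closedir(dir);

    int closed = 0;
    for (size_t i = 0; i < n; i++)
        if (close(victims[i]) == 0)
            closed++;
    free(victims);
    return closed;
}

/* The approach the commit replaced: sweep every fd number below the open-file
 * limit and close() each one not in keep[]. Needs no /proc, but costs one
 * syscall per slot whether or not that slot is actually open. */
int close_fds_via_rlimit(const int *keep, size_t nkeep)
{
    struct rlimit rl;
    long max;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY)
        max = (long)rl.rlim_cur;
    else
        max = sysconf(_SC_OPEN_MAX);
    if (max < 0)
        return -1;

    int closed = 0;
    for (long fd = 0; fd < max; fd++)
        if (!fd_is_kept((int)fd, keep, nkeep) && close((int)fd) == 0)
            closed++;
    return closed;
}

/* Prefer procfs and fall back to the sweep when /proc/self/fd is unreadable.
 * The fallback is a design choice of this example; the error quoted above
 * shows virt-aa-helper failing outright instead. */
int close_fds_except(const int *keep, size_t nkeep)
{
    int rc = close_fds_via_procfs(keep, nkeep);
    return rc >= 0 ? rc : close_fds_via_rlimit(keep, nkeep);
}

/* Demo mirroring the fork()/exec() window: the child inherits a pipe plus a
 * duplicated fd, keeps only stdio and the pipe's write end, then checks with
 * fcntl(F_GETFD) which fds survived. Returns 0 when the outcome is as
 * expected, 1 when it is not, -1 on setup failure. */
int demo_fd_cleanup_in_child(void)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;
    int extra = dup(p[0]);
    if (extra < 0) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        const int keep[] = { STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO, p[1] };
        int closed = close_fds_except(keep, sizeof(keep) / sizeof(keep[0]));
        int ok = closed >= 2                       /* at least p[0] and extra */
              && fcntl(p[1], F_GETFD) != -1        /* kept */
              && fcntl(p[0], F_GETFD) == -1        /* closed */
              && fcntl(extra, F_GETFD) == -1;      /* closed */
        _exit(ok ? 0 : 1);
    }

    int status = 0;
    waitpid(pid, &status, 0);
    close(p[0]);
    close(p[1]);
    close(extra);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("fd cleanup demo: %s\n", demo_fd_cleanup_in_child() == 0 ? "ok" : "FAILED");
    return 0;
}
```

Running the demo inside a confined process without read access to /proc/self/fd exercises the fallback path; with access, only the descriptors that are actually open are touched, which is the saving the commit message describes.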