[PATCH] apparmor: avoid denials on libpmem initialization

Jamie Strandboge jamie at canonical.com
Wed Apr 8 19:50:10 UTC 2020

On Wed, 08 Apr 2020, Jamie Strandboge wrote:

> On Wed, 08 Apr 2020, Christian Ehrhardt wrote:
> > With libpmem support compiled into qemu it will trigger the following
> > denials on every startup.
> >   apparmor="DENIED" operation="open" name="/"
> >   apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/"
> > 
> > This is due to [1] that tries to auto-detect if the platform supports
> > auto flush for all regions.
> > 
> > Once we know all the paths that are potentially needed if this feature
> > is really used we can add them conditionally in virt-aa-helper and labelling
> > calls in case </pmem> is enabled.
> > 
> > But until then the change here silences the denial warnings seen above.
> > 
> > [1]: https://github.com/pmem/pmdk/blob/master/src/libpmem2/auto_flush_linux.c#L131
> > 
> > Bug: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1871354
> > 
> > +  /sys/bus/nd/devices/* r,
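Review bot: the glob in `/sys/bus/nd/devices/* r,` grants read access to the contents of every entry one level below that directory, present and future, while the probe described in the commit message only needs to enumerate the directory and look at the symlinks in it; a directory-only rule (trailing slash, i.e. `/sys/bus/nd/devices/ r,`) covers the `operation="open" name="/sys/bus/nd/devices/"` denial quoted above without exposing the attribute files of whatever devices get bound to the bus later. The other denial quoted above, `open name="/"`, is not addressed by the line shown here; if the rule for it lives elsewhere in the patch, it should likewise be the directory read `/ r,` and nothing broader.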
> Can you list what files libpmem init is looking at? I'm a bit
> uncomfortable with the glob here and would rather not guess that today's
> and all future files in /sys/bus/nd/devices are safe for all qemu
> processes to read.

Answering myself after looking at the pmdk source code, fs_new() is
calling fts_open() without FTS_NOCHDIR (and based on your '/' rule,
starting in '/'), then calls fs_read() which calls fts_read() on the
files it finds in /sys/bus/nd/devices (it makes sure to only look at
symlinks, but that doesn't impact our rules). Writing some test code to
simulate this and testing on /sys/bus/usb/devices (since I have usb
devices here, but not nd and this dir is populated with symlinks as the
libpmem code expects), I think the full rules you want are:

# required by libpmem init to fts_open()/fts_read() the symlinks in
# /sys/bus/nd/devices
/ r,
/sys/bus/nd/devices/{,**/} r,

Ideally this access would only be needed if using NFIT-ND devices, but
as you mentioned, that is not possible at the point of the denial. I
think these rules are fine to apply to the default VM policy since they
are only a collection of directory reads (note the trailing '/'s in the
second rule), which should have no impact on guest isolation or host

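The walk described in the reply above, reproduced on a throwaway directory tree so the accesses an AppArmor rule has to cover can be seen directly. This is example code added here, not pmdk's or libvirt's own; it assumes glibc's fts(3), assumes the probe opens with FTS_COMFOLLOW | FTS_XDEV and without FTS_NOCHDIR, and uses a constructed sysfs-like fixture under mkdtemp() in place of /sys/bus/nd/devices.

```c
/* Simulate libpmem's auto-flush probe: fts_open() on a bus directory without
 * FTS_NOCHDIR, then fts_read() and inspect only the symlink entries.
 * Added example, not pmdk's or libvirt's code. Flags are an assumption. */
#define _DEFAULT_SOURCE
#include <fts.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

int last_dirs_read;   /* directories fts_read() had to open on the last walk */

/* Walk 'root' the way the probe does. Without FTS_NOCHDIR, fts_open() first
 * does open(".") so it can fchdir() back later; when the caller's cwd is '/'
 * (qemu's case) that is the 'open name="/"' denial. Symlinks are reported as
 * FTS_SL and not followed (no FTS_LOGICAL), so only 'root' itself and any
 * real subdirectory inside it are read. Returns the symlink count, -1 on error. */
int count_symlinks(const char *root)
{
    char *const argv[] = { (char *)root, NULL };
    FTS *ft = fts_open(argv, FTS_COMFOLLOW | FTS_XDEV, NULL);
    if (!ft)
        return -1;
    int links = 0;
    last_dirs_read = 0;
    FTSENT *e;
    while ((e = fts_read(ft)) != NULL) {
        switch (e->fts_info) {
        case FTS_D:                       /* directory opened for reading */
            last_dirs_read++;
            break;
        case FTS_SL: case FTS_SLNONE:     /* the probe only looks at these */
            links++;
            break;
        default:                          /* regular files etc. are skipped */
            break;
        }
    }
    fts_close(ft);
    return links;
}

/* Constructed fixture (hypothetical names, modelled on nd bus entries):
 *   <tmp>/devices/ndbus0        -> ../targets/ndbus0
 *   <tmp>/devices/namespace0.0  -> ../targets/namespace0.0
 *   <tmp>/devices/uevent           regular file, must be ignored
 * Writes the <tmp> path into 'buf' (at least PATH_MAX bytes); -1 on error. */
static int make_fixture(char *buf)
{
    strcpy(buf, "/tmp/ndprobeXXXXXX");
    if (!mkdtemp(buf))
        return -1;
    char p[PATH_MAX];
    const char *dirs[] = { "targets", "targets/ndbus0", "targets/namespace0.0", "devices" };
    for (size_t i = 0; i < 4; i++) {
        snprintf(p, sizeof p, "%s/%s", buf, dirs[i]);
        if (mkdir(p, 0700) != 0)
            return -1;
    }
    snprintf(p, sizeof p, "%s/devices/ndbus0", buf);
    if (symlink("../targets/ndbus0", p) != 0)
        return -1;
    snprintf(p, sizeof p, "%s/devices/namespace0.0", buf);
    if (symlink("../targets/namespace0.0", p) != 0)
        return -1;
    snprintf(p, sizeof p, "%s/devices/uevent", buf);
    FILE *f = fopen(p, "w");
    if (!f)
        return -1;
    fclose(f);
    return 0;
}

static void remove_fixture(const char *buf)
{
    char p[PATH_MAX];
    const char *files[] = { "devices/ndbus0", "devices/namespace0.0", "devices/uevent" };
    for (size_t i = 0; i < 3; i++) { snprintf(p, sizeof p, "%s/%s", buf, files[i]); unlink(p); }
    const char *dirs[] = { "devices", "targets/namespace0.0", "targets/ndbus0", "targets" };
    for (size_t i = 0; i < 4; i++) { snprintf(p, sizeof p, "%s/%s", buf, dirs[i]); rmdir(p); }
    rmdir(buf);
}

/* Build the fixture, walk its devices/ directory, clean up; returns the symlink count. */
int run_demo(void)
{
    char tmp[PATH_MAX], dev[PATH_MAX];
    if (make_fixture(tmp) != 0)
        return -1;
    snprintf(dev, sizeof dev, "%s/devices", tmp);
    int n = count_symlinks(dev);
    remove_fixture(tmp);
    return n;
}

int main(void)
{
    int n = run_demo();
    printf("symlinks inspected: %d, directories read: %d\n", n, last_dirs_read);
    return n < 0;
}
```

Running it under strace -e trace=open,openat shows the two accesses the denials name: the open(".") from fts_open() (the cwd, "/" for qemu) and the directory read of devices/ itself; the symlink targets are never opened, which is why directory-only rules with a trailing slash are enough.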
