[PATCH v2] apparmor: avoid denials on libpmem initialization
Christian Ehrhardt
christian.ehrhardt at canonical.com
Wed Apr 15 08:34:56 UTC 2020
On Thu, Apr 9, 2020 at 6:57 PM Jamie Strandboge <jamie at canonical.com> wrote:
>
> On Thu, 09 Apr 2020, Christian Ehrhardt wrote:
>
> > With libpmem support compiled into qemu it will trigger the following
> > denials on every startup.
> > apparmor="DENIED" operation="open" name="/"
> > apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/"
> >
> > This is due to [1] that tries to auto-detect if the platform supports
> > auto flush for all regions.
> >
> > Once we know all the paths that are potentially needed if this feature
> > is really used we can add them conditionally in virt-aa-helper and labelling
> > calls in case </pmem> is enabled.
> >
> > But until then the change here silences the denial warnings seen above.
> >
> > [1]: https://github.com/pmem/pmdk/blob/master/src/libpmem2/auto_flush_linux.c#L131
> >
> > Bug: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1871354
> >
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> > ---
> > src/security/apparmor/libvirt-qemu | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> > index 80986aec61..1a4b226612 100644
> > --- a/src/security/apparmor/libvirt-qemu
> > +++ b/src/security/apparmor/libvirt-qemu
> > @@ -227,3 +227,8 @@
> > # required for sasl GSSAPI plugin
> > /etc/gss/mech.d/ r,
> > /etc/gss/mech.d/* r,
> > +
> > + # required by libpmem init to fts_open()/fts_read() the symlinks in
> > + # /sys/bus/nd/devices
> > + / r, # harmless on any lsb compliant system
> > + /sys/bus/nd/devices/{,**/} r,
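Review bot: the new `/ r,` and `/sys/bus/nd/devices/{,**/} r,` rules are unconditional in the shared libvirt-qemu abstraction, so every guest's qemu gains directory read access to these paths even when no pmem device is configured; since the commit message says the intent is to add the paths conditionally in virt-aa-helper once the full list is known, it would help to record that in the comment (e.g. `# TODO: move to virt-aa-helper once the pmem path list is known`) so the rule is not left permanently in the base profile. Note also that the trailing slash in `{,**/}` limits the grant to directory reads (what fts_open()/fts_read() needs to walk the symlinks), not the files beneath, which matches the two denials quoted in the commit message and keeps the scope minimal.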
>
> LGTM. Thanks!
Thanks, it also works fine in all my tests and there was no other
negative feedback.
Added your acked-by and pushing to the repo now ...
> --
> Jamie Strandboge | http://www.canonical.com
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd