[PATCH 3/8] apparmor: allow virt-aa-helper nameservices

Jamie Strandboge jamie at canonical.com
Mon Aug 3 15:05:15 UTC 2020


On Mon, 03 Aug 2020, Christian Ehrhardt wrote:

> For quite a while libvirt-aa-helper has been triggering nss-related apparmor
> denials like:
>  operation="open" profile="virt-aa-helper" name="/etc/nsswitch.conf"
>  operation="open" profile="virt-aa-helper" name="/etc/host.conf"
>  operation="open" profile="virt-aa-helper" name="/etc/resolv.conf"
>  operation="open" profile="virt-aa-helper" name="/etc/hosts"
> 
> Rules to allow these have been in Debian [1] / Ubuntu [2] for quite a
> while but do not seem to be specific to those distributions.
> 
> There can be many more reasons than one would think to inadvertently
> use/trigger nameservices, as can be seen in the comments in
> profiles/apparmor.d/abstractions/nameservice at [3].
> The nameservice abstraction provides a nice and upgrade-safe
> way to cover all of them.
> 
> [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882979
> [2]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674
> [3]: https://gitlab.com/apparmor/apparmor
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> ---
>  src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> index dd18c8ab89..dfc61e8de4 100644
> --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> @@ -2,6 +2,7 @@
>  
>  profile virt-aa-helper @libexecdir@/virt-aa-helper {
>    #include <abstractions/base>
> +  #include <abstractions/nameservice>
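Review bot: the include widens the profile well beyond the four read denials the commit message cites (/etc/nsswitch.conf, /etc/host.conf, /etc/resolv.conf, /etc/hosts); `abstractions/nameservice` carries network rules and further file access on top of those reads, and nothing in the message shows virt-aa-helper needs any of that. Either replace the include with the explicit rules the log asks for, e.g. `/etc/nsswitch.conf r,` and `/etc/hosts r,` (or `deny` rules if the reads are only a library probe the helper works without), or state in the commit message which name-resolution path virt-aa-helper actually exercises so the broader abstraction is justified. Minor: the subject and message say "nameservices" while the abstraction included here is `nameservice`.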

nameservice brings in network rules, so this is actually a lot of access.
Why is it reaching out to nss? Is it just because some library happens to
look at /etc/nsswitch.conf and pull in other things, or does it actually
need networking? I suspect the former. If my suspicion is true, perhaps
instead:

  # virt-aa-helper dependent libraries read (and if successful, other
  # files) but virt-aa-helper itself doesn't require the access, so
  # silence the denial.
  deny /etc/nsswitch.conf r,

-- 
Jamie Strandboge             | http://www.canonical.com
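An added example for the question raised in the reply above (library probe, or real network use?); this is not code from the patch, from libvirt or from the AppArmor project. The script parses AppArmor audit records, merges file denials into the narrowest explicit rules per path (or into `deny` rules that only silence the log, as suggested above), and proposes `network` rules only when the log shows the profile was actually refused a socket. The log lines are constructed: they mirror the four virt-aa-helper denials quoted in the commit message, and the `example-resolver` profile is hypothetical, added to show what a denial that genuinely needs network rules looks like.

```python
"""Turn AppArmor audit denials into narrow, explicit profile rules.

Added example for the review thread; not code from the patch, libvirt
or AppArmor.  SAMPLE_LOG is constructed input in the shape the AppArmor
LSM writes; the "example-resolver" profile is hypothetical.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
type=AVC msg=audit(1596466800.123:456): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/nsswitch.conf" pid=1234 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1596466800.124:457): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/host.conf" pid=1234 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1596466800.125:458): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/resolv.conf" pid=1234 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1596466800.126:459): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/hosts" pid=1234 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1596466800.127:460): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/hosts" pid=1235 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1596466800.128:461): apparmor="ALLOWED" operation="open" profile="libvirtd" name="/etc/hosts" pid=1300 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1596466800.130:462): apparmor="DENIED" operation="create" profile="example-resolver" pid=1400 comm="resolver" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
"""

# key="quoted value" or key=bareword, as the AppArmor LSM writes them.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Order in which permission letters are emitted in a generated rule.
_MASK_ORDER = "mrwalkix"


def parse_audit(text):
    """Return one dict of fields per AppArmor AVC record; skip other lines."""
    events = []
    for line in text.splitlines():
        if 'apparmor="' not in line:
            continue
        events.append({k: v.strip('"') for k, v in _FIELD.findall(line)})
    return events


def denials_for(events, profile):
    """Records AppArmor rejected for this profile (complain-mode ALLOWED
    records are not denials and are left out)."""
    return [e for e in events
            if e.get("apparmor") == "DENIED" and e.get("profile") == profile]


def file_rules(events, profile, deny=False):
    """One rule per denied path carrying the union of the denied masks.

    deny=True emits `deny` rules: they silence the log without granting
    the access, the option for a library probe the program lives without.
    """
    masks = defaultdict(set)
    for e in denials_for(events, profile):
        if "name" in e and e.get("denied_mask"):
            masks[e["name"]].update(e["denied_mask"])
    rules = []
    for path in sorted(masks):
        mask = "".join(c for c in _MASK_ORDER if c in masks[path])
        rules.append(("deny " if deny else "") + f"{path} {mask},")
    return rules


def network_rules(events, profile):
    """Socket denials carry family/sock_type; map them to network rules."""
    seen = set()
    for e in denials_for(events, profile):
        if "family" in e and "sock_type" in e:
            seen.add(f"network {e['family']} {e['sock_type']},")
    return sorted(seen)


def needs_network(events, profile):
    """True only if the log shows the profile was refused a socket."""
    return bool(network_rules(events, profile))


def suggest(events, profile):
    """Profile fragment: narrow file rules, plus network rules only when
    the log proves the profile needs them."""
    lines = [f"  # generated from audit denials for profile {profile}"]
    lines += ["  " + r for r in file_rules(events, profile)]
    lines += ["  " + r for r in network_rules(events, profile)]
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_LOG)
    for prof in ("virt-aa-helper", "example-resolver"):
        print(suggest(evs, prof))
        print("silence-only variant:", file_rules(evs, prof, deny=True))
```

For the constructed virt-aa-helper records the script yields the four `r` rules and no `network` line, while `example-resolver` gets `network inet stream,` because it was refused a socket. An AppArmor `deny` rule takes precedence over an allow rule for the same access in the profile, so the silence-only variant stays effective even next to an abstraction include. The generated lines are a starting point for the question the reply puts, whether the program works without the access, not an answer to it.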




More information about the libvir-list mailing list