[PATCH 7/8] apparmor: allow virt-aa-helper to read openvswitch sockets

Christian Ehrhardt christian.ehrhardt at canonical.com
Tue Aug 4 07:42:26 UTC 2020


On Mon, Aug 3, 2020 at 5:13 PM Jamie Strandboge <jamie at canonical.com> wrote:

> On Mon, 03 Aug 2020, Christian Ehrhardt wrote:
>
> > From: Serge Hallyn <serge.hallyn at ubuntu.com>
> >
> > Chardevs/sockets configured for openvswitch-dpdk use cases
> > might be probed by virt-aa-helper. Allow that access to enable
> > virt-aa-helper rendering per-guest rules for the actual qemu
> > guest accessing these sockets eventually.
> >
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> > Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
> > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> > ---
> >  src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> > index 3f204799a6..877cb04b1e 100644
> > --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> > +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> > @@ -46,6 +46,9 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
> >    @sysconfdir@/apparmor.d/libvirt/* r,
> >    @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*
> rw,
> >
> > +  # for openvswitch sockets
> > +  /{,var/}run/openvswitch/** rw,
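Review bot: the permission on the new `+` line does not match the stated intent; the subject and commit message say virt-aa-helper needs to *read* these sockets, but `/{,var/}run/openvswitch/** rw,` grants read and write on every path under the directory (and, via `**`, any subdirectory), not only on the vhost-user chardevs the message describes. If the access really is a probe, `r` would match the description; if virt-aa-helper does write to something there, the commit message should say what. A rule scoped to the socket paths that are actually opened would be tighter than a directory-wide glob, and the comment `# for openvswitch sockets` should say which socket type (vhostuser/vhostuserclient) it is for.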
>
> A bit unfortunate and unexpected. What kind of probing does
> virt-aa-helper do on these?
>

I'm so glad we do this exercise and you have the "investigative hat on" to
challenge the few bits of the series that seem odd.
I have read through virt-aa-helper again with a focus on this and at least
today's openvswitch-dpdk+libvirt should not need this anymore.

It seems this was a wild guess many years ago and added for bug 1513367 but
eventually (or just nowadays) is no longer needed.

I have set up a 20.04 based openvswitch-dpdk system and dropped the rule.
Once with vhostuserclient and once on an older system with the older
vhostuser type connection.

Things are still working, so I'm removing this rule from this series as
well as from the Ubuntu builds.


> --
> Jamie Strandboge             | http://www.canonical.com
>


-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
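The check behind "things are still working" is whether AppArmor logs any denials once the rule is gone. The script below is an added example, not code from the thread or from libvirt: it scans AppArmor audit lines for DENIED entries under /run/openvswitch or /var/run/openvswitch for a given profile, and turns each one into the narrowest file rule that would satisfy it, so you can tell whether a denial hits the virt-aa-helper profile itself or the per-guest libvirt-UUID profile it renders. The log lines, the guest UUID and the socket name are constructed for the example; the audit line layout is the one AppArmor writes to the kernel log.

```shell
#!/bin/sh
# Constructed sample audit lines (not taken from the thread). The field
# layout matches what AppArmor writes to the kernel log / journal.
SAMPLE_LOG='audit: type=1400 audit(1596524546.123:456): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/run/openvswitch/vhostuser1" pid=4321 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1596524546.124:457): apparmor="ALLOWED" operation="open" profile="virt-aa-helper" name="/etc/libvirt/qemu.conf" pid=4321 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1596524546.125:458): apparmor="DENIED" operation="open" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/run/openvswitch/vhostuser1" pid=4400 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
audit: type=1400 audit(1596524546.126:459): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/shadow" pid=4321 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Read audit lines on stdin and print "<path> <requested_mask>" for every
# DENIED entry of profile $1 whose path is under /run/openvswitch or
# /var/run/openvswitch (the same paths the dropped rule covered).
ovs_denials() {
    awk -v want="$1" '
        /apparmor="DENIED"/ {
            prof = ""; path = ""; mask = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                v = kv[2]; gsub(/"/, "", v)
                if (kv[1] == "profile") prof = v
                else if (kv[1] == "name") path = v
                else if (kv[1] == "requested_mask") mask = v
            }
            if (prof == want && path ~ /^\/(var\/)?run\/openvswitch\//)
                print path, mask
        }'
}

# Number of such denials for profile $1 (stdin: audit lines).
ovs_denial_count() {
    ovs_denials "$1" | wc -l | tr -d ' '
}

# Emit one AppArmor file rule per denial, scoped to the exact path that was
# opened and normalising the mask to the usual "r" / "w" / "rw" spelling.
ovs_suggest_rules() {
    ovs_denials "$1" | while read -r path mask; do
        perm=""
        case $mask in *r*) perm="${perm}r";; esac
        case $mask in *w*) perm="${perm}w";; esac
        printf '  %s %s,\n' "$path" "$perm"
    done
}

# Stand-alone demo: what virt-aa-helper itself would need, on the sample.
printf '%s\n' "$SAMPLE_LOG" | ovs_suggest_rules virt-aa-helper
```

On a live host, replace the sample with `journalctl -k` or `dmesg` output and run the guest through start, attach and stop before reading the result; a count of zero for the virt-aa-helper profile is the evidence that the rule can go, while denials against the libvirt-UUID profile point at the per-guest rules virt-aa-helper generates rather than at its own profile.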