[PATCH 6/8] apparmor: allow virt-aa-helper to read from tmp
Christian Ehrhardt
christian.ehrhardt at canonical.com
Tue Aug 4 06:57:57 UTC 2020
On Mon, Aug 3, 2020 at 5:11 PM Jamie Strandboge <jamie at canonical.com> wrote:
> On Mon, 03 Aug 2020, Christian Ehrhardt wrote:
>
> > From: Stefan Bader <stefan.bader at canonical.com>
> >
> > temporary directories are a common place images are placed by users
> > for any sort of quick evaluation. Allow virt-aa-helper access to tmp
> > via the existing user-tmp apparmor abstraction.
> >
> > That way if a guest definition has paths in temporary directories
> > virt-aa-helper can properly probe them e.g. for further backing files in
> > the case of qcow2.
> >
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> > ---
> > src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> > index dfc61e8de4..3f204799a6 100644
> > --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> > +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> > @@ -3,6 +3,7 @@
> > profile virt-aa-helper @libexecdir@/virt-aa-helper {
> > #include <abstractions/base>
> > #include <abstractions/nameservice>
> > + #include <abstractions/user-tmp>
>
> user-tmp allows write and all other accesses for disks are read. We have
> these rules:
>
> /**.img r,
> /**.raw r,
> /**.qcow{,2} r,
> /**.qed r,
> /**.vmdk r,
> /**.vhd r,
> /**.[iI][sS][oO] r,
> /**/disk{,.*} r,
>
> Why are these not sufficient? What was the denial that triggered the
> issue?
>
Great question to ask - this is one of the Deltas that was "just carried"
for quite some time.
But you made me analyze the background and it isn't reasonable IMHO.
It was added quite some time ago without outlining a particular reason.
The list you refer to above wasn't as long back then (~5 years ago), maybe
extending the list would have been all that was needed and instead the
user-tmp abstraction was added.
I'll drop the commit from this series as well as from Ubuntu on next merge
and check for any fallout - it is easy to be added back and most likely not
needed.
--
> Jamie Strandboge | http://www.canonical.com
>
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20200804/c80caa06/attachment-0001.htm>
More information about the libvir-list
mailing list