[PATCH] apparmor: allow to call vhost-user-gpu
Jim Fehlig
jfehlig at suse.com
Fri Feb 14 16:11:20 UTC 2020
On 2/13/20 4:32 AM, Christian Ehrhardt wrote:
> Configuring vhost-user-gpu like:
> <video>
> <driver name='vhostuser'/>
> <model type='virtio' heads='1'/>
> </video>
> Triggers an apparmor denial like:
> apparmor="DENIED" operation="exec" profile="libvirtd"
> name="/usr/lib/qemu/vhost-user-gpu" pid=888257 comm="libvirtd"
> requested_mask="x" denied_mask="x" fsuid=0 ouid=0
>
> This helper is provided by qemu for vhost-user-gpu and thereby being
> in the same path as qemu_bridge_helper. Due to that adding a rule allowing
> to call uses the same path list.
Does the vhost-usr-gpu helper need a profile to restrict its access, similar to
the bridge helper?
Regards,
Jim
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> ---
> src/security/apparmor/usr.sbin.libvirtd.in | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
> index b384b7213b..1e137039e9 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> @@ -86,6 +86,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
> /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
> /usr/{lib,lib64}/xen/bin/* Ux,
> /usr/lib/xen-*/bin/libxl-save-helper PUx,
> + /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
>
> # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
> # read and run an ebtables script.
>
More information about the libvir-list
mailing list