[PATCH] apparmor: allow kvm-spice compat wrapper

Jamie Strandboge jamie at canonical.com
Wed Nov 18 22:48:31 UTC 2020


On Tue, 17 Nov 2020, Neal Gompa wrote:

> On Tue, Nov 17, 2020 at 11:49 AM Christian Ehrhardt
> <christian.ehrhardt at canonical.com> wrote:
> >
> > On Mon, Nov 16, 2020 at 3:28 PM Michal Privoznik <mprivozn at redhat.com> wrote:
> > >
> > > On 11/16/20 1:26 PM, Christian Ehrhardt wrote:
> > > > 'kvm-spice' is a binary name used to call 'kvm', which actually is a wrapper
> > > > around qemu-system-x86_64 enabling kvm acceleration. This hasn't been in use
> > > > for quite a while anymore, but is required to work for compatibility, e.g.
> > > > when migrating in old guests.
> > > >
> > > > For years this was a symlink kvm-spice->kvm and therefore covered
> > > > apparmor-wise by the existing entry:
> > > >     /usr/bin/kvm rmix,
> > > > But due to a recent change [1] in qemu packaging this now is no symlink,
> > > > but a wrapper on its own and therefore needs its own entry that allows it
> > > > to be executed.
> > > >
> > > > [1]: https://salsa.debian.org/qemu-team/qemu/-/commit/9944836d3
> > > >
> > > > Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> > > > ---
> > > >   src/security/apparmor/libvirt-qemu | 1 +
> > > >   1 file changed, 1 insertion(+)
> > > >
> > >
> > > Reviewed-by: Michal Privoznik <mprivozn at redhat.com>
> >
> > Thank you Michal,
> > it also passed fine through my tests (as backport to 6.8 and 6.9).
> > We are not in any freeze, review has happened, tests LGTM - pushed to git.
> >
> 
> Hold up, why was this merged? Did anyone validate whether this would
> break the other AppArmor user (SUSE)?
> 
> Unlike SELinux, AppArmor functionality is quite fragmented between
> Ubuntu and SUSE distributions (the two major users of AppArmor), and
> there did not seem to be any indication that this AppArmor patch was
> validated with openSUSE before merging. My personal experience with
> AppArmor across the two distribution families is that it's really easy
> to make profiles that work for Ubuntu but fail on SUSE because of the
> disparity of functionality. I also don't see Jim Fehlig stepping in to
> indicate that this worked for him.
> 
> I haven't had a chance to test this myself, but I am immediately
> suspicious of a change that references a commit based on Debian
> packaging of QEMU.

Others have referred to how this list handles SUSE policies, but I'll
point out that the request was for a simple file rule that only adds
additional access. This should be no problem at all on SUSE.

Outside of this rule, the apparmor userspace understands kernel
differences and various rules, and any modern SUSE would have a new
enough parser to handle the rule syntax we use in the current
libvirt policy, so it would be parseable without issues. The typical distro
pattern for new rule syntax would be that when a distro pulled in a new
libvirt with policy syntax that the distro doesn't support, it
would be abundantly clear to the distro maintainer when the parser
failed, and the distro would either choose to upgrade apparmor or patch
out the problematic rules.

Hope this helps

-- 
Jamie Strandboge             | http://www.canonical.com
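The situation described in the quoted commit message (a symlink that was covered by the existing `/usr/bin/kvm` rule versus a standalone wrapper that needs its own rule), modelled as an added example that is not part of the patch or of this thread. The profile fragment, the symlink map and the binary list are constructed stand-ins, and the matcher implements only the small subset of AppArmor path matching needed to show why the extra rule is required:

```python
import re

# Matches one AppArmor file rule line such as "  /usr/bin/kvm rmix,".
RULE_RE = re.compile(r"^\s*(/\S+)\s+([a-zA-Z]+),\s*$")

def parse_rules(profile_text):
    """Return (path_glob, perms) pairs for every file rule in the fragment."""
    return [m.groups() for m in map(RULE_RE.match, profile_text.splitlines()) if m]

def glob_to_regex(glob):
    """AppArmor globbing: '*' stays within one path component, '**' crosses '/'."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile("^" + out + "$")

def exec_allowed(rules, path):
    """True if some rule matches the path with an exec mode (ix, px, ux, cx, ...)."""
    return any(glob_to_regex(g).match(path) and "x" in perms for g, perms in rules)

def audit(profile_text, binaries, symlinks):
    """Map each binary to whether its *resolved* path has an exec rule.

    AppArmor mediates the file the kernel actually opens, so a symlink is
    covered when its target is. `symlinks` (link -> target) is a constructed
    stand-in for os.path.realpath so the example runs without a real /usr/bin.
    """
    rules = parse_rules(profile_text)
    return {b: exec_allowed(rules, symlinks.get(b, b)) for b in binaries}

# Constructed fragment in the style of the libvirt-qemu abstraction (not the real file).
PROFILE_BEFORE = """
  /usr/bin/kvm rmix,
  /usr/bin/qemu-system-* rmix,
"""
PROFILE_AFTER = PROFILE_BEFORE + "  /usr/bin/kvm-spice rmix,\n"   # the patch's added rule

BINARIES = ["/usr/bin/kvm", "/usr/bin/kvm-spice", "/usr/bin/qemu-system-x86_64"]
OLD_LAYOUT = {"/usr/bin/kvm-spice": "/usr/bin/kvm"}  # kvm-spice used to be a symlink to kvm
NEW_LAYOUT = {}                                      # kvm-spice is now a wrapper of its own

if __name__ == "__main__":
    for label, profile, layout in [("symlink, old policy", PROFILE_BEFORE, OLD_LAYOUT),
                                   ("wrapper, old policy", PROFILE_BEFORE, NEW_LAYOUT),
                                   ("wrapper, patched policy", PROFILE_AFTER, NEW_LAYOUT)]:
        print(label, audit(profile, BINARIES, layout))
```

The middle case is the breakage the patch fixes: once kvm-spice is a real file, no rule matches its resolved path until the new line is added.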