[PATCH 1/1] virt-aa-helper: allow hard links for mounts

Christian Schoenebeck qemu_oss at crudebyte.com
Mon Oct 26 12:57:25 UTC 2020


On Monday, 26 October 2020 09:12:38 CET Michal Privoznik wrote:
> On 10/23/20 4:19 PM, Christian Schoenebeck wrote:
> > On Thursday, 22 October 2020 19:07:33 CEST Michal Privoznik wrote:
> >> [Please don't CC random people on patches until asked to, we are all
> >> subscribed to the list]
> > 
> > Got it, I'll refrain from CCing on libvirt in future.
> > 
> > Not as erratic as it looks like though: I CCed people who touched this
> > specific AppArmor permission before, plus the virtiofs maintainers.
> 
> Yeah, I understand that. BTW: it's okay to CC people when replying :-)
> 
> >> On 10/22/20 4:58 PM, Christian Schoenebeck wrote:
> >>> Guests should be allowed to create hard links on mounted paths, since
> >>> many applications rely on this functionality and would error on guest
> >>> with current "rw" AppArmor permission with 9pfs.
> >>> 
> >>> Signed-off-by: Christian Schoenebeck <qemu_oss at crudebyte.com>
> >>> ---
> >>> 
> >>>    src/security/virt-aa-helper.c | 2 +-
> >>>    1 file changed, 1 insertion(+), 1 deletion(-)
> >>> 
> >>> diff --git a/src/security/virt-aa-helper.c
> >>> b/src/security/virt-aa-helper.c
> >>> index 12429278fb..5a6f4a5f7d 100644
> >>> --- a/src/security/virt-aa-helper.c
> >>> +++ b/src/security/virt-aa-helper.c
> >>> @@ -1142,7 +1142,7 @@ get_files(vahControl * ctl)
> >>> 
> >>>                /* We don't need to add deny rw rules for readonly
> >>>                mounts,
> >>>                
> >>>                 * this can only lead to troubles when mounting /
> >>>                 readonly.
> >>>                 */
> >>> 
> >>> -            if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" :
> >>> "rw", true) != 0) +            if (vah_add_path(&buf, fs->src->path,
> >>> fs->readonly ? "R" : "rwl", true) != 0)>
> >>> 
> >>>                    goto cleanup;
> >>>            
> >>>            }
> >>>        
> >>>        }
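
Review bot: in get_files(), the non-readonly branch of the vah_add_path() call now passes "rwl", yet the comment directly above still only discusses deny rules for readonly mounts and nothing at the call site records why link permission is granted. A short comment there, for example that "l" lets the guest create hard links below fs->src->path, would keep the wider permission from looking accidental in a later audit of the generated profile. The commit message motivates the change with 9pfs, while the visible call selects the mode from fs->readonly alone, so it is worth stating in the message whether the added "l" is meant to apply to every writable filesystem source or only to 9pfs ones.
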
> >> 
> >> Reviewed-by: Michal Privoznik <mprivozn at redhat.com>
> >> 
> >> but I will give a day or two for other developers to chime in.
> >> 
> >> Michal
> > 
> > Yes, please wait a couple of days to see whether there are reactions.
> 
> Okay, so nobody objected and we can expect the freeze of upstream today,
> so I am pushing this.

Yes, makes sense. Thanks Michal!

Best regards,
Christian Schoenebeck




