[PATCH V2 3/4] Apparmor: Allow reading libnl's classid file

Jim Fehlig jfehlig at suse.com
Thu Jun 24 22:51:19 UTC 2021


On 6/23/21 11:43 PM, Christian Ehrhardt wrote:
> On Wed, Jun 23, 2021 at 1:28 AM Jim Fehlig <jfehlig at suse.com> wrote:
>>
>> I noticed the following denial messages from apparmor in audit.log when
>> starting confined VMs via the QEMU driver
>>
>> type=AVC msg=audit(1623864006.370:837): apparmor="DENIED" operation="open" \
>> profile="virt-aa-helper" name="/etc/libnl/classid" pid=11265 \
>> comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>>
>> type=AVC msg=audit(1623864006.582:849): apparmor="DENIED" operation="open" \
>> profile="libvirt-0ca2720d-6cff-48bb-86c2-61ab9a79b6e9" \
>> name="/etc/libnl/classid" pid=11270 comm="qemu-system-x86" \
>> requested_mask="r" denied_mask="r" fsuid=107 ouid=0
>>
>> It is possible for site admins to assign names to classids in this file,
>> which are then used by all libnl tools, possibly those used by libvirt.
>> To be on the safe side, allow read access to the file in the virt-aa-helper
>> profile and the libvirt-qemu abstraction.
>>
>> Signed-off-by: Jim Fehlig <jfehlig at suse.com>
> 
> While this particular rule would be covered in
> abstractions/nameservice that would allow much more.

Christian B. mentioned that in V1, and also discouraged its use for the single file.

> I agree if we really only need libnl and nothing else then
> adapting/adding the existing rule should be better.
> 
> Reviewed-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>

Thanks! I've pushed 3 and 4, and after making a few more tweaks sent a V3 of the 
others.

Regards,
Jim
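As an added example (not code from the patch or from libvirt), a small Python triage script that parses AppArmor AVC denial records like the two quoted in the patch description and turns them into the file rules each profile is missing. It assumes the constructed sample log embedded in the block, and it maps per-VM `libvirt-<uuid>` profiles onto the shared libvirt-qemu abstraction, which is where the patch places the fix.

```python
import re
from collections import defaultdict

# Constructed sample log: the two denials quoted in the thread (re-joined onto
# one line each, as in audit.log) plus one non-denial record to be filtered out.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1623864006.370:837): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=11265 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1623864006.582:849): apparmor="DENIED" operation="open" profile="libvirt-0ca2720d-6cff-48bb-86c2-61ab9a79b6e9" name="/etc/libnl/classid" pid=11270 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
type=AVC msg=audit(1623864006.600:850): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="virt-aa-helper" pid=11000 comm="apparmor_parser"
"""

# audit records are key=value pairs; values are either double-quoted or bare
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# per-VM profiles generated by virt-aa-helper are named libvirt-<domain uuid>
_VM_PROFILE = re.compile(r"^libvirt-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def parse_audit_line(line):
    """Return one audit record as a dict of its key/value fields."""
    return {k: (q if q else b) for k, q, b in _KV.findall(line)}


def apparmor_denials(text):
    """Yield parsed AVC records where AppArmor denied a file access."""
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if (rec.get("type") == "AVC" and rec.get("apparmor") == "DENIED"
                and "name" in rec and "denied_mask" in rec):
            yield rec


def rule_target(profile):
    """Where a fix belongs: every libvirt-<uuid> profile includes the
    libvirt-qemu abstraction, so a denial there is fixed in the abstraction."""
    return "abstractions/libvirt-qemu" if _VM_PROFILE.match(profile) else profile


def missing_rules(text):
    """Map each profile/abstraction to the file rules its denials call for.
    Mask letters for the same path are merged and emitted in sorted order."""
    wanted = defaultdict(lambda: defaultdict(set))
    for rec in apparmor_denials(text):
        wanted[rule_target(rec["profile"])][rec["name"]].update(rec["denied_mask"])
    return {target: sorted(f"{path} {''.join(sorted(m))},"
                           for path, m in paths.items())
            for target, paths in wanted.items()}


if __name__ == "__main__":
    for target, rules in missing_rules(SAMPLE_AUDIT_LOG).items():
        print(f"{target}:")
        for rule in rules:
            print(f"  {rule}")
```

Run against a real audit.log, the output is a starting point for review, not something to paste into a profile blindly: each suggested rule still has to be judged against what the confined program legitimately needs.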
