[libvirt PATCH v2 1/3] scripts: Check spelling

Andrea Bolognani abologna at redhat.com
Tue Jan 11 09:58:49 UTC 2022


On Mon, Jan 10, 2022 at 03:58:55PM -0700, Jim Fehlig wrote:
> On 1/10/22 11:21, Andrea Bolognani wrote:
> > On Mon, Jan 10, 2022 at 04:41:25PM +0100, Tim Wiederhake wrote:
> > > +    ("/src/security/apparmor/libvirt-lxc", "devic"),
> >
> > Looking at the context where this appears:
> >
> >    deny /sys/d[^e]*{,/**} wklx,
> >    deny /sys/de[^v]*{,/**} wklx,
> >    deny /sys/dev[^i]*{,/**} wklx,
> >    deny /sys/devi[^c]*{,/**} wklx,
> >    deny /sys/devic[^e]*{,/**} wklx,
> >    deny /sys/device[^s]*{,/**} wklx,
> >    deny /sys/devices/[^v]*{,/**} wklx,
> >    deny /sys/devices/v[^i]*{,/**} wklx,
> >    deny /sys/devices/vi[^r]*{,/**} wklx,
> >    deny /sys/devices/vir[^t]*{,/**} wklx,
> >    deny /sys/devices/virt[^u]*{,/**} wklx,
> >    deny /sys/devices/virtu[^a]*{,/**} wklx,
> >    deny /sys/devices/virtua[^l]*{,/**} wklx,
> >    deny /sys/devices/virtual/[^n]*{,/**} wklx,
> >    deny /sys/devices/virtual/n[^e]*{,/**} wklx,
> >    deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
> >    deny /sys/devices/virtual/net?*{,/**} wklx,
> >    deny /sys/devices/virtual?*{,/**} wklx,
> >    deny /sys/devices?*{,/**} wklx,
> >
> > I mean, I don't speak AppArmor but this can't be right, can it? :D
>
> It's valid apparmor. At least the apparmor parser doesn't complain :-). ISTM
> the last rule should cover the others.

I was not really suggesting that it was not a valid configuration,
it's just that looking at it immediately triggered a "that can't be
the best way to do it" reaction in me ;)

> > Jim, do you think we actually need such a slippery slope of deny
> > rules, or can we simplify things a bit?
>
> I don't know why all of these deny rules are defined in this manner.
> /sys/class, /proc/sys/kernel, and others are defined similarly. They were
> added by Cedric in commit 9265f8ab67d. Cedric, do you recall the purpose of
> defining the rules in this way?

The script that generated those rules is

  https://github.com/lxc/lxc/blob/master/config/apparmor/lxc-generate-aa-rules.py

and that's apparently its intended behavior. So there has to be a
reason why it's done this way, right? I just have no idea what it
could possibly be.

-- 
Andrea Bolognani / Red Hat / Virtualization
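The shape of that ladder, as an added example (my reconstruction, not lxc-generate-aa-rules.py and not libvirt code): since an AppArmor deny rule takes precedence over any allow rule, "deny all of /sys except /sys/devices/virtual/net" cannot be written directly, so for one allowed path under a blocked tree the generator has to deny every sibling prefix explicitly. The block and allow paths are parameters I chose; it also emits the top-level `/sys/[^d]*` rule that the quoted excerpt starts after.

```python
#!/usr/bin/env python3
"""Generate an AppArmor 'deny everything under BLOCK except ALLOW' ladder.

Assumption: this reproduces the rule shape quoted in the thread for a single
allowed path; it is an independent reconstruction, not the lxc script.
  - for each character of each path component, deny names sharing the
    prefix so far but differing at that character ([^c]);
  - for each level, deny names that extend the allowed component (net?*).
"""

SUFFIX = "{,/**} wklx,"  # rule tail as in libvirt-lxc: the path or anything below it


def deny_rules(block: str, allow: str) -> list[str]:
    """Return AppArmor deny rules covering all of `block` except `allow`."""
    block = block.rstrip("/")
    if not allow.startswith(block + "/"):
        raise ValueError(f"{allow!r} is not inside {block!r}")
    components = allow[len(block) + 1:].strip("/").split("/")

    rules = []
    prefix = block + "/"
    for comp in components:
        # Deny any name at this level that diverges from `comp` at char i.
        for i, ch in enumerate(comp):
            rules.append(f"deny {prefix}{comp[:i]}[^{ch}]*{SUFFIX}")
        prefix += comp + "/"

    # Deny names that start with the allowed component but are longer
    # ("net?*" catches "netfoo"), deepest level first as in the quoted file.
    longer = []
    path = block
    for comp in components:
        path += "/" + comp
        longer.append(f"deny {path}?*{SUFFIX}")
    rules.extend(reversed(longer))
    return rules


if __name__ == "__main__":
    for rule in deny_rules("/sys", "/sys/devices/virtual/net"):
        print(rule)
```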