Hi,

On Tue, Nov 17, 2015 at 03:14:51PM +0100, Cédric Bosdonnat wrote:
> There is no need to deny writes on a readonly mount: write still
> won't be accepted, even if the user remounts the folder as RW in
> the guest as qemu sets the 9p mount as ro.

Wouldn't a security hole in qemu possibly allow circumventing this, and
isn't this type of exploit the thing we want to guard against in the
apparmor profiles?

> This deny rule was leading to problems for example with readonly /:
> The qemu process had to write to a bunch of files in / like logs,
> sockets, etc. This deny rule was also preventing auditing of these
> denials, making it harder to debug.

So you're mapping a host directory as '/' into the guest, or what was
the exact setup?

Cheers,
 -- Guido

> ---
> src/security/virt-aa-helper.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index 5de56e5..a2d7226 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -1127,7 +1127,10 @@ get_files(vahControl * ctl)
> ctl->def->fss[i]->src) {
> virDomainFSDefPtr fs = ctl->def->fss[i];
>
> - if (vah_add_path(&buf, fs->src, fs->readonly ? "r" : "rw", true) != 0)
> + /* We don't need to add deny rw rules for readonly mounts,
> + * this can only lead to troubles when mounting / readonly.
> + */
> + if (vah_add_path(&buf, fs->src, "rw", true) != 0)
> goto cleanup;
> }
> }
> --
> 2.1.4
>
> --
> libvir-list mailing list
> libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list
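Review bot: the hunk's comment says it stops adding a deny rule, but what the code change actually does is pass an unconditional "rw" to vah_add_path for every filesystem source, so the generated AppArmor profile now permits host-side writes to fs->src even when fs->readonly is set; a write from the qemu process would no longer be stopped at the MAC layer and would rest entirely on qemu's own ro handling of the 9p mount, which is the concern raised above. If the goal is only to keep denials auditable (i.e. not to emit the deny ... w rule), keep passing `fs->readonly ? "r" : "rw"` here and change how vah_add_path (not shown in this hunk) handles readonly paths instead; if the intent really is to grant write, the comment should say so explicitly, since as written fs->readonly is no longer consulted at this call site at all.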