Re: [PATCH 2/3] virt-aa-helper: don't deny writes to readonly mounts

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,
On Tue, Nov 17, 2015 at 03:14:51PM +0100, Cédric Bosdonnat wrote:
> There is no need to deny writes on a readonly mount: write still
> won't be accepted, even if the user remounts the folder as RW in
> the guest as qemu sets the 9p mount as ro.

Wouldn't a security whole in qemu possibly allow to circumvent this and
isn't this type of exploit the thing we want to guard against in the
apparmor proiles?

> This deny rule was leading to problems for example with readonly /:
> The qemu process had to write to a bunch of files in / like logs,
> sockets, etc. This deny rule was also preventing auditing of these
> denials, making it harder to debug.

So you're mapping a host directory as '/' into the guest or what was the
exact setup? 

Cheers,
 -- Guido

> ---
>  src/security/virt-aa-helper.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index 5de56e5..a2d7226 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -1127,7 +1127,10 @@ get_files(vahControl * ctl)
>                  ctl->def->fss[i]->src) {
>              virDomainFSDefPtr fs = ctl->def->fss[i];
>  
> -            if (vah_add_path(&buf, fs->src, fs->readonly ? "r" : "rw", true) != 0)
> +            /* We don't need to add deny rw rules for readonly mounts,
> +             * this can only lead to troubles when mounting / readonly.
> +             */
> +            if (vah_add_path(&buf, fs->src, "rw", true) != 0)
>                  goto cleanup;
>          }
>      }
> -- 
> 2.1.4
> 
> --
> libvir-list mailing list
> libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list
> 

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]