Re: [PATCH 2/3] virt-aa-helper: don't deny writes to readonly mounts

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Nov 26, 2015 at 04:02:03PM +0100, Cedric Bosdonnat wrote:
> On Thu, 2015-11-26 at 15:42 +0100, Guido Günther wrote:
> > Hi,
> > On Tue, Nov 17, 2015 at 03:14:51PM +0100, Cédric Bosdonnat wrote:
> > > There is no need to deny writes on a readonly mount: write still
> > > won't be accepted, even if the user remounts the folder as RW in
> > > the guest as qemu sets the 9p mount as ro.
> > 
> > Wouldn't a security whole in qemu possibly allow to circumvent this and
> > isn't this type of exploit the thing we want to guard against in the
> > apparmor proiles?
> > 
> > > This deny rule was leading to problems for example with readonly /:
> > > The qemu process had to write to a bunch of files in / like logs,
> > > sockets, etc. This deny rule was also preventing auditing of these
> > > denials, making it harder to debug.
> > 
> > So you're mapping a host directory as '/' into the guest or what was the
> > exact setup? 
> 
> Yes, `virt-sandbox /bin/sh` will readonly mount the host / as / in the
> guest. This will result in a 'deny /** w' rule that prevents writing to
> several files. As the deny rules have precedence over the allow ones,
> this rule will be the one applied for the logs and other files we need
> to write to.

I see. Since I don't see any other nice solution mild "ACK" since I'm
not a apparmor expert.
Cheers,
 -- Guido

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]