On Thu, Nov 26, 2015 at 04:02:03PM +0100, Cedric Bosdonnat wrote:
> On Thu, 2015-11-26 at 15:42 +0100, Guido Günther wrote:
> > Hi,
> > On Tue, Nov 17, 2015 at 03:14:51PM +0100, Cédric Bosdonnat wrote:
> > > There is no need to deny writes on a readonly mount: write still
> > > won't be accepted, even if the user remounts the folder as RW in
> > > the guest as qemu sets the 9p mount as ro.
> >
> > Wouldn't a security hole in qemu possibly allow to circumvent this and
> > isn't this type of exploit the thing we want to guard against in the
> > apparmor profiles?
> >
> > > This deny rule was leading to problems for example with readonly /:
> > > The qemu process had to write to a bunch of files in / like logs,
> > > sockets, etc. This deny rule was also preventing auditing of these
> > > denials, making it harder to debug.
> >
> > So you're mapping a host directory as '/' into the guest or what was the
> > exact setup?
>
> Yes, `virt-sandbox /bin/sh` will readonly mount the host / as / in the
> guest. This will result in a 'deny /** w' rule that prevents writing to
> several files. As the deny rules have precedence over the allow ones,
> this rule will be the one applied for the logs and other files we need
> to write to.

I see. Since I don't see any other nice solution mild "ACK" since I'm not
an apparmor expert.
Cheers,
 -- Guido

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
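To make the precedence problem from the thread concrete, here is an added AppArmor profile fragment; it is constructed for this note and is not libvirt's generated qemu profile or anything from the patch. The log and socket paths are assumptions chosen for illustration. The first profile shows the generated `deny /** w,` rule shadowing the allow rules qemu needs; the second shows the same profile with the deny rule dropped, as the patch proposes.

```apparmor
# Constructed example, not libvirt's own profile. Paths are assumed.

# Before: a "deny /** w" rule emitted for a read-only 9p mount of the host "/".
# AppArmor evaluates deny rules before allow rules, so both allow lines below
# are dead: every write is rejected. A deny rule is also quiet by default,
# so the rejected writes produce no audit entry, which is why the denials
# were hard to debug.
profile example_before {
  /** r,
  deny /** w,
  /var/log/libvirt/qemu/*.log w,   # assumed log path, never reached
  /run/libvirt/qemu/*.sock w,      # assumed socket path, never reached
}

# After: the deny rule is removed. The 9p mount is read-only on the qemu side
# regardless, so guest writes to the share still fail, while the allow rules
# now take effect. Writes to any other path are still rejected by the default
# deny, and those rejections are logged, so they can be audited.
profile example_after {
  /** r,
  /var/log/libvirt/qemu/*.log w,   # assumed log path
  /run/libvirt/qemu/*.sock w,      # assumed socket path
}
```

The point of the comparison is that an explicit `deny` is not a no-op even when the underlying mount already refuses writes: it silently overrides any allow rule that matches the same path, so it should only be emitted where the profile has no legitimate writes in that subtree.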