On Mon, May 15, 2017 at 03:23:18PM +0200, Stefan Bader wrote: > From: Serge Hallyn <serge.hallyn@xxxxxxxxxx> > > Add fowner and fsetid to libvirt-qemu profile and add link > to 9p file options in virt-aa-helper. > > Bug-Ubuntu: https://bugs.launchpad.net/bugs/1378434 > > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> > Signed-off-by: Stefan Bader <stefan.bader@xxxxxxxxxxxxx> > --- > examples/apparmor/libvirt-qemu | 4 ++++ > src/security/virt-aa-helper.c | 2 +- > 2 files changed, 5 insertions(+), 1 deletion(-) > > diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu > index 89466c9..f04ce04 100644 > --- a/examples/apparmor/libvirt-qemu > +++ b/examples/apparmor/libvirt-qemu > @@ -13,6 +13,10 @@ > capability setgid, > capability setuid, > > + # for 9p > + capability fsetid, > + capability fowner, > + > network inet stream, > network inet6 stream, I would put this into a separate patch. > > diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c > index a2d5c21..667241b 100644 > --- a/src/security/virt-aa-helper.c > +++ b/src/security/virt-aa-helper.c > @@ -1108,7 +1108,7 @@ get_files(vahControl * ctl) > /* We don't need to add deny rw rules for readonly mounts, > * this can only lead to troubles when mounting / readonly. > */ > - if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rw", true) != 0) > + if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rwl", true) != 0) Given the recent QEMU 9pfs CVS that allowed to access paths outside src.path I would feel better if the rule produces s.th. like link subset src.path/** -> src.path/**, instead of allowing links to /**. Cheers, -- Guido > goto cleanup; > } > } > -- > 2.7.4 > -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
