Hi there! Has that one landed in abyssal depths of the mailing list? -- Cedric
On Mon, 2017-12-11 at 16:23 +0100, Cédric Bosdonnat wrote:
> virt-aa-helper needs read access to the disk image to resolve symlinks
> and add the proper rules to the profile. Its profile whitelists a few
> common paths, but users can place their images anywhere.
>
> This commit helps users allowing access to their images by adding their
> own rules in apparmor.d/local/usr.lib.libvirt.virt-aa-helper.
>
> This commit also adds rules to allow reading files named:
> - *.raw as this is a rather common disk image extension
> - /run/libvirt/**[vd]d[a-z] as these are used by virt-sandbox
> ---
> examples/Makefile.am | 24 ++++++++++++++++++++++--
> examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++++
> 2 files changed, 26 insertions(+), 2 deletions(-)
>
> diff --git a/examples/Makefile.am b/examples/Makefile.am
> index ef2f79db3..8a1d6919a 100644
> --- a/examples/Makefile.am
> +++ b/examples/Makefile.am
> @@ -67,6 +67,9 @@ admin_client_info_SOURCES = admin/client_info.c
> admin_client_close_SOURCES = admin/client_close.c
> admin_logging_SOURCES = admin/logging.c
>
> +INSTALL_DATA_LOCAL =
> +UNINSTALL_LOCAL =
> +
> if WITH_APPARMOR_PROFILES
> apparmordir = $(sysconfdir)/apparmor.d/
> apparmor_DATA = \
> @@ -85,20 +88,37 @@ templates_DATA = \
> apparmor/TEMPLATE.qemu \
> apparmor/TEMPLATE.lxc \
> $(NULL)
> +
> +APPARMOR_LOCAL_DIR = "$(DESTDIR)$(apparmordir)/local"
> +install-apparmor-local:
> + $(MKDIR_P) "$(APPARMOR_LOCAL_DIR)"
> + echo "# Site-specific additions and overrides for \
> + 'usr.lib.libvirt.virt-aa-helper'" \
> + >$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper
> +
> +INSTALL_DATA_LOCAL += install-apparmor-local
> +UNINSTALL_LOCAL += uninstall-apparmor-local
> endif WITH_APPARMOR_PROFILES
>
> if WITH_NWFILTER
> NWFILTER_DIR = "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter"
>
> -install-data-local:
> +install-nwfilter-local:
> $(MKDIR_P) "$(NWFILTER_DIR)"
> for f in $(FILTERS); do \
> $(INSTALL_DATA) $$f "$(NWFILTER_DIR)"; \
> done
>
> -uninstall-local::
> +uninstall-nwfilter-local::
> for f in $(FILTERS); do \
> rm -f "$(NWFILTER_DIR)/`basename $$f`"; \
> done
> -test -z "$(shell ls $(NWFILTER_DIR))" || rmdir $(NWFILTER_DIR)
> +
> +INSTALL_DATA_LOCAL += install-nwfilter-local
> +UNINSTALL_LOCAL += uninstall-nwfilter-local
> endif WITH_NWFILTER
> +
> +install-data-local: $(INSTALL_DATA_LOCAL)
> +
> +uninstall-local: $(UNINSTALL_LOCAL)
> diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> index bd6181d00..f3069d369 100644
> --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> +++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> @@ -3,6 +3,7 @@
>
> profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
> #include <abstractions/base>
> + #include <local/usr.lib.libvirt.virt-aa-helper>
>
> # needed for searching directories
> capability dac_override,
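Review bot: `UNINSTALL_LOCAL += uninstall-apparmor-local` names a target that this patch never defines, so once `uninstall-local: $(UNINSTALL_LOCAL)` is in place, `make uninstall` with WITH_APPARMOR_PROFILES will stop with "No rule to make target 'uninstall-apparmor-local'". The `install-apparmor-local` recipe also rewrites `local/usr.lib.libvirt.virt-aa-helper` unconditionally with `>`, which discards the very site-specific rules the commit message says administrators should keep there on every reinstall; writing the stub only when the file is absent matches how a local/ override file is meant to be treated. The rewrite below keeps the patch's quoting style; whether uninstall should delete an admin-edited file at all is a packaging decision, but the target must at least exist. The `-test -z …` line is a context line whose leading `-` is make's ignore-errors prefix, not a deletion, so nothing changes there.
```make
install-apparmor-local:
	$(MKDIR_P) "$(APPARMOR_LOCAL_DIR)"
	test -e "$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper" || \
	  echo "# Site-specific additions and overrides for 'usr.lib.libvirt.virt-aa-helper'" \
	    >"$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper"

uninstall-apparmor-local:
	rm -f "$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper"
# … unchanged: INSTALL_DATA_LOCAL / UNINSTALL_LOCAL appends, endif …
```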
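Review bot: `#include <local/usr.lib.libvirt.virt-aa-helper>` makes the profile fail to parse whenever that local file is missing, and a profile that fails to load leaves virt-aa-helper running unconfined rather than with a stricter policy, so the failure mode is silent and fail-open. The file is only created by the new `install-apparmor-local` rule, so any install path that copies the profile from examples/ without running that hook (distribution packaging, manual copies) would hit this. Either guarantee the stub ships with the profile, or, if the minimum supported AppArmor version has it, use the conditional form `#include if exists <local/usr.lib.libvirt.virt-aa-helper>`. The `profile virt-aa-helper … {` block continues beyond the hunk.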
> @@ -50,8 +51,11 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
> /var/lib/libvirt/images/ r,
> /var/lib/libvirt/images/** r,
> /{media,mnt,opt,srv}/** r,
> + # For virt-sandbox
> + /run/libvirt/**/[sv]d[a-z] r
>
> /**.img r,
> + /**.raw r,
> /**.qcow{,2} r,
> /**.qed r,
> /**.vmdk r,
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
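Review bot: The added rule `/run/libvirt/**/[sv]d[a-z] r` has no terminating comma, at least as quoted here, so apparmor_parser will reject the whole profile and virt-aa-helper ends up unconfined; every neighbouring rule ends in `,` and this one should read `/run/libvirt/**/[sv]d[a-z] r,`. The commit message describes the pattern as `/run/libvirt/**[vd]d[a-z]`, which does not match the `[sv]d` glob in the rule; one of the two is presumably a typo and should be aligned. The enclosing `profile virt-aa-helper … {` block starts and ends outside the hunk.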