The samba feature of qemu will place the samba config file in /tmp/qemu-smb.<PID>. But at least it has a predictable path identifying the qemu-smb feature itself by an infix in the path. This is a compromise of security and usability, as the "owner" restriction will not protect guests among each other. Therefore the rule added makes the feature usable, but does not allow cross-guest protection. The core issue is that it is currently impossible to predict the PID which would follow "qemu-smb-", but long term, once the samba feature would be exposed in guest XML, we'd prefer a virt-aa-helper based solution that can render the samba rule on demand and with a custom PID into the per-guest profile. But the same is true for manual user overrides for this feature as well: they can neither predict the PID, nor have a local include per guest. Thereby punting this to the user to add the rule later will not make it safer, but only less usable. Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> --- examples/apparmor/libvirt-qemu | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 6971d3db03..350b13b824 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -191,6 +191,11 @@ # want more unique paths per rule. /{,var/}tmp/ r, owner /{,var/}tmp/**/ r, + # allow qemu smb feature specific path with write access + # TODO: This is a compromise between security and usability - once e.g. samba + # would be expressed in libvirt XML it should be added on demand via + # virt-aa-helper instead. + owner /tmp/qemu-smb.*/{,**} rw, # for file-posix getting limits since 9103f1ce /sys/devices/**/block/*/queue/max_segments r, -- 2.17.1
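Review bot: the glob in `owner /tmp/qemu-smb.*/{,**} rw,` is wider than the PID suffix the commit message describes: `*` accepts any characters after `qemu-smb.`, not just digits, so the rule also covers names such as `/tmp/qemu-smb.foo/`. Since the path is always `/tmp/qemu-smb.<PID>`, narrowing it to `owner /tmp/qemu-smb.[0-9]*/{,**} rw,` keeps the feature working while granting nothing beyond what qemu actually creates; as written, `owner` is the only limit, and the message already concedes that guests sharing the same uid are not separated from each other by it. Two smaller points: the commit message says the PID follows "qemu-smb-" while both the message's first line and the rule use "qemu-smb." (a dot), and the rule deliberately uses a bare `/tmp/` rather than the `/{,var/}tmp/` form of the two context lines above it, which is fine for a hard-coded qemu path but is worth a word in the TODO comment so the asymmetry is not "fixed" later. Finally, the hunk only grants file access to the config directory; making the feature usable also depends on qemu being allowed to start the samba daemon, which is not part of this hunk, so please confirm an existing rule covers that or the feature will still fail under the profile.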