So far we were detecting at guest start if any devices needed vhost net and only if that was true added a rule for /dev/vhost-net. It turns out that it is an absolutely valid case to start a guest without any vhost-net networking but later on wanting to hotplug such a device which then would be denied by apparmor. Unfortunately there also is no security labeling callback involved other than the one to /dev/net/tun. But on the other hand vhost-net is no more new and considered rather safe. Therefore drop the old detection and just add it as a static rule. Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1815910 Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> --- src/security/apparmor/libvirt-qemu | 1 + src/security/virt-aa-helper.c | 17 +---------------- 2 files changed, 2 insertions(+), 16 deletions(-) diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu index eaa5167525..a71f34c175 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -21,6 +21,7 @@ signal (receive) peer=/usr/sbin/libvirtd, /dev/net/tun rw, + /dev/vhost-net rw, /dev/kvm rw, /dev/ptmx rw, /dev/kqemu rw, diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 8e22e9978a..ebc4feac77 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -937,7 +937,7 @@ get_files(vahControl * ctl) size_t i; char *uuid; char uuidstr[VIR_UUID_STRING_BUFLEN]; - bool needsVfio = false, needsvhost = false; + bool needsVfio = false; /* verify uuid is same as what we were given on the command line */ virUUIDFormat(ctl->def->uuid, uuidstr); 
@@ -1248,21 +1248,6 @@ get_files(vahControl * ctl) } } - if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) { - for (i = 0; i < ctl->def->nnets; i++) { - virDomainNetDefPtr net = ctl->def->nets[i]; - if (net && net->model) { - if (net->driver.virtio.name == VIR_DOMAIN_NET_BACKEND_TYPE_QEMU) - continue; - if (!virDomainNetIsVirtioModel(net)) - continue; - } - needsvhost = true; - } - } - if (needsvhost) - virBufferAddLit(&buf, " \"/dev/vhost-net\" rw,\n"); - if (needsVfio) { virBufferAddLit(&buf, " \"/dev/vfio/vfio\" rw,\n"); virBufferAddLit(&buf, " \"/dev/vfio/[0-9]*\" rw,\n"); -- 2.17.1
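Review bot: the new `/dev/vhost-net rw,` line in the `libvirt-qemu` abstraction applies to every confined QEMU process, not only to the KVM guests with virtio-model network devices that the removed detection covered, so the commit message should state plainly that TCG guests and guests with no virtio network device at all now get access to the vhost-net device by design. Placing it directly under `/dev/net/tun rw,` is right, since the two devices are used together, and the message's trade-off (hotplug breakage versus a device it calls "rather safe") is reasonable, but the widening of the default surface deserves an explicit sentence rather than being implied by "just add it as a static rule".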
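Review bot: the removed block was the only place the rule was gated on `ctl->def->virtType == VIR_DOMAIN_VIRT_KVM` and skipped nets whose driver is `VIR_DOMAIN_NET_BACKEND_TYPE_QEMU` or whose model is not virtio; after this hunk the per-guest profile no longer expresses that distinction at all, which is consistent with the unconditional rule in the abstraction but should be called out in the commit message as an intentional loss of granularity rather than just "drop the old detection". Please also confirm that `i` (still declared as `size_t i;` in the first `get_files()` hunk) has another user in the function, because the removed `for (i = 0; i < ctl->def->nnets; i++)` loop may have been its last, which would leave an unused-variable warning.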