Re: [PATCH 1/2] security: aa-helper: nvidia rules for gl devices

On Tue, 05 Mar 2019, Christian Ehrhardt wrote:

> Further testing with different devices showed that we need more rules
> to drive gl backends with nvidia cards. Related denies look like:
> 
> apparmor="DENIED" operation="open"
>   name="/usr/share/egl/egl_external_platform.d/"
>   requested_mask="r"
> apparmor="DENIED" operation="open"
>   name="/proc/modules"
>   requested_mask="r"
> apparmor="DENIED" operation="open"
>   name="/proc/driver/nvidia/params"
>   requested_mask="r"
> apparmor="DENIED" operation="mknod"
>   name="/dev/nvidiactl"
>   requested_mask="c"
> 
> Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1817943
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
> ---
>  src/security/virt-aa-helper.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index e9120213ff..13b507ff69 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -1279,6 +1279,11 @@ get_files(vahControl * ctl)
>          virBufferAddLit(&buf, "  \"/usr/share/drirc.d/{,*.conf}\" r,\n");
>          virBufferAddLit(&buf, "  \"/etc/glvnd/egl_vendor.d/{,*}\" r,\n");
>          virBufferAddLit(&buf, "  \"/usr/share/glvnd/egl_vendor.d/{,*}\" r,\n");
> +        virBufferAddLit(&buf, "  \"/usr/share/egl/egl_external_platform.d/\" r,\n");
> +        virBufferAddLit(&buf, "  \"/usr/share/egl/egl_external_platform.d/*\" r,\n");
> +        virBufferAddLit(&buf, "  \"/proc/modules\" r,\n");
> +        virBufferAddLit(&buf, "  \"/proc/driver/nvidia/params\" r,\n");
> +        virBufferAddLit(&buf, "  \"/dev/nvidiactl\" rw,\n");
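Review bot: the denial quoted in the commit message for /dev/nvidiactl is operation="mknod" with requested_mask="c", but the added rule grants only `rw`, so a create of that device node would still be denied by this hunk; if that is deliberate (the node is expected to exist already and the profile does not carry 'capability mknod'), state it in the commit message so the mismatch between the log and the rule is not read as an incomplete fix. Minor: the two egl_external_platform.d lines could be collapsed into one `"/usr/share/egl/egl_external_platform.d/{,*}" r,` to match the adjacent glvnd rules.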

All the reads are fine. The 'rw' for nvidiactl is unfortunate but there isn't
anything we can do about the need for it. At least the policy doesn't have
'capability mknod' and DAC will protect against creating/removing the device
where the VMs run as non-root.

+1 to apply

-- 
Jamie Strandboge             | http://www.canonical.com

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list