On Tue, Mar 5, 2019 at 5:45 PM Jamie Strandboge <jamie@xxxxxxxxxxxxx> wrote:
>
> On Tue, 05 Mar 2019, Christian Ehrhardt wrote:
>
> > Further testing with different devices showed that we need more rules
> > to drive gl backends with nvidia cards. Related denies look like:
> >
> > apparmor="DENIED" operation="open"
> > name="/usr/share/egl/egl_external_platform.d/"
> > requested_mask="r"
> > apparmor="DENIED" operation="open"
> > name="/proc/modules"
> > requested_mask="r"
> > apparmor="DENIED" operation="open"
> > name="/proc/driver/nvidia/params"
> > requested_mask="r"
> > apparmor="DENIED" operation="mknod"
> > name="/dev/nvidiactl"
> > requested_mask="c"
> >
> > Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1817943
> >
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
> > ---
> >  src/security/virt-aa-helper.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> >
> > diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> > index e9120213ff..13b507ff69 100644
> > --- a/src/security/virt-aa-helper.c
> > +++ b/src/security/virt-aa-helper.c
> > @@ -1279,6 +1279,11 @@ get_files(vahControl * ctl) > > virBufferAddLit(&buf, " \"/usr/share/drirc.d/{,*.conf}\" r,\n"); > > virBufferAddLit(&buf, " \"/etc/glvnd/egl_vendor.d/{,*}\" r,\n"); > > virBufferAddLit(&buf, " \"/usr/share/glvnd/egl_vendor.d/{,*}\" r,\n"); > > + virBufferAddLit(&buf, " \"/usr/share/egl/egl_external_platform.d/\" r,\n"); > > + virBufferAddLit(&buf, " \"/usr/share/egl/egl_external_platform.d/*\" r,\n"); > > + virBufferAddLit(&buf, " \"/proc/modules\" r,\n"); > > + virBufferAddLit(&buf, " \"/proc/driver/nvidia/params\" r,\n"); > > + virBufferAddLit(&buf, " \"/dev/nvidiactl\" rw,\n");
> >
> All the reads are fine. The 'rw' for nvidiactl is unfortunate but there isn't
> anything we can do about the need for it. At least the policy doesn't have
> 'capability mknod' and DAC will protect against creating/removing the device
> where the VMs run as non-root.
>
> +1 to apply

Thanks, pushed with your ack

> --
> Jamie Strandboge | http://www.canonical.com

--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
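Review bot: The commit message cites a mknod denial with requested_mask="c" on /dev/nvidiactl as motivation, yet the rule added in this hunk is "/dev/nvidiactl" rw, and the profile grants no 'capability mknod' (as the review notes), so the commit message should state whether the rw rule is expected to clear that mknod denial or only covers opening an already existing node; otherwise the next person reading the log will chase the same denial again. Minor style point: the two new egl_external_platform.d lines duplicate the path where the neighbouring glvnd rules use the brace form, so a single virBufferAddLit(&buf, " \"/usr/share/egl/egl_external_platform.d/{,*}\" r,\n"); would match the surrounding style.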
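As an added example that is not part of the libvirt patch or of virt-aa-helper, the Python below does by script what the commit message and review do by hand: it turns AppArmor DENIED records like the ones quoted above into candidate profile rules in the style of the hunk, and flags the mknod case instead of granting anything for it. The sample records are constructed (profile name, pid, comm and the extra open-for-rw record on /dev/nvidiactl are made up); the mapping of requested_mask letters to rule permissions, the directory-to-{,*} heuristic and the mknod warning are this example's own assumptions about AppArmor's policy language, not something the thread states.

```python
import re

# Constructed audit records in the shape AppArmor writes to the kernel log.
# Paths, operations and masks mirror the denials quoted in the commit message;
# profile name, pid and comm are made up, as is the open-for-rw record on
# /dev/nvidiactl. The last record is an ALLOWED entry (complain mode) that is
# included only to show it is filtered out.
SAMPLE_DENIALS = [
    'apparmor="DENIED" operation="open" profile="libvirt-EXAMPLE" '
    'name="/usr/share/egl/egl_external_platform.d/" pid=4242 '
    'comm="qemu-system-x86" requested_mask="r" denied_mask="r"',
    'apparmor="DENIED" operation="open" profile="libvirt-EXAMPLE" '
    'name="/proc/modules" pid=4242 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r"',
    'apparmor="DENIED" operation="open" profile="libvirt-EXAMPLE" '
    'name="/proc/driver/nvidia/params" pid=4242 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r"',
    'apparmor="DENIED" operation="mknod" profile="libvirt-EXAMPLE" '
    'name="/dev/nvidiactl" pid=4242 comm="qemu-system-x86" '
    'requested_mask="c" denied_mask="c"',
    'apparmor="DENIED" operation="open" profile="libvirt-EXAMPLE" '
    'name="/dev/nvidiactl" pid=4242 comm="qemu-system-x86" '
    'requested_mask="rw" denied_mask="rw"',
    'apparmor="ALLOWED" operation="open" profile="libvirt-EXAMPLE" '
    'name="/tmp/example" pid=4242 comm="qemu-system-x86" requested_mask="r"',
]

# key=value pairs; values are either "quoted" or a bare token such as pid=4242.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Assumption of this example: AppArmor file rules have no separate "create"
# permission, so a "c" request is satisfied by "w". Letters outside this table
# (x, m, l, k, ...) are reported rather than guessed at.
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w"}


def parse_record(line):
    """Split one audit record into a dict, stripping quotes from values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in FIELD_RE.finditer(line)}


def denials_to_rules(lines):
    """Return (rules, warnings): candidate profile lines plus the decisions a
    human has to make, such as anything involving device-node creation."""
    perms_by_path = {}
    warnings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED" or "name" not in rec:
            continue
        path = rec["name"]
        for letter in rec.get("requested_mask", ""):
            perm = MASK_TO_PERM.get(letter)
            if perm is None:
                warnings.append(f"{path}: unhandled mask letter {letter!r} "
                                f"for operation {rec.get('operation')}")
                continue
            perms_by_path.setdefault(path, set()).add(perm)
        if rec.get("operation") == "mknod":
            # A "w" file rule lets the create request through AppArmor's file
            # mediation, but making a device node additionally needs
            # 'capability mknod', which the libvirt profile does not grant;
            # with the VM running as non-root, DAC on /dev blocks it as well.
            # Flag it for a human rather than widening the profile.
            warnings.append(f"{path}: mknod denial; not adding 'capability "
                            f"mknod', rely on the node already existing")
    rules = []
    for path in sorted(perms_by_path):
        perms = "".join(p for p in "rw" if p in perms_by_path[path])
        # A denied read on a directory is normally followed by reads of its
        # entries; emit the brace form the existing glvnd rules use.
        pattern = path + "{,*}" if path.endswith("/") else path
        rules.append(f'  "{pattern}" {perms},')
    return rules, warnings


def as_virt_aa_helper_line(rule):
    """Render a rule the way virt-aa-helper.c emits it via virBufferAddLit."""
    escaped = rule.strip().replace('"', '\\"')
    return f'virBufferAddLit(&buf, " {escaped}\\n");'


if __name__ == "__main__":
    rules, warnings = denials_to_rules(SAMPLE_DENIALS)
    print("\n".join(rules))
    print("\n".join(as_virt_aa_helper_line(r) for r in rules))
    for w in warnings:
        print("WARNING:", w)
```

Running it prints the four rules from the hunk (the egl directory collapsed into the {,*} form) plus the matching virBufferAddLit lines, and one warning for the mknod denial, which is the case the review singled out as deliberately not covered by a capability grant.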