On Thu, Jan 30, 2020 at 8:29 AM Michal Privoznik <mprivozn@xxxxxxxxxx> wrote:
> On 1/30/20 8:21 AM, Christian Ehrhardt wrote:
>> Since a3ab6d42 "apparmor: convert libvirtd profile to a named profile"
>> the detection of the subelement for qemu_bridge_helper is wrong.
>>
>> In combination with the older 123cc3e1 "apparmor: allow
>> /usr/lib/qemu/qemu-bridge-helper" it no longer detects qemu-bridge-helper
>> by its path, but instead as a proper subelement of the named profile
>> like: label=libvirtd//qemu_bridge_helper
>>
>> In the same fashion the reverse rule in the qemu_bridge_helper
>> sub-profile still uses the path and not the named profile label.
>>
>> Triggering denies like:
>> apparmor="DENIED" operation="file_inherit"
>> profile="" pid=5629 comm="qemu-bridge-hel"
>> family="unix" sock_type="stream" protocol=0 requested_mask="send receive"
>> denied_mask="send receive" addr=none peer_addr=none peer="libvirtd"
>>
>> This patch fixes the unix socket rules for the communication between
>> libvirtd and qemu-bridge-helper to match that.
>>
>> Fixes: a3ab6d42d825499af44b8f19f9299e150d9687bc
>> Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1655111
>>
>> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
>> ---
>> src/security/apparmor/usr.sbin.libvirtd | 6 +++---
>> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> Reviewed-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
>
> Michal

Thanks for the review!
Nothing else came up in discussions here and in local tests it seems to work fine as well.
Pushed to the repository

Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
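For readers who want to see what the label mismatch described in the commit message looks like in policy terms, here is an illustrative AppArmor profile fragment. It is an added sketch, not the patch to src/security/apparmor/usr.sbin.libvirtd itself; the profile header, the helper path and the `Cx` transition are assumptions about how the named profile and its sub-profile are declared, and only the shape of the two `unix` peer rules is taken from the commit message.

```apparmor
# Illustrative fragment (assumed layout, not the actual libvirt profile).
# Once libvirtd is a named profile, the label of a sub-profile is
# "libvirtd//<name>", not "/usr/sbin/libvirtd//<name>", and both ends of the
# unix socket pair must name the peer by that label or the kernel denies
# "send receive" with peer="libvirtd" as shown in the audit line above.
profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
  # ... other libvirtd rules ...

  # libvirtd side: talk to the helper running in its sub-profile.
  # Stale (path-based) form that stops matching after the named-profile change:
  #   unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
  # Corrected form using the named profile label:
  unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper),

  # The helper is confined in a child (sub-)profile of libvirtd (assumed).
  /usr/lib/qemu/qemu-bridge-helper Cx -> qemu_bridge_helper,

  profile qemu_bridge_helper {
    # ... helper rules ...

    # Helper side: the reverse rule must also address libvirtd by its
    # profile name rather than by path.
    #   unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
    unix (send, receive) type=stream addr=none peer=(label=libvirtd),
  }
}
```

After editing a profile, reload it with `apparmor_parser -r` and watch the audit log for further `operation="file_inherit"` denials with `comm="qemu-bridge-hel"`; their absence while a bridge-backed guest starts is the practical check that both peer labels now agree.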