On Fri, Mar 13, 2020 at 09:56:12AM +0100, Christian Ehrhardt wrote: > On qemu upgrades the old .so files usually are replaced. But on the other > hand since a qemu process represents a guest instance it is usually kept > around. > > That makes late addition of dynamic features e.g. 'hot-attach of a ceph > disk' fail by trying to load a new version of e.f. block-rbd.so into an > old still running qemu binary. > > Qemu adds a fallback to also load modules from a versioned directory in the > temporary /var/run path. That way qemu is providing a way for packaging > to store modules of an upgraded qemu package as needed until the next reboot. > > This change is allowing the qemu process access to these paths. > > Background: > This is a continuation of a discussion at KVM Forum 2019 eventually > becoming [1] and recently this change is queued to get into qemu properly [2]. > > [1]: https://lists.gnu.org/archive/html/qemu-devel/2019-11/msg00005.html > [2]: https://lists.nongnu.org/archive/html/qemu-devel/2020-03/msg03313.html > > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> > --- > src/security/apparmor/libvirt-qemu | 5 +++++ > 1 file changed, 5 insertions(+) Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> > > diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu > index 80986aec61..22415c9dfd 100644 > --- a/src/security/apparmor/libvirt-qemu > +++ b/src/security/apparmor/libvirt-qemu 
> @@ -164,6 +164,11 @@ > /usr/{lib,lib64}/qemu/*.so mr, > /usr/lib/@{multiarch}/qemu/*.so mr, > > + # let qemu load old shared objects after upgrades (LP: #1847361) > + /{var/,}run/qemu/*/*.so mr, > + # but explicitly deny with auditing writing to these files > + audit deny /{var/,}run/qemu/*/*.so w, > + > # swtpm > /{usr/,}bin/swtpm rmix, > /usr/{lib,lib64}/libswtpm_libtpms.so mr, > -- > 2.25.1 > > Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
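Review bot: the `audit deny /{var/,}run/qemu/*/*.so w,` line only forbids the confined qemu from writing the module files themselves, while the preceding `/{var/,}run/qemu/*/*.so mr,` line lets qemu map and execute any .so that appears under that tmpfs path; the real trust boundary is therefore the ownership and mode of /run/qemu/<version>/, so either the comment above the rule or the commit message should state that this directory is created root-owned by the packaging and is not writable by the user qemu runs as. The explicit `audit deny` is still worth keeping, since in AppArmor a deny rule wins over any broader allow added later in the profile and the audit flag gives a log entry if a write is ever attempted, which is useful for detection. A minor wording fix in the quoted commit message: "e.f. block-rbd.so" should read "e.g. block-rbd.so".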