Re: [PATCH 7/8] apparmor: allow virt-aa-helper to read openvswitch sockets

On Mon, Aug 3, 2020 at 5:13 PM Jamie Strandboge <jamie@xxxxxxxxxxxxx> wrote:
On Mon, 03 Aug 2020, Christian Ehrhardt wrote:

> From: Serge Hallyn <serge.hallyn@xxxxxxxxxx>
>
> Chardevs/sockets configured for openvswitch-dpdk use cases
> might be probed by virt-aa-helper. Allow that access to enable
> virt-aa-helper rendering per-guest rules for the actual qemu
> guest accessing these sockets eventually.
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
> Signed-off-by: Stefan Bader <stefan.bader@xxxxxxxxxxxxx>
> Signed-off-by: Serge Hallyn <serge.hallyn@xxxxxxxxxx>
> ---
>  src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> index 3f204799a6..877cb04b1e 100644
> --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> @@ -46,6 +46,9 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
>    @sysconfdir@/apparmor.d/libvirt/* r,
>    @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,

> +  # for openvswitch sockets
> +  /{,var/}run/openvswitch/** rw,
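Review bot: the added rule grants `rw` on everything under `/{,var/}run/openvswitch/**`, while the commit message only says virt-aa-helper "might probe" these sockets; either narrow the permission to what the probe actually needs (`r`, or a more specific path than `**`), or state in the commit message which virt-aa-helper code path performs the access so the breadth of `rw` can be justified.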

A bit unfortunate and unexpected. What kind of probing does
virt-aa-helper do on these?

I'm so glad we do this exercise and you have the "investigative hat on" to challenge the few bits of the series that seem odd.
I have read through virt-aa-helper again with a focus on this and at least today's openvswitch-dpdk+libvirt should not need this anymore.

It seems this was a wild guess many years ago and added for bug 1513367 but eventually (or just nowadays) is no longer needed.

I have set up a 20.04 based openvswitch-dpdk system and dropped the rule.
Once with vhostuserclient and once on an older system with the older vhostuser type connection.

Things are still working, so I'm removing this rule from this series as well as from the Ubuntu builds.
--
Jamie Strandboge             | http://www.canonical.com


--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
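Deciding whether a profile rule is still needed, as Christian does above by dropping it and retesting, is usually backed by checking the AppArmor audit log for denials the rule would have covered. The following is an added example, not code from this thread or from libvirt: it parses constructed AppArmor DENIED lines and reports which of them the discussed `/{,var/}run/openvswitch/** rw,` rule would have permitted, implementing the brace alternation and `*`/`**` globbing that AppArmor path rules use.

```python
import re

# Constructed sample audit lines (not from the thread); only the profile name
# and the openvswitch socket path are taken from the patch discussion.
SAMPLE_LOG = """\
type=AVC msg=audit(1596470000.123:456): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/run/openvswitch/vhu1" pid=1234 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1596470001.456:457): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libvirt/qemu/guest.xml" pid=1234 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1596470002.789:458): apparmor="ALLOWED" operation="open" profile="libvirt-aaaa" name="/var/run/openvswitch/vhu1" pid=2345 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs of an audit line

def parse_line(line):
    return dict(FIELD.findall(line))

def apparmor_glob_to_regex(pattern):
    """Translate the AppArmor path-glob subset used in the rule:
    {a,b} alternation, ** (anything, '/' included), * (anything but '/')."""
    out, i = "", 0
    while i < len(pattern):
        c = pattern[i]
        if c == "{":
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out += "(?:" + "|".join(re.escape(a) for a in alts) + ")"
            i = j + 1
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif c == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(c)
            i += 1
    return re.compile("^" + out + "$")

def denials_covered_by(log_text, profile, rule_path, rule_perms):
    """Return paths of DENIED entries for `profile` that `rule_path` matches
    and whose denied mask fits within `rule_perms`: the accesses the rule
    would have allowed. An empty result is evidence the rule is unneeded."""
    rx = apparmor_glob_to_regex(rule_path)
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        if rx.match(f.get("name", "")) and set(f.get("denied_mask", "")) <= set(rule_perms):
            hits.append(f["name"])
    return hits
```

Run it over the real log (`journalctl -k` or `/var/log/audit/audit.log`) after dropping the rule and exercising the vhostuser and vhostuserclient setups; denials listed here are the ones the rule was actually serving.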
