On 10/23/20 4:19 PM, Christian Schoenebeck wrote:
On Thursday, 22 October 2020 19:07:33 CEST Michal Privoznik wrote:
[Please don't CC random people on patches until asked to, we are all
subscribed to the list]
Got it, I'll refrain from CCing on libvirt in future.
Not as erratic as it looks like though: I CCed people who touched this
specific AppArmor permission before, plus the virtiofs maintainers.
Yeah, I understand that. BTW: it's okay to CC people when replying :-)
On 10/22/20 4:58 PM, Christian Schoenebeck wrote:
Guests should be allowed to create hard links on mounted paths, since
many applications rely on this functionality and would error on guest
with current "rw" AppArmor permission with 9pfs.
Signed-off-by: Christian Schoenebeck <qemu_oss@xxxxxxxxxxxxx>
---
src/security/virt-aa-helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 12429278fb..5a6f4a5f7d 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1142,7 +1142,7 @@ get_files(vahControl * ctl)
/* We don't need to add deny rw rules for readonly mounts,
* this can only lead to troubles when mounting / readonly.
*/
- if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" :
"rw", true) != 0) + if (vah_add_path(&buf, fs->src->path,
fs->readonly ? "R" : "rwl", true) != 0)>
goto cleanup;
}
}
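Review bot: In the changed vah_add_path() call, "rwl" is selected only by fs->readonly being false, so as far as these lines show the link permission is granted for every writable filesystem source that reaches this call, while the commit message motivates it with 9pfs alone. Please state that wider scope in the commit message, and extend the comment above the call, which currently explains only the readonly case, with a sentence on why "l" is added for writable mounts (guests creating hard links on the shared path).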
Reviewed-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
but I will give a day or two for other developers to chime in.
Michal
Yes, please wait a couple of days to see whether there are reactions.
Okay, so nobody objected and we can expect the freeze of upstream today,
so I am pushing this.