On Mon, Jan 10, 2022 at 03:58:55PM -0700, Jim Fehlig wrote:
> On 1/10/22 11:21, Andrea Bolognani wrote:
> > On Mon, Jan 10, 2022 at 04:41:25PM +0100, Tim Wiederhake wrote:
> > > + ("/src/security/apparmor/libvirt-lxc", "devic"),
> >
> > Looking at the context where this appears:
> >
> >   deny /sys/d[^e]*{,/**} wklx,
> >   deny /sys/de[^v]*{,/**} wklx,
> >   deny /sys/dev[^i]*{,/**} wklx,
> >   deny /sys/devi[^c]*{,/**} wklx,
> >   deny /sys/devic[^e]*{,/**} wklx,
> >   deny /sys/device[^s]*{,/**} wklx,
> >   deny /sys/devices/[^v]*{,/**} wklx,
> >   deny /sys/devices/v[^i]*{,/**} wklx,
> >   deny /sys/devices/vi[^r]*{,/**} wklx,
> >   deny /sys/devices/vir[^t]*{,/**} wklx,
> >   deny /sys/devices/virt[^u]*{,/**} wklx,
> >   deny /sys/devices/virtu[^a]*{,/**} wklx,
> >   deny /sys/devices/virtua[^l]*{,/**} wklx,
> >   deny /sys/devices/virtual/[^n]*{,/**} wklx,
> >   deny /sys/devices/virtual/n[^e]*{,/**} wklx,
> >   deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
> >   deny /sys/devices/virtual/net?*{,/**} wklx,
> >   deny /sys/devices/virtual?*{,/**} wklx,
> >   deny /sys/devices?*{,/**} wklx,
> >
> > I mean, I don't speak AppArmor but this can't be right, can it? :D
>
> It's valid apparmor. At least the apparmor parser doesn't complain :-). ISTM
> the last rule should cover the others.

I was not really suggesting that it was not a valid configuration, it's
just that looking at it immediately triggered a "that can't be the best
way to do it" reaction in me ;)

> > Jim, do you think we actually need such a slippery slope of deny
> > rules, or can we simplify things a bit?
>
> I don't know why all of these deny rules are defined in this manner.
> /sys/class, /proc/sys/kernel, and others are defined similarly. They were
> added by Cedric in commit 9265f8ab67d. Cedric, do you recall the purpose of
> defining the rules in this way?

The script that generated those rules is

  https://github.com/lxc/lxc/blob/master/config/apparmor/lxc-generate-aa-rules.py

and that's apparently its intended behavior.

So there has to be a reason why it's done this way, right? I just have
no idea what it could possibly be.

-- 
Andrea Bolognani / Red Hat / Virtualization
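The rule shape quoted in this thread comes from a constraint of AppArmor policy evaluation: deny rules take precedence over allow rules, so a blanket `deny /sys/**` cannot be carved open again with an allow rule for one subtree. The only way to deny everything under /sys except /sys/devices/virtual/net is to enumerate, character by character, every path that diverges from the allowed one, plus every longer name that merely shares a component as a prefix (the `?*` rules). The following is an added example, not code from libvirt or LXC: `generate_deny_rules()` re-implements the idea behind lxc-generate-aa-rules.py as understood from the quoted output (the real script may differ in detail), and `glob_to_regex()` is a deliberately simplified model of AppArmor path globbing, not the real parser. Because it handles a single allowed path, it also emits the `[^d]` rule that precedes the quoted excerpt. All sample paths are constructed for illustration.

```python
"""Regenerate the prefix-exclusion deny rules quoted in the thread and check
what they block.

Added example, not libvirt or LXC code. The generator re-implements the idea
behind lxc-generate-aa-rules.py as an assumption about its behaviour, and the
matcher is a simplified model of AppArmor globbing, not the real parser.
"""
import re


def generate_deny_rules(allowed, root="/sys", perms="wklx"):
    """Deny rules covering everything under `root` except `allowed`.

    AppArmor deny rules take precedence over allow rules, so `deny /sys/**`
    cannot be punched through with an allow rule for one subtree. Instead,
    deny every path that diverges from the allowed path at each character
    (the `[^x]*` rules) and every longer name that shares a whole component
    as a prefix (the `?*` rules, so /sys/devices2 is not taken for /sys/devices).
    """
    components = allowed[len(root):].strip("/").split("/")
    divergence, longer = [], []
    prefix = root.rstrip("/") + "/"
    for comp in components:
        for i, ch in enumerate(comp):
            divergence.append(f"deny {prefix}{comp[:i]}[^{ch}]*{{,/**}} {perms},")
        prefix += comp
        longer.append(f"deny {prefix}?*{{,/**}} {perms},")
        prefix += "/"
    # Same order as the quoted profile: divergence rules, then ?* rules deepest first.
    return divergence + longer[::-1]


def _translate(pattern):
    """Translate the subset of AppArmor globbing used by these rules (a model)."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):   # ** crosses directory boundaries
            out.append(".*")
            i += 2
        elif c == "*":                     # * stays within one path component
            out.append("[^/]*")
            i += 1
        elif c == "?":                     # exactly one non-slash character
            out.append("[^/]")
            i += 1
        elif c == "[":                     # character class, same syntax as regex
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j + 1
        elif c == "{":                     # alternation; alternatives may hold globs
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(_translate(a) for a in alts) + ")")
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def glob_to_regex(pattern):
    return re.compile("^" + _translate(pattern) + "$")


def is_denied(path, rules):
    """True if the pattern of any deny rule matches `path` under the model."""
    return any(glob_to_regex(rule.split()[1]).match(path) for rule in rules)


RULES = generate_deny_rules("/sys/devices/virtual/net")

# Constructed sample paths: the allowed subtree and assorted neighbours.
SAMPLE_PATHS = [
    "/sys/devices/virtual/net",          # the allowed directory itself
    "/sys/devices/virtual/net/eth0",     # inside the allowed subtree
    "/sys/devices/virtual/net/eth0/mtu",
    "/sys/devices/pci0000:00",           # sibling component: denied
    "/sys/devices/virtual/network",      # shares "net" as a prefix: denied by net?*
    "/sys/devices2/anything",            # shares "devices" as a prefix: denied by devices?*
    "/sys/kernel/debug",                 # diverges at the first character: denied
    "/sys/dev",                          # bare prefix of the allowed path: no rule matches
]


def classify(paths=SAMPLE_PATHS, rules=RULES):
    """Map each path to True (denied) or False (matched by no deny rule)."""
    return {p: is_denied(p, rules) for p in paths}


if __name__ == "__main__":
    for rule in RULES:
        print(rule)
    for path, denied in classify().items():
        print(f"{'DENY' if denied else 'pass'}  {path}")
```

The last sample path is the interesting one: a bare prefix of the allowed path such as /sys/dev is not matched by any of the generated rules, because each `[^x]*` rule requires at least one diverging character after the prefix. Under this model its children (/sys/dev/block and so on) are denied, since `[^i]` matches the slash, but the directory entry itself is not, which is worth keeping in mind when reviewing what a generated rule set actually covers.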