Re: [libvirt PATCH 1/1] apparmor: Allow umount(/dev)

On 1/18/23 03:45, Andrea Bolognani wrote:
> On Wed, Jan 18, 2023 at 11:00:33AM +0100, Michal Prívozník wrote:
>> On 1/18/23 10:43, Andrea Bolognani wrote:
>>> Commit 379c0ce4bfed introduced a call to umount(/dev) performed
>>> inside the namespace that we run QEMU in.
>>>
>>> As a result of this, on machines using AppArmor, VM startup now
>>> fails with
>>>
>>>    internal error: Process exited prior to exec: libvirt:
>>>    QEMU Driver error: failed to umount devfs on /dev: Permission denied
>>>
>>> The corresponding denial is
>>>
>>>    AVC apparmor="DENIED" operation="umount" profile="libvirtd"
>>>        name="/dev/" pid=70036 comm="rpc-libvirtd"
>>>
>>> Extend the AppArmor configuration for virtqemud and libvirtd so
>>> that this operation is allowed.
>>>
>>> Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx>
>>> ---
>>>  src/security/apparmor/usr.sbin.libvirtd.in  | 1 +
>>>  src/security/apparmor/usr.sbin.virtqemud.in | 1 +
>>>  2 files changed, 2 insertions(+)
>>
>> Reviewed-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
>>
>> For more background on why umount is needed see my reply to Jim's
>> question from earlier:
>>
>> https://listman.redhat.com/archives/libvir-list/2023-January/237149.html
>
> Welp, missed that one O:-)
>
> Jim, it looks like you came up with exactly the same solution as
> me, despite concerns about the size of the resulting hammer. Any
> other ideas, or should we just go ahead and merge this as-is?

My apparmor skills are too weak to select a smaller tool, so I'd say merge as-is. It wasn't clear to me if/why the umount of /dev was actually needed, but Michal did an excellent job of describing why it is.

Regards,
Jim
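The thread turns on reading one AppArmor audit line and deciding which profile rule satisfies it. The script below is an added example, written for this page; it is not the libvirt patch (whose added lines are not shown in the archive) nor an AppArmor project tool. It parses `apparmor="DENIED"` audit records, groups them by profile and proposes the smallest rule that would clear each denial, in the spirit of `aa-logprof`. The first log line is the one quoted in the commit message; the other three are constructed for the example. Rule syntax (`umount <mountpoint>,`, `mount -> <mountpoint>,`, `<path> <perms>,`) is standard AppArmor profile syntax; the mapping of the audit `c`/`d` mask letters onto `w` and the refusal to auto-generate exec rules are this example's own choices.

```python
"""Turn AppArmor AVC denials into candidate profile rules (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# key="quoted value"  or  key=bare_value, as written in audit/AVC records
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Operations that carry a denied_mask and map onto a plain file rule.
_FILE_OPS = {"open", "mknod", "truncate", "rename_src", "rename_dest", "link",
             "unlink", "chmod", "chown", "getattr", "setattr", "file_lock",
             "file_mmap", "exec"}

# Audit masks report create/delete separately; profile rules express both as "w".
_MASK_MAP = {"c": "w", "d": "w"}

# Sample log: line 0 is the denial quoted in the thread, lines 1-3 are constructed.
SAMPLE_LOG = [
    'AVC apparmor="DENIED" operation="umount" profile="libvirtd" name="/dev/" '
    'pid=70036 comm="rpc-libvirtd"',
    'type=AVC msg=audit(1674038000.123:4242): apparmor="DENIED" operation="umount" '
    'profile="virtqemud" name="/dev/" pid=70100 comm="rpc-virtqemud"',
    'type=AVC msg=audit(1674038001.456:4243): apparmor="DENIED" operation="open" '
    'profile="virtqemud" name="/run/libvirt/qemu/example.pid" pid=70100 '
    'comm="rpc-virtqemud" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0',
    'type=AVC msg=audit(1674038002.789:4244): apparmor="ALLOWED" operation="open" '
    'profile="virtqemud" name="/etc/libvirt/qemu.conf" pid=70100 '
    'comm="rpc-virtqemud" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]


@dataclass
class Denial:
    profile: str
    operation: str
    name: Optional[str]
    mask: Optional[str]
    comm: Optional[str]


def parse_denial(line: str) -> Optional[Denial]:
    """Return a Denial for an apparmor="DENIED" record; None for anything else."""
    fields = {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
              for m in _FIELD_RE.finditer(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return Denial(profile=fields.get("profile", "?"),
                  operation=fields.get("operation", "?"),
                  name=fields.get("name"),
                  mask=fields.get("denied_mask") or fields.get("requested_mask"),
                  comm=fields.get("comm"))


def suggest_rule(d: Denial) -> Optional[str]:
    """Smallest profile rule clearing the denial, or None if a human must decide."""
    if d.operation == "umount" and d.name:
        # umount rules name the mount point and take no access mask. Note the
        # rule is profile-wide: it permits unmounting that path from any context
        # the profile confines, not only inside the QEMU namespace (the "hammer"
        # concern raised in the thread).
        return f"umount {d.name},"
    if d.operation == "mount" and d.name:
        # Audit lines rarely carry source/fstype, so propose a destination-only rule.
        return f"mount -> {d.name},"
    if d.operation in _FILE_OPS and d.name and d.mask:
        perms = {_MASK_MAP.get(ch, ch) for ch in d.mask}
        if "x" in perms:
            return None  # exec needs an explicit ix/px/ux/cx choice, never automatic
        return f"{d.name} {''.join(ch for ch in 'rwalkm' if ch in perms)},"
    return None


def rules_for_log(lines: List[str]) -> Dict[str, List[str]]:
    """Group proposed rules by profile, de-duplicated, in first-seen order."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        d = parse_denial(line)
        rule = suggest_rule(d) if d else None
        if rule and rule not in out.setdefault(d.profile, []):
            out[d.profile].append(rule)
    return out


if __name__ == "__main__":
    for profile, rules in rules_for_log(SAMPLE_LOG).items():
        print(f"# profile {profile}")
        for rule in rules:
            print(f"  {rule}")
```

Run against `journalctl -k` or `/var/log/audit/audit.log` output instead of `SAMPLE_LOG` to get the same grouping for a live host; anything the script returns `None` for (exec transitions, capabilities, network, signals) is deliberately left for the profile author to decide.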




