Re: Re: [PATCH] apparmor: Add user session path for PID and socket files used by passt

On Tue, Jan 30, 2024 at 10:47:54AM -0800, Andrea Bolognani wrote:
> On Tue, Jan 30, 2024 at 07:15:51PM +0100, Stefano Brivio wrote:
> > Commit 7a39b04d683f ("apparmor: Enable passt support") grants
> > passt(1) read-write access to /{,var/}run/libvirt/qemu/passt/* if
> > started by the libvirt daemon. That's the path where passt creates
> > PID and socket files only if the guest is started by the root user.
> >
> > If the guest is started by another user, though, the path is more
> > commonly /var/run/user/$UID/libvirt/qemu/run/passt: add it as
> > read-write location. Otherwise, passt won't be able to start, as
> > reported by Andreas.
> >
> > While at it, replace /{,var/}run/ in the existing rule by its
> > corresponding tunable variable, @{run}.
> >
> > Reported-by: Andreas B. Mundt <andi@xxxxxxxxxx>
> > Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061678
> > Fixes: 7a39b04d683f ("apparmor: Enable passt support")
> > Signed-off-by: Stefano Brivio <sbrivio@xxxxxxxxxx>
> > ---
> >  src/security/apparmor/libvirt-qemu.in | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in
> > index f40f471891..8b92915281 100644
> > --- a/src/security/apparmor/libvirt-qemu.in
> > +++ b/src/security/apparmor/libvirt-qemu.in
> > @@ -196,7 +196,8 @@
> >      signal (receive) set=("term") peer=libvirtd,
> >      signal (receive) set=("term") peer=virtqemud,
> >
> > -    owner /{,var/}run/libvirt/qemu/passt/* rw,
> > +    owner @{run}/user/[0-9]*/libvirt/qemu/run/passt/* rw,
> > +    owner @{run}/libvirt/qemu/passt/* rw,
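Review bot: the commit message should explain why the per-user path carries an extra `run/` component (`libvirt/qemu/run/passt`) while the system-wide path does not (`libvirt/qemu/passt`); without a sentence on where passt derives each directory, the asymmetry in the two added rules reads like a typo. It is also worth noting in the message that `[0-9]*` matches any directory name under `@{run}/user/` that starts with a digit, not only the starting user's own UID, and that the `owner` qualifier is what keeps the first rule scoped to files owned by the confined process's user.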
>
> Makes sense to me, so
>
>   Reviewed-by: Andrea Bolognani <abologna@xxxxxxxxxx>
>
> I'll give Jim and others a chance to take a look before pushing.

I just realized that you sent the patch to the old mailing list
address. We've migrated somewhat recently, so that's completely
understandable :)

I've adjusted the recipient now. I don't think it's necessary for you
to post the patch again, as its contents are fully contained within
the quoted part of this message.

-- 
Andrea Bolognani / Red Hat / Virtualization