Re: [PATCH] apparmor: Add user session path for PID and socket files used by passt

[Jim Fehlig <jfehlig@xxxxxxxx>]

On 1/30/24 11:55, Andrea Bolognani wrote:
> On Tue, Jan 30, 2024 at 10:47:54AM -0800, Andrea Bolognani wrote:
> > On Tue, Jan 30, 2024 at 07:15:51PM +0100, Stefano Brivio wrote:
> > > Commit 7a39b04d683f ("apparmor: Enable passt support") grants
> > > passt(1) read-write access to /{,var/}run/libvirt/qemu/passt/* if
> > > started by the libvirt daemon. That's the path where passt creates
> > > PID and socket files only if the guest is started by the root user.
> > >
> > > If the guest is started by another user, though, the path is more
> > > commonly /var/run/user/$UID/libvirt/qemu/run/passt: add it as
> > > read-write location. Otherwise, passt won't be able to start, as
> > > reported by Andreas.
> > >
> > > While at it, replace /{,var/}run/ in the existing rule by its
> > > corresponding tunable variable, @{run}.
> > >
> > > Reported-by: Andreas B. Mundt <andi@xxxxxxxxxx>
> > > Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061678
> > > Fixes: 7a39b04d683f ("apparmor: Enable passt support")
> > > Signed-off-by: Stefano Brivio <sbrivio@xxxxxxxxxx>
> > > ---
> > >   src/security/apparmor/libvirt-qemu.in | 3 ++-
> > >   1 file changed, 2 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in
> > > index f40f471891..8b92915281 100644
> > > --- a/src/security/apparmor/libvirt-qemu.in
> > > +++ b/src/security/apparmor/libvirt-qemu.in
> > > @@ -196,7 +196,8 @@
> > >       signal (receive) set=("term") peer=libvirtd,
> > >       signal (receive) set=("term") peer=virtqemud,
> > >
> > > -    owner /{,var/}run/libvirt/qemu/passt/* rw,
> > > +    owner @{run}/user/[0-9]*/libvirt/qemu/run/passt/* rw,
> > > +    owner @{run}/libvirt/qemu/passt/* rw,
> >
> > Makes sense to me, so
> >
> >    Reviewed-by: Andrea Bolognani <abologna@xxxxxxxxxx>
> >
> > I'll give Jim and others a chance to take a look before pushing.

LGTM,

     Reviewed-by: Jim Fehlig <jfehlig@xxxxxxxx>

> I just realized that you sent the patch to the old mailing list
> address. We've migrated somewhat recently, so that's completely
> understandable :)

Thanks for noticing and adjusting the recipient!

Regards,
Jim
_______________________________________________
Devel mailing list -- devel@xxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxx