Re: [PATCH 1/2] virt-aa-helper: Avoid using RUNSTATEDIR

On Wed, Feb 26, 2025 at 01:27:19PM +0100, Michal Privoznik wrote:
> On some systems /run is mounted as:
> 
>   tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=348508k,mode=755,inode64)
> 
> and /var/run is then just a symlink:
> 
>   # ls -ld /var/run
>   lrwxrwxrwx 1 root root 4 Apr 23  2024 /var/run -> /run
> 
> But because we still think it's 2004 and FHS 2.3 is active we
> have a rule in our meson.build which constructs RUNSTATEDIR as
> the following:
> 
>   runstatedir = get_option('runstatedir')
>   if runstatedir == ''
>     runstatedir = localstatedir / 'run'
>   endif
> 
> which (if unspecified on meson setup line) results in "/var/run".
> 
> This in turn means, when we're generating an AppArmor
> profile for a domain with allowed paths it contains stuff like:
> 
>   /var/run/libvirt/qemu/swtpm/2-guest-swtpm.sock
> 
> But because of the aforementioned symlink the real path is:
> 
>   /run/libvirt/qemu/swtpm/2-guest-swtpm.sock
> 
> and thus AppArmor denies access:
> 
>   audit: type=1400 audit(1740480419.348:415): apparmor="DENIED" operation="connect" class="file" profile="libvirt-126f2720-6f8e-45ab-a886-ec9277079a67" name="/run/libvirt/qemu/swtpm/2-guest-swtpm.sock" pid=8080 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=64055
> 
> Fortunately, there's a nice trick: AppArmor profile variables. We
> already use some of them (@{PROC}, @{HOME}, @{multiarch}) and
> instead of RUNSTATEDIR we can use @{run} which is declared as:
> 
>   # cat /etc/apparmor.d/tunables/run
>   @{run}=/run/ /var/run/

But that will break if @{run} is not the same as the value
someone gives to -Drundir, where -Drundir is a real path.

It feels like the real problem here is that the paths decided in meson are
wrong for the system in question.

With -Dsystem we should just pick '/run' by default.

Without -Dsystem, distros/users should be responsible
for setting -Drundir to the right (non-symlink) path.


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
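
Added example, not part of the original thread or of libvirt's code: a Python check for the failure described in the quoted commit message, testing whether a literal profile rule path differs from the denied path only by a symlink. The function names and the temporary directory tree (with a relative `var/run -> ../run` link) are constructed for illustration.

```python
import os
import re
import tempfile

# Denial line quoted in the commit message above.
DENIAL = ('audit: type=1400 audit(1740480419.348:415): apparmor="DENIED" '
          'operation="connect" class="file" '
          'profile="libvirt-126f2720-6f8e-45ab-a886-ec9277079a67" '
          'name="/run/libvirt/qemu/swtpm/2-guest-swtpm.sock" pid=8080 '
          'comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" '
          'fsuid=64055 ouid=64055')
# Rule path the generated profile contained, per the commit message.
RULE = "/var/run/libvirt/qemu/swtpm/2-guest-swtpm.sock"


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def resolve_in_root(path, root):
    """Resolve symlinks in `path` as seen inside the tree at `root`."""
    real = os.path.realpath(os.path.join(root, path.lstrip("/")))
    return "/" + os.path.relpath(real, os.path.realpath(root))


def explain(rule, line, root="/"):
    """Classify a denial against one literal rule path from the profile."""
    name = parse_denial(line)["name"]
    if name == rule:
        return "rule matches; denial has another cause"
    if resolve_in_root(rule, root) == name:
        return "rule is written through a symlink; AppArmor saw the resolved path"
    return "unrelated path"


def make_tree():
    """Constructed filesystem: run/ is real, var/run is a symlink to it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "run/libvirt/qemu/swtpm"))
    os.mkdir(os.path.join(root, "var"))
    os.symlink("../run", os.path.join(root, "var/run"))
    return root


if __name__ == "__main__":
    print(explain(RULE, DENIAL, make_tree()))
```

On a live host, calling `explain(RULE, DENIAL)` with the default root resolves against the real filesystem, so it reports the symlink case only where `/var/run` actually links to `/run`.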


