Re: [PATCH 1/2] apparmor: Allow access to filesystem mounts

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 28.01.2014 15:04, Jamie Strandboge wrote:
> On 01/26/2014 03:47 PM, Felix Geyer wrote:
>> Make virt-aa-helper create rules to allow VMs access to filesystem
>> mounts from the host.
>
> Note that virt-aa-helper access to various parts of the filesystem is generally
> ok. However, can you be more specific about the problem you're trying to solve?
> Eg, is there a bug number?

virt-aa-helper doesn't create the appropriate rules to allow qemu access to
shared filesystem mounts:
http://libvirt.org/formatdomain.html#elementsFilesystems
This made it necessary to manually modify the libivrt-<UUID> profile.

There is a report about this on the Ubuntu bugtracker:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/943680

Regards,
Felix

>
>> ---
>>  src/security/virt-aa-helper.c | 26 ++++++++++++++++++++------
>>  1 file changed, 20 insertions(+), 6 deletions(-)
>>
>> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
>> index b9282b4..e1f7848 100644
>> --- a/src/security/virt-aa-helper.c
>> +++ b/src/security/virt-aa-helper.c
>> @@ -578,9 +578,6 @@ valid_path(const char *path, const bool readonly)
>>              return -1;
>> 
>>          switch (sb.st_mode & S_IFMT) {
>> -            case S_IFDIR:
>> -                return 1;
>> -                break;
>>              case S_IFSOCK:
>>                  return 1;
>>                  break;
>> @@ -747,7 +744,7 @@ get_definition(vahControl * ctl, const char *xmlStr)
>>  }
>> 
>>  static int
>> -vah_add_file(virBufferPtr buf, const char *path, const char *perms)
>> +vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool recursive)
>>  {
>>      char *tmp = NULL;
>>      int rc = -1;
>> @@ -788,10 +785,14 @@ vah_add_file(virBufferPtr buf, const char *path, const char *perms)
>>          goto cleanup;
>>      }
>> 
>> -    virBufferAsprintf(buf, "  \"%s\" %s,\n", tmp, perms);
>> +    virBufferAsprintf(buf, "  \"%s%s\" %s,\n", tmp, recursive ? "/**" : "", perms);
>>      if (readonly) {
>>          virBufferAddLit(buf, "  # don't audit writes to readonly files\n");
>> -        virBufferAsprintf(buf, "  deny \"%s\" w,\n", tmp);
>> +        virBufferAsprintf(buf, "  deny \"%s%s\" w,\n", tmp, recursive ? "/**" : "");
>> +    }
>> +    if (recursive) {
>> +        // allow reading (but not creating) the dir
>> +        virBufferAsprintf(buf, "  \"%s/\" r,\n", tmp);
>>      }
>> 
>>    cleanup:
>> @@ -801,6 +802,12 @@ vah_add_file(virBufferPtr buf, const char *path, const char *perms)
>>  }
>> 
>>  static int
>> +vah_add_file(virBufferPtr buf, const char *path, const char *perms)
>> +{
>> +    return vah_add_path(buf, path, perms, false);
>> +}
>> +
>> +static int
>>  vah_add_file_chardev(virBufferPtr buf,
>>                       const char *path,
>>                       const char *perms,
>> @@ -1049,6 +1056,13 @@ get_files(vahControl * ctl)
>>              } /* switch */
>>          }
>> 
>> +    for (i = 0; i < ctl->def->nfss; i++) {
>> +        virDomainFSDefPtr fs = ctl->def->fss[i];
>> +
>> +        if (vah_add_path(&buf, fs->src, fs->readonly ? "r" : "rw", true) != 0)
>> +            goto cleanup;
>> +    }
>> +
>>      if (ctl->newfile)
>>          if (vah_add_file(&buf, ctl->newfile, "rw") != 0)
>>              goto cleanup;
>>


--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]