[libvirt] [PATCH] apparmor: add rules to use qemu_bridge_helper

Christian Ehrhardt posted 1 patch 5 years, 11 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/1523255646-6067-1-git-send-email-christian.ehrhardt@canonical.com
Test syntax-check passed
examples/apparmor/usr.sbin.libvirtd | 8 ++++++++
1 file changed, 8 insertions(+)
[libvirt] [PATCH] apparmor: add rules to use qemu_bridge_helper
Posted by Christian Ehrhardt 5 years, 11 months ago
Due to mediation of socket and signal activity currently qemu:///session
connections calling qemu_bridge_helper fail.

We need the profile for libvirtd itself and the subprofile for
qemu-bridge-helper to be able to talk/notify to each other via unix socket and
signals.

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1754871

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 examples/apparmor/usr.sbin.libvirtd | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index be4fabf..3102cab 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -65,6 +65,10 @@
   signal (read, send) peer=libvirt-*,
   signal (send) set=("kill", "term") peer=unconfined,
 
+  # For communication/control to qemu-bridge-helper
+  unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
+  signal (send) set=("term") peer=/usr/sbin/libvirtd//qemu_bridge_helper,
+
   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
   / r,
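Review bot: the socket rule is scoped to `addr=none` and the signal rule to `"term"` only, which is the tight grant you want, but the change gives no evidence for that scope: the commit message points at the Launchpad bug without quoting the `apparmor="DENIED"` audit lines, so a reader cannot confirm that the helper is reached over an unnamed socketpair rather than a named or abstract socket. Please quote the denials in the commit message. Note also that the existing rule two lines up grants `("kill", "term")` to `unconfined`, while the helper only gets `"term"`; if libvirtd ever escalates to SIGKILL for a hung helper that will now be denied, so either say why the narrower set suffices or mirror the existing set. Minor: the comment says `qemu-bridge-helper` while the peer label is `//qemu_bridge_helper`; using the profile's spelling in the comment makes the pairing with the child profile easier to grep for.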
@@ -112,6 +116,10 @@
 
    network inet stream,
 
+   # For communication/control from libvirtd
+   unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
+   signal (receive) set=("term") peer=/usr/sbin/libvirtd,
+
    /dev/net/tun rw,
    /etc/qemu/** r,
    owner @{PROC}/*/status r,
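Review bot: these receive-side rules only work if the peer label `/usr/sbin/libvirtd` matches the parent profile's attachment path exactly, and the parent hunk in turn hard-codes `/usr/sbin/libvirtd//qemu_bridge_helper`; a distro shipping libvirtd under another prefix has to update both places together, so a one-line comment cross-referencing the matching rules in the main profile would help maintenance. The `peer=(label=...)` form on the `unix` line next to the bare `peer=` form on the `signal` line is correct for each rule type, but it reads like an inconsistency at first glance; a short comment saying so would stop the next reader from "fixing" it.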
-- 
2.7.4

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] apparmor: add rules to use qemu_bridge_helper
Posted by Michal Privoznik 5 years, 11 months ago
On 04/09/2018 08:34 AM, Christian Ehrhardt wrote:
> Due to mediation of socket and signal activity currently qemu:///session
> connections calling qemu_bridge_helper fail.
> 
> We need the profile for libvirtd itself and the subprofile for
> qemu-bridge-helper to be able to talk/notify to each other via unix socket and
> signals.
> 
> Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1754871
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
>  examples/apparmor/usr.sbin.libvirtd | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 

ACK

Michal

Re: [libvirt] [PATCH] apparmor: add rules to use qemu_bridge_helper
Posted by Christian Ehrhardt 5 years, 11 months ago
On Wed, Apr 11, 2018 at 11:03 AM, Michal Privoznik <mprivozn@redhat.com> wrote:

> On 04/09/2018 08:34 AM, Christian Ehrhardt wrote:
> > Due to mediation of socket and signal activity currently qemu:///session
> > connections calling qemu_bridge_helper fail.
> >
> > We need the profile for libvirtd itself and the subprofile for
> > qemu-bridge-helper to be able to talk/notify to each other via unix
> socket and
> > signals.
> >
> > Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1754871
> >
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> > ---
> >  examples/apparmor/usr.sbin.libvirtd | 8 ++++++++
> >  1 file changed, 8 insertions(+)
> >
>
> ACK
>
> Michal
>

FYI - Without other feedback so far I pushed it as-is with your ack added.
Re: [libvirt] [PATCH] apparmor: add rules to use qemu_bridge_helper
Posted by Guido Günther 5 years, 11 months ago
On Mon, Apr 09, 2018 at 08:34:06AM +0200, Christian Ehrhardt wrote:
> Due to mediation of socket and signal activity currently qemu:///session
> connections calling qemu_bridge_helper fail.
> 
> We need the profile for libvirtd itself and the subprofile for
> qemu-bridge-helper to be able to talk/notify to each other via unix socket and
> signals.
> 
> Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1754871
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
>  examples/apparmor/usr.sbin.libvirtd | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> index be4fabf..3102cab 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -65,6 +65,10 @@
>    signal (read, send) peer=libvirt-*,
>    signal (send) set=("kill", "term") peer=unconfined,
>  
> +  # For communication/control to qemu-bridge-helper
> +  unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
> +  signal (send) set=("term") peer=/usr/sbin/libvirtd//qemu_bridge_helper,
> +
>    # Very lenient profile for libvirtd since we want to first focus on confining
>    # the guests. Guests will have a very restricted profile.
>    / r,
> @@ -112,6 +116,10 @@
>  
>     network inet stream,
>  
> +   # For communication/control from libvirtd
> +   unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
> +   signal (receive) set=("term") peer=/usr/sbin/libvirtd,
> +
>     /dev/net/tun rw,
>     /etc/qemu/** r,
>     owner @{PROC}/*/status r,

Reviewed-by: Guido Günther <agx@sigxcpu.org>

> -- 
> 2.7.4
> 
