1. Patchew
  2. Libvirt
  3. View series

[PATCH] apparmor: Add capabilities for PCI passthrough to virtxend profile

Jim Fehlig posted 1 patch 4 months, 2 weeks ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20231219003352.15876-1-jfehlig@suse.com
src/security/apparmor/usr.sbin.virtxend.in | 2 ++
1 file changed, 2 insertions(+)
[PATCH] apparmor: Add capabilities for PCI passthrough to virtxend profile
Posted by Jim Fehlig 4 months, 2 weeks ago 
When splitting out the apparmor modular daemon profiles from the
libvirtd profile, the net_admin and sys_admin capabilities were
dropped from the virtxend profile. It was not known at the time
that these capabilities were needed for PCI passthrough. Without
the capabilities, the following messages are emitted from the audit
subsystem

audit: type=1400 audit(1702939277.946:63): apparmor="DENIED" \
operation="capable" class="cap" profile="virtxend" pid=3611 \
comm="rpc-virtxend" capability=21  capname="sys_admin"
audit: type=1400 audit(1702940304.818:63): apparmor="DENIED" \
operation="capable" class="cap" profile="virtxend" pid=3731 \
comm="rpc-virtxend" capability=12  capname="net_admin"

It appears sys_admin is needed to simply read from the PCI dev's
sysfs config file. The net_admin capability is needed when setting
the MAC address of an SR-IOV virtual function.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
 src/security/apparmor/usr.sbin.virtxend.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/apparmor/usr.sbin.virtxend.in
index 78a11305f5..77fedce352 100644
--- a/src/security/apparmor/usr.sbin.virtxend.in
+++ b/src/security/apparmor/usr.sbin.virtxend.in
@@ -5,8 +5,10 @@ profile virtxend @sbindir@/virtxend flags=(attach_disconnected) {
   #include <abstractions/dbus>
 
   capability kill,
+  capability net_admin,
   capability setgid,
   capability setuid,
+  capability sys_admin,
   capability sys_pacct,
   capability ipc_lock,
 
-- 
2.43.0
_______________________________________________
Devel mailing list -- devel@lists.libvirt.org
To unsubscribe send an email to devel-leave@lists.libvirt.org
Re: [PATCH] apparmor: Add capabilities for PCI passthrough to virtxend profile
Posted by Michal Prívozník 4 months, 2 weeks ago 
On 12/19/23 01:33, Jim Fehlig wrote:
> When splitting out the apparmor modular daemon profiles from the
> libvirtd profile, the net_admin and sys_admin capabilities were
> dropped from the virtxend profile. It was not known at the time
> that these capabilities were needed for PCI passthrough. Without
> the capabilities, the following messages are emitted from the audit
> subsystem
> 
> audit: type=1400 audit(1702939277.946:63): apparmor="DENIED" \
> operation="capable" class="cap" profile="virtxend" pid=3611 \
> comm="rpc-virtxend" capability=21  capname="sys_admin"
> audit: type=1400 audit(1702940304.818:63): apparmor="DENIED" \
> operation="capable" class="cap" profile="virtxend" pid=3731 \
> comm="rpc-virtxend" capability=12  capname="net_admin"
> 
> It appears sys_admin is needed to simply read from the PCI dev's
> sysfs config file. The net_admin capability is needed when setting
> the MAC address of an SR-IOV virtual function.
> 
> Signed-off-by: Jim Fehlig <jfehlig@suse.com>
> ---
>  src/security/apparmor/usr.sbin.virtxend.in | 2 ++
>  1 file changed, 2 insertions(+)
> 

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal
_______________________________________________
Devel mailing list -- devel@lists.libvirt.org
To unsubscribe send an email to devel-leave@lists.libvirt.org

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.