From: Christian Ehrhardt
To: Libvirt Devel
Cc: Jamie Strandboge, Guido Guenther, Christian Ehrhardt
Date: Wed, 20 Sep 2017 16:59:06 +0200
Subject: [libvirt] [PATCH 1/4] virt-aa-helper: fix paths for usb hostdevs
Message-Id: <1505919549-19756-2-git-send-email-christian.ehrhardt@canonical.com>
In-Reply-To: <1505919549-19756-1-git-send-email-christian.ehrhardt@canonical.com>

If users only specified vendor&product (the common case) then parsing the xml via virDomainHostdevSubsysUSBDefParseXML would only set these.
Bus and Device would much later be added when the devices are prepared to be added.

Due to that a hot-add of a usb hostdev works as the device is prepared and virt-aa-helper processes the new internal xml. But on an initial guest start at the time virt-aa-helper renders the apparmor rules the bus/device id's are not set yet:

  p ctl->def->hostdevs[0]->source.subsys.u.usb
  $12 = {autoAddress = false, bus = 0, device = 0, vendor = 1921, product = 21888}

That causes rules to be wrong:
  "/dev/bus/usb/000/000" rw,

The fix calls virHostdevFindUSBDevice after reading the XML from virt-aa-helper to only add apparmor rules for devices that could be found and now are fully known to be able to write the rule correctly.

It unconditionally sets virHostdevFindUSBDevice mandatory attribute as adding an apparmor rule for a device not found makes no sense no matter what startup policy it has set.

Signed-off-by: Christian Ehrhardt
--- src/security/virt-aa-helper.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 7944dc1..d1518ea 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -55,6 +55,7 @@ #include "virrandom.h" #include "virstring.h" #include "virgettext.h" +#include "virhostdev.h" =20 #include "storage/storage_source.h" =20 
@@ -1069,6 +1070,9 @@ get_files(vahControl * ctl) if (usb =3D=3D NULL) continue; =20 + if (virHostdevFindUSBDevice(dev, true, &usb) < 0) + continue; + rc =3D virUSBDeviceFileIterate(usb, file_iterate_hostdev_c= b, &buf); virUSBDeviceFree(usb); if (rc !=3D 0) --=20 2.7.4 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
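Review bot: in the get_files() hunk of patch 1/4, `usb` is already non-NULL when the new call runs (the context line just above is the `if (usb == NULL) continue;` check), so passing `&usb` to virHostdevFindUSBDevice can overwrite that pointer without the earlier object being freed, and on the `< 0` path the new `continue` skips the `virUSBDeviceFree(usb)` that follows. Either free the first object before the lookup or drop the earlier allocation so that virHostdevFindUSBDevice is the only place `usb` is created. A failed lookup is also skipped silently here; since the result is a guest that starts without an AppArmor rule for its hostdev, a log line naming the vendor/product that could not be found would make the later denial easier to diagnose.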
From: Christian Ehrhardt
To: Libvirt Devel
Cc: Jamie Strandboge, Guido Guenther, Christian Ehrhardt
Date: Wed, 20 Sep 2017 16:59:07 +0200
Subject: [libvirt] [PATCH 2/4] virt-aa-helper: fix libusb access to udev usb data
Message-Id: <1505919549-19756-3-git-send-email-christian.ehrhardt@canonical.com>
In-Reply-To: <1505919549-19756-1-git-send-email-christian.ehrhardt@canonical.com>

libusb as used by qemu needs to read data from /run/udev/data/ about usb devices. That is read once on the first initialization of libusb_init by qemu.
Therefore generating just the device we need would not be sufficient as another hotplug later can need another device which would fail as the data is no more re-read at this point.

But we can restrict the paths very much to just the major number of potential usb devices which will make it match approximately the detail that e.g. an lsusb -v would reveal - that is much safer than the "/run/udev/data/* r" blanket many users are using now as a workaround.

Signed-off-by: Christian Ehrhardt
--- examples/apparmor/libvirt-qemu | 3 +++ 1 file changed, 3 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index dcfb1a5..b341e31 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu 
@@ -29,6 +29,9 @@ # For hostdev access. The actual devices will be added dynamically /sys/bus/usb/devices/ r, /sys/devices/**/usb[0-9]*/** r, + # libusb needs udev data about usb devices (~equal to content of lsusb -= v) + /run/udev/data/c16[6,7]* r, + /run/udev/data/c18[0,8,9]* r, =20 # WARNING: this gives the guest direct access to host hardware and speci= fic # portions of shared memory. This is required for sound using ALSA with = kvm, --=20 2.7.4
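Review bot: the character classes in the two added rules of patch 2/4, `c16[6,7]*` and `c18[0,8,9]*`, contain literal commas, so each class also matches a `,` in that position; `[67]` and `[089]` express the intended majors. The trailing `*` also follows the major digits directly, so the pattern would match a longer major that merely starts with the same three digits; udev names these files `c<major>:<minor>`, so `c16[67]:*` and `c18[089]:*` keep the match to the majors listed. The added comment could also name the device classes behind 166, 167, 180, 188 and 189 so a later reader can check the list against the "much safer than the blanket rule" claim in the commit message.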
From: Christian Ehrhardt
To: Libvirt Devel
Cc: Jamie Strandboge, Guido Guenther, Christian Ehrhardt
Date: Wed, 20 Sep 2017 16:59:08 +0200
Subject: [libvirt] [PATCH 3/4] virt-aa-helper: allow spaces in vm names
Message-Id: <1505919549-19756-4-git-send-email-christian.ehrhardt@canonical.com>
In-Reply-To: <1505919549-19756-1-git-send-email-christian.ehrhardt@canonical.com>

libvirt allows spaces in vm names, there were issues in the past but it seems not removed so the assumption has to be that spaces are continuing to be allowed.
Therefore virt-aa-helper should not reject spaces in vm names anymore if it is going to be refused causing issues then the parser or xml schema should do so.

Apparmor rules are in quotes, so a space in a path based on the name works.

Signed-off-by: Christian Ehrhardt
--- src/security/virt-aa-helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index d1518ea..5f4519d 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c 
@@ -449,7 +449,7 @@ valid_name(const char *name) { /* just try to filter out any dangerous characters in the name that ca= n be * used to subvert the profile */ - const char *bad =3D " /[]*"; + const char *bad =3D "/[]*"; =20 if (strlen(name) =3D=3D 0) return -1; --=20 2.7.4
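Review bot: with the space removed from `bad` in valid_name() (patch 3/4), a name's safety inside a rule rests entirely on the quoting the commit message refers to, but the set `/[]*` shown here does not contain the double quote, so a name containing `"` would end the quoted path early. Unless that character is rejected elsewhere, add `"` to `bad` in this same change, and consider the other pattern characters AppArmor honours (`?`, `{`, `}`) plus control characters such as newline, since the comment above the declaration says the goal is to filter anything that can be used to subvert the profile.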
From: Christian Ehrhardt
To: Libvirt Devel
Cc: Jamie Strandboge, Guido Guenther, Christian Ehrhardt
Date: Wed, 20 Sep 2017 16:59:09 +0200
Subject: [libvirt] [PATCH 4/4] virt-aa-helper: put static rules in quotes
Message-Id: <1505919549-19756-5-git-send-email-christian.ehrhardt@canonical.com>
In-Reply-To: <1505919549-19756-1-git-send-email-christian.ehrhardt@canonical.com>

To avoid any issues later on if paths ever change (unlikely but possible) and to match the style of other generated rules the paths of the static rules have to be
quoted as well.

Signed-off-by: Christian Ehrhardt
--- src/security/virt-aa-helper.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 5f4519d..95906e6 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1149,11 +1149,11 @@ get_files(vahControl * ctl) } } if (needsvhost) - virBufferAddLit(&buf, " /dev/vhost-net rw,\n"); + virBufferAddLit(&buf, " \"/dev/vhost-net\" rw,\n"); =20 if (needsVfio) { - virBufferAddLit(&buf, " /dev/vfio/vfio rw,\n"); - virBufferAddLit(&buf, " /dev/vfio/[0-9]* rw,\n"); + virBufferAddLit(&buf, " \"/dev/vfio/vfio\" rw,\n"); + virBufferAddLit(&buf, " \"/dev/vfio/[0-9]*\" rw,\n"); } =20 if (ctl->newfile) --=20 2.7.4
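Review bot: in the needsVfio branch of patch 4/4 the quoted rule `"/dev/vfio/[0-9]*"` still depends on `[0-9]*` being treated as a pattern inside the quotes; say so in the commit message, since a reader could take the new quotes to mean a literal path, and note that the trailing `*` admits any suffix after the first digit. As the three literals now carry hand-written `\"` escapes, a small helper or format string that adds the quotes in one place would keep static and generated rules from drifting apart again.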