From: Cédric Bosdonnat <cbosdonnat@suse.com>
To: libvir-list@redhat.com
Cc: Cédric Bosdonnat
Date: Mon, 11 Dec 2017 16:23:44 +0100
Message-Id: <20171211152344.24823-1-cbosdonnat@suse.com>
Subject: [libvirt] [PATCH] virt-aa-helper: handle more disk images

virt-aa-helper needs read access to the disk image to resolve symlinks and add the proper rules to the profile. Its profile whitelists a few common paths, but users can place their images anywhere. This commit helps users allow access to their images by adding their own rules in apparmor.d/local/usr.lib.libvirt.virt-aa-helper.
This commit also adds rules to allow reading files named: - *.raw as this is a rather common disk image extension - /run/libvirt/**[vd]d[a-z] as these are used by virt-sandbox --- examples/Makefile.am | 24 ++++++++++++++++++++= ++-- examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++++ 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/examples/Makefile.am b/examples/Makefile.am index ef2f79db3..8a1d6919a 100644 --- a/examples/Makefile.am +++ b/examples/Makefile.am @@ -67,6 +67,9 @@ admin_client_info_SOURCES =3D admin/client_info.c admin_client_close_SOURCES =3D admin/client_close.c admin_logging_SOURCES =3D admin/logging.c =20 +INSTALL_DATA_LOCAL =3D +UNINSTALL_LOCAL =3D + if WITH_APPARMOR_PROFILES apparmordir =3D $(sysconfdir)/apparmor.d/ apparmor_DATA =3D \ @@ -85,20 +88,37 @@ templates_DATA =3D \ apparmor/TEMPLATE.qemu \ apparmor/TEMPLATE.lxc \ $(NULL) + +APPARMOR_LOCAL_DIR =3D "$(DESTDIR)$(apparmordir)/local" +install-apparmor-local: + $(MKDIR_P) "$(APPARMOR_LOCAL_DIR)" + echo "# Site-specific additions and overrides for \ + 'usr.lib.libvirt.virt-aa-helper'" \ + >$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper + +INSTALL_DATA_LOCAL +=3D install-apparmor-local +UNINSTALL_LOCAL +=3D uninstall-apparmor-local endif WITH_APPARMOR_PROFILES =20 if WITH_NWFILTER NWFILTER_DIR =3D "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter" =20 -install-data-local: +install-nwfilter-local: $(MKDIR_P) "$(NWFILTER_DIR)" for f in $(FILTERS); do \ $(INSTALL_DATA) $$f "$(NWFILTER_DIR)"; \ done =20 -uninstall-local:: +uninstall-nwfilter-local:: for f in $(FILTERS); do \ rm -f "$(NWFILTER_DIR)/`basename $$f`"; \ done -test -z "$(shell ls $(NWFILTER_DIR))" || rmdir $(NWFILTER_DIR) + +INSTALL_DATA_LOCAL +=3D install-nwfilter-local +UNINSTALL_LOCAL +=3D uninstall-nwfilter-local endif WITH_NWFILTER + +install-data-local: $(INSTALL_DATA_LOCAL) + +uninstall-local: $(UNINSTALL_LOCAL) 
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/ap= parmor/usr.lib.libvirt.virt-aa-helper index bd6181d00..f3069d369 100644 --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper +++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper @@ -3,6 +3,7 @@ =20 profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { #include + #include =20 # needed for searching directories capability dac_override, @@ -50,8 +51,11 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-= helper { /var/lib/libvirt/images/ r, /var/lib/libvirt/images/** r, /{media,mnt,opt,srv}/** r, + # For virt-sandbox + /run/libvirt/**/[sv]d[a-z] r =20 /**.img r, + /**.raw r, /**.qcow{,2} r, /**.qed r, /**.vmdk r, --=20 2.15.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
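Review bot: in the examples/Makefile.am hunk under WITH_APPARMOR_PROFILES, the install-apparmor-local recipe writes the stub with a plain `>` redirect, so every `make install` rewrites $(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper and throws away whatever site-specific rules the administrator had added there, which is exactly the content this patch exists to let them keep; guard it with `test -e "$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper" || echo ... > ...` so the file is only created when it does not yet exist. The same hunk appends uninstall-apparmor-local to UNINSTALL_LOCAL but defines no target by that name anywhere in the diff, so once the new `uninstall-local: $(UNINSTALL_LOCAL)` rule is in place `make uninstall` will stop with a "No rule to make target" error; either add the target (leaving a customised file alone would be the safe behaviour) or drop that `+=` line. Minor: the backslash continuation sits inside the double-quoted echo argument, so the leading whitespace of the continued line ends up inside the generated comment, and the redirect target is unquoted while the $(MKDIR_P) argument is quoted, which matters if DESTDIR contains spaces.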
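Review bot: in the first usr.lib.libvirt.virt-aa-helper hunk the argument of the added #include has been lost in this rendering, so it cannot be checked against the path the Makefile creates; assuming it pulls in local/usr.lib.libvirt.virt-aa-helper as the commit message says, a plain #include is mandatory for apparmor_parser, so the profile will fail to load on any system where the example profile is installed without install-apparmor-local having created that file (for instance a distribution package that copies examples/apparmor/* directly). That should be stated in the commit message, or the file shipped alongside the profile, so packagers do not end up with virt-aa-helper unconfined or failing to start.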
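Review bot: in the second usr.lib.libvirt.virt-aa-helper hunk the new rule `/run/libvirt/**/[sv]d[a-z] r` lacks the trailing comma every neighbouring rule has; that is a syntax error for apparmor_parser and keeps the whole profile from loading, so it should read `/run/libvirt/**/[sv]d[a-z] r,`. The pattern also disagrees with the commit message, which lists `/run/libvirt/**[vd]d[a-z]` (`**` versus `**/`, `[vd]` versus `[sv]`); the rule's `[sv]d[a-z]` matches sdX/vdX device names and looks like the intended one, so the message should be brought in line with it. The `/**.raw r,` addition follows the existing `/**.img`, `/**.qcow{,2}`, `/**.qed` and `/**.vmdk` rules and grants virt-aa-helper read access to any file anywhere whose name ends in .raw; that is consistent with the current profile, but worth a sentence in the message since it widens what the helper may read.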