From: Christian Ehrhardt
To: libvir-list@redhat.com, Guido Günther, intrigeri, Jamie Strandboge
Cc: Christian Ehrhardt
Date: Tue, 14 Aug 2018 08:18:21 +0200
Message-Id: <20180814061822.15439-5-christian.ehrhardt@canonical.com>
In-Reply-To: <20180814061822.15439-1-christian.ehrhardt@canonical.com>
References: <20180814061822.15439-1-christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH v2 4/5] apparmor: allow qemu-smb access in /tmp

The samba feature of qemu will place the samba config file in /tmp/qemu-smb..
But at least it has a predictable path identifying the qemu-smb feature itself by an infix in the path.

This is a compromise of security and usability, as the "owner" restriction will not protect guests among each other. Therefore the rule added makes the feature usable, but does not allow cross-guest protection.

The core issue is that it is currently impossible to predict the PID which would follow "qemu-smb-", but long term, once the samba feature would be exposed in guest XML, we'd prefer a virt-aa-helper based solution that can render the samba rule on demand and with a custom PID into the per-guest profile.

But the same is true for manual user overrides for this feature as well: they can neither predict the PID, nor have a local include per guest. Thereby punting this to the user to add the rule later will not make it safer, but only less usable.

Signed-off-by: Christian Ehrhardt
---
 examples/apparmor/libvirt-qemu | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 6971d3db03..350b13b824 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -191,6 +191,11 @@ # want more unique paths per rule. /{,var/}tmp/ r, owner /{,var/}tmp/**/ r, + # allow qemu smb feature specific path with write access + # TODO: This is a compromise between security and usability - once e.g. = samba + # would be expressed in libvirt XML it should be added on demand via + # virt-aa-helper instead. + owner /tmp/qemu-smb.*/{,**} rw, =20 # for file-posix getting limits since 9103f1ce /sys/devices/**/block/*/queue/max_segments r, --=20 2.17.1
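Review bot: the path infix in the commit message does not match the rule: the message says the PID follows "qemu-smb-" (dash), while the added rule matches `owner /tmp/qemu-smb.*/{,**} rw,` (dot) and the opening sentence describes `/tmp/qemu-smb.`; please make the message and the rule agree so a reader can confirm the glob covers the directory qemu actually creates. Two smaller points on the same hunk: the TODO comment should say outright that, as the message already notes, `owner` does not separate guests from each other, so any guest confined by this profile gets read/write access to every other guest's qemu-smb directory (the trade-off is then visible next to the rule, not only in git history); and since the surrounding rules use `/{,var/}tmp/`, state whether matching `/tmp` alone is intentional.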