From: Christian Ehrhardt
To: libvir-list@redhat.com
Cc: Guido Günther, Christian Ehrhardt
Date: Tue, 12 Feb 2019 16:22:06 +0100
Message-Id: <20190212152207.19524-2-christian.ehrhardt@canonical.com>
In-Reply-To: <20190212152207.19524-1-christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH 1/2] security: aa-helper: allow virt-aa-helper to read /dev/dri

Change fb01e1a44 "virt-aa-helper: generate rules for gl enabled graphics devices" implemented the detection for gl enabled devices in virt-aa-helper. But it will in certain cases, e.g. if no rendernode was explicitly specified, need to read /dev/dri, which it currently isn't allowed to do. Add a rule to the apparmor profile of virt-aa-helper itself to be able to do that.

Signed-off-by: Christian Ehrhardt
---
 src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
index de9436872c..78994bcda6 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -19,6 +19,9 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-h= elper { =20 /etc/libnl-3/classid r, =20 + # for gl enabled graphics + /dev/dri/{,*} r, + # for hostdev /sys/devices/ r, /sys/devices/** r,
-- 
2.17.1

-- 
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
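Review bot: the new rule `/dev/dri/{,*} r,` grants read access to every node under /dev/dri (the card* and renderD* devices), not only the directory listing; if the helper only has to enumerate render nodes to pick a default, as the commit message suggests, a plain `/dev/dri/ r,` is the narrower rule (it is also what patch 2/2 emits into the generated guest profile). If reading the device nodes themselves is required, say so in the `# for gl enabled graphics` comment so the wider grant is not tightened later by mistake.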
From: Christian Ehrhardt
To: libvir-list@redhat.com
Cc: Guido Günther, Christian Ehrhardt
Date: Tue, 12 Feb 2019 16:22:07 +0100
Message-Id: <20190212152207.19524-3-christian.ehrhardt@canonical.com>
In-Reply-To: <20190212152207.19524-1-christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH 2/2] security: aa-helper: generate more rules for gl devices

Change fb01e1a44 "virt-aa-helper: generate rules for gl enabled graphics devices" implemented the detection for gl enabled devices in virt-aa-helper. But further testing showed that it will need much more access for the full gl stack to work.
Upstream apparmor just recently split those things out and now has two related abstractions at https://gitlab.com/apparmor/apparmor/blob/master:
- dri-common at /profiles/apparmor.d/abstractions/dri-common
- mesa at /profiles/apparmor.d/abstractions/mesa

It would be great to just include that for the majority of rules, but they are not yet in any distribution, so we need to add rules inspired by them based on the testing that we can do.

Furthermore qemu with opengl will also probe the backing device of the rendernode for attributes, which should be safe as read-only wildcard rules.

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1815452
Signed-off-by: Christian Ehrhardt
---
 src/security/virt-aa-helper.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 8e22e9978a..46c1914f58 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -937,7 +937,7 @@ get_files(vahControl * ctl) size_t i; char *uuid; char uuidstr[VIR_UUID_STRING_BUFLEN]; - bool needsVfio =3D false, needsvhost =3D false; + bool needsVfio =3D false, needsvhost =3D false, needsgl =3D false; =20 /* verify uuid is same as what we were given on the command line */ virUUIDFormat(ctl->def->uuid, uuidstr); @@ -1065,9 +1065,11 @@ get_files(vahControl * ctl) =20 if (rendernode) { vah_add_file(&buf, rendernode, "rw"); + needsgl =3D true; } else { if (virDomainGraphicsNeedsAutoRenderNode(graphics)) { char *defaultRenderNode =3D virHostGetDRMRenderNode(); + needsgl =3D true; =20 if (defaultRenderNode) { vah_add_file(&buf, defaultRenderNode, "rw");
@@ -1267,6 +1269,22 @@ get_files(vahControl * ctl) virBufferAddLit(&buf, " \"/dev/vfio/vfio\" rw,\n"); virBufferAddLit(&buf, " \"/dev/vfio/[0-9]*\" rw,\n"); } + if (needsgl) { + /* if using gl all sorts of further dri related paths will be need= ed */ + virBufferAddLit(&buf, " # DRI/Mesa/(e)GL config and driver paths\= n"); + virBufferAddLit(&buf, " \"/usr/lib{,32,64}/dri/**\" mr,\n"); + virBufferAddLit(&buf, " \"/usr/lib/@{multiarch}/dri/**\" mr,\n"); + virBufferAddLit(&buf, " \"/usr/lib/fglrx/dri/**\" mr,\n"); + virBufferAddLit(&buf, " \"/etc/drirc\" r,\n"); + virBufferAddLit(&buf, " \"/usr/share/drirc.d/{,*.conf}\" r,\n"); + virBufferAddLit(&buf, " \"/etc/glvnd/egl_vendor.d/{,*}\" r,\n"); + virBufferAddLit(&buf, " \"/usr/share/glvnd/egl_vendor.d/{,*}\" r,= \n"); + virBufferAddLit(&buf, " owner \"/var/lib/libvirt/.cache/\" w,\n"); + virBufferAddLit(&buf, " # Probe DRI device attributes\n"); + virBufferAddLit(&buf, " \"/dev/dri/\" r,\n"); + virBufferAddLit(&buf, " \"/sys/devices/*/*/{uevent,vendor,device,= subsystem_vendor,subsystem_device}\" r,\n"); + virBufferAddLit(&buf, " \"/sys/devices/*/*/drm/*/{uevent,vendor,d= evice,subsystem_vendor,subsystem_device}\" r,\n"); + } =20 if (ctl->newfile) if (vah_add_file(&buf, ctl->newfile, "rwk") !=3D 0) --=20 2.17.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
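Review bot: in the auto-detect branch of the `@@ -1065,9 +1065,11 @@` hunk, `needsgl = true;` is set right after `virHostGetDRMRenderNode()` and before the `if (defaultRenderNode)` check, so the DRI/Mesa rule block is emitted even when no render node was found and none was added to the profile. Moving the assignment inside `if (defaultRenderNode) {` keeps the generated profile minimal on hosts without a usable render node; if emitting the rules regardless is intended, a short comment at that point would make it clear.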
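Review bot: the sysfs rules in the `@@ -1267,6 +1269,22 @@` hunk, `"/sys/devices/*/*/{uevent,...}"` and `"/sys/devices/*/*/drm/*/{uevent,...}"`, only match devices exactly two levels below /sys/devices (e.g. /sys/devices/pci0000:00/0000:00:02.0/), so a GPU behind a PCIe root port or bridge, which sits one directory deeper (e.g. /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/), is not covered and the attribute probe would be denied. Either derive the path from the selected render node (its /sys/class/drm/renderD*/device link) or use `**` for the intermediate components while keeping the same read-only attribute list. Separately, `owner "/var/lib/libvirt/.cache/" w,` only permits creating that directory: AppArmor mediates file creation by the path of the file being created, so anything Mesa wants to write below it (its shader cache) still needs a rule such as `owner "/var/lib/libvirt/.cache/**" rw,`; if the shader cache is deliberately not meant to work, the comment should say so.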