From: Christian Ehrhardt
To: libvir-list@redhat.com
Cc: Guido Günther, Christian Ehrhardt
Date: Mon, 18 Feb 2019 17:59:54 +0100
Message-Id: <20190218165955.4209-2-christian.ehrhardt@canonical.com>
In-Reply-To: <20190218165955.4209-1-christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH v2 1/2] security: aa-helper: allow virt-aa-helper to read /dev/dri

Change fb01e1a44 "virt-aa-helper: generate rules for gl enabled graphics devices" implemented the detection for gl enabled devices in virt-aa-helper. But in certain cases, e.g. if no rendernode was explicitly specified, it will need to read /dev/dri, which it currently isn't allowed to do. Add a rule to the apparmor profile of virt-aa-helper itself to be able to do that.

Acked-by: Jamie Strandboge
Signed-off-by: Christian Ehrhardt
--- src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/sec= urity/apparmor/usr.lib.libvirt.virt-aa-helper index de9436872c..78994bcda6 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -19,6 +19,9 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-h= elper { =20 /etc/libnl-3/classid r, =20 + # for gl enabled graphics + /dev/dri/{,*} r, + # for hostdev /sys/devices/ r, /sys/devices/** r, --=20 2.17.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
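Review bot: in the hunk at @@ -19,6 +19,9 @@, `/dev/dri/{,*} r,` grants read access to every node under /dev/dri (the card and render devices) as well as to the directory itself, while the commit message only says virt-aa-helper needs to read /dev/dri to find a render node when none was specified explicitly. If directory enumeration is all the helper needs, `/dev/dri/ r,` is the tighter rule (the guest-profile side of this series uses exactly that form); if read access to the device nodes is genuinely required by the helper, the `# for gl enabled graphics` comment should say why, so the wider grant does not look accidental.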
From: Christian Ehrhardt
To: libvir-list@redhat.com
Cc: Guido Günther, Christian Ehrhardt
Date: Mon, 18 Feb 2019 17:59:55 +0100
Message-Id: <20190218165955.4209-3-christian.ehrhardt@canonical.com>
In-Reply-To: <20190218165955.4209-1-christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH v2 2/2] security: aa-helper: generate more rules for gl devices

Change fb01e1a44 "virt-aa-helper: generate rules for gl enabled graphics devices" implemented the detection for gl enabled devices in virt-aa-helper. But further testing showed that it will need much more access for the full gl stack to work.
Upstream apparmor just recently split those things out and now has two related abstractions at https://gitlab.com/apparmor/apparmor/blob/master:
- dri-common at /profiles/apparmor.d/abstractions/dri-common
- mesa at /profiles/apparmor.d/abstractions/mesa
It would be great to just include those for the majority of rules, but they are not yet in any distribution, so we need to add rules inspired by them based on the testing that we can do. Furthermore, qemu with opengl will also probe the backing device of the rendernode for attributes, which should be safe as read-only wildcard rules.

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1815452
Signed-off-by: Christian Ehrhardt
--- src/security/virt-aa-helper.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 8e22e9978a..784ee49e61 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -937,7 +937,7 @@ get_files(vahControl * ctl) size_t i; char *uuid; char uuidstr[VIR_UUID_STRING_BUFLEN]; - bool needsVfio =3D false, needsvhost =3D false; + bool needsVfio =3D false, needsvhost =3D false, needsgl =3D false; =20 /* verify uuid is same as what we were given on the command line */ virUUIDFormat(ctl->def->uuid, uuidstr); @@ -1065,9 +1065,11 @@ get_files(vahControl * ctl) =20 if (rendernode) { vah_add_file(&buf, rendernode, "rw"); + needsgl =3D true; } else { if (virDomainGraphicsNeedsAutoRenderNode(graphics)) { char *defaultRenderNode =3D virHostGetDRMRenderNode(); + needsgl =3D true; =20 if (defaultRenderNode) { vah_add_file(&buf, defaultRenderNode, "rw"); 
@@ -1267,6 +1269,23 @@ get_files(vahControl * ctl) virBufferAddLit(&buf, " \"/dev/vfio/vfio\" rw,\n"); virBufferAddLit(&buf, " \"/dev/vfio/[0-9]*\" rw,\n"); } + if (needsgl) { + /* if using gl all sorts of further dri related paths will be need= ed */ + virBufferAddLit(&buf, " # DRI/Mesa/(e)GL config and driver paths\= n"); + virBufferAddLit(&buf, " \"/usr/lib{,32,64}/dri/**.so\" mr,\n"); + virBufferAddLit(&buf, " \"/usr/lib/@{multiarch}/dri/**.so\" mr,\n= "); + virBufferAddLit(&buf, " \"/usr/lib/fglrx/dri/**.so\" mr,\n"); + virBufferAddLit(&buf, " \"/etc/drirc\" r,\n"); + virBufferAddLit(&buf, " \"/usr/share/drirc.d/{,*.conf}\" r,\n"); + virBufferAddLit(&buf, " \"/etc/glvnd/egl_vendor.d/{,*}\" r,\n"); + virBufferAddLit(&buf, " \"/usr/share/glvnd/egl_vendor.d/{,*}\" r,= \n"); + virBufferAddLit(&buf, " # Probe DRI device attributes\n"); + virBufferAddLit(&buf, " \"/dev/dri/\" r,\n"); + virBufferAddLit(&buf, " \"/sys/devices/*/*/{uevent,vendor,device,= subsystem_vendor,subsystem_device}\" r,\n"); + virBufferAddLit(&buf, " \"/sys/devices/*/*/drm/*/{uevent,vendor,d= evice,subsystem_vendor,subsystem_device}\" r,\n"); + virBufferAddLit(&buf, " # dri libs will trigger that, but t is no= t requited and DAC would deny it anyway\n"); + virBufferAddLit(&buf, " deny \"/var/lib/libvirt/.cache/\" w,\n"); + } =20 if (ctl->newfile) if (vah_add_file(&buf, ctl->newfile, "rwk") !=3D 0) --=20 2.17.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
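Review bot: in the hunk at @@ -1065,9 +1065,11 @@, the `needsgl = true;` added in the else branch is set before `if (defaultRenderNode)` is checked, so when virHostGetDRMRenderNode() returns NULL and no render node is added to the profile, the whole DRI/Mesa rule block guarded by needsgl is still emitted for a guest that has no render node to use. Moving the assignment inside `if (defaultRenderNode) {` keeps the extra rules tied to an actual render node grant, matching the explicit-rendernode branch where the flag is set right next to the vah_add_file() call.

Review bot: in the hunk at @@ -1267,6 +1269,23 @@, the generated comment `# dri libs will trigger that, but t is not requited and DAC would deny it anyway` has two typos (`t is` and `requited`); suggest `# dri libs will trigger that, but it is not required and DAC would deny it anyway`, since this text ends up in every generated guest profile. Also, `/sys/devices/*/*/{uevent,vendor,device,subsystem_vendor,subsystem_device}` and the matching `/sys/devices/*/*/drm/*/...` rule match those attribute files for every device two levels below /sys/devices, not only the backing device of the render node that the commit message describes; that is read-only as stated, but if the sysfs path of the chosen render node is known at this point, a rule scoped to that device would be the tighter option.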