[libvirt] [PATCH] apparmor: Add openGraphicsFD rule for named profile

Christian Ehrhardt posted 1 patch 4 years, 10 months ago
Test syntax-check passed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20190619070903.10417-1-christian.ehrhardt@canonical.com
src/security/apparmor/libvirt-qemu | 1 +
1 file changed, 1 insertion(+)
[libvirt] [PATCH] apparmor: Add openGraphicsFD rule for named profile
Posted by Christian Ehrhardt 4 years, 10 months ago
Commit a3ab6d42 changed the libvirtd profile to a named profile
but neglected to accommodate the change in the qemu profile
ptrace and signal rules.
Later on 4ec3cf9a fixed that for ptrace and signal but openGraphicsFD
is still missing.

As a result, libvirtd is unable to open UI on libvirt >=5.1 e.g. with
virt-manager.

Add openGraphicsFD rule that references the libvirtd profile
by name in addition to full binary path.

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1833040

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 src/security/apparmor/libvirt-qemu | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 165558fe83..d33348aa05 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -208,6 +208,7 @@
   /sys/firmware/devicetree/** r,
 
   # allow connect with openGraphicsFD to work
+  unix (send, receive) type=stream addr=none peer=(label=libvirtd),
   unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
 
   # for gathering information about available host resources
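Review bot: The new `peer=(label=libvirtd)` line goes in without touching the comment above it, so `# allow connect with openGraphicsFD to work` now sits over two near-identical rules with nothing saying why both are needed; suggest extending the comment to state that the first rule matches libvirtd confined under the named profile and the second one the older path-attached profile, so a later cleanup does not drop either as a duplicate. Since the hunk only touches this one openGraphicsFD rule, it is also worth confirming before pushing that no other `peer=(label=/usr/sbin/libvirtd)` occurrence remains in the profile or templates; the commit message says ptrace and signal were already covered in 4ec3cf9a, so this should be the last one, but a grep would settle it.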
-- 
2.21.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
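The commit message above describes a rule that was left referencing its peer only by binary path after the libvirtd profile became a named profile. The following Python script is an added example, not part of this thread or of libvirt's own code: it scans AppArmor profile text for rules carrying a peer label and reports every path-labelled rule that has no sibling rule naming the same peer by profile name, which is exactly the gap the patch closes. The sample profile fragment and the path-to-name mapping are constructed for the example and only modelled on the hunk.

```python
"""Added example: find peer-label rules in an AppArmor profile that reference
a confined peer only by binary path, with no sibling rule using the profile
name.  Assumes one rule per line, as in libvirt's libvirt-qemu profile.
"""
import re

# Matches both label syntaxes seen in AppArmor profiles:
#   peer=libvirtd,   peer=/usr/sbin/libvirtd,   peer=(label=/usr/sbin/libvirtd),
PEER_RE = re.compile(r"peer=\(?\s*(?:label=)?(?P<label>[^,)\s]+)\)?")

# Constructed sample: ptrace/signal already carry both labels (as the commit
# message says 4ec3cf9a did), the openGraphicsFD unix rule only the path one.
SAMPLE_PROFILE = """
  ptrace (readby, tracedby) peer=libvirtd,
  ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
  signal (receive) peer=libvirtd,
  signal (receive) peer=/usr/sbin/libvirtd,

  # allow connect with openGraphicsFD to work
  unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
"""

# The same fragment with the line the patch adds (constructed).
FIXED_PROFILE = SAMPLE_PROFILE + (
    "  unix (send, receive) type=stream addr=none peer=(label=libvirtd),\n"
)

# Assumed mapping from binary path to the named profile that now confines it.
NAME_FOR_PATH = {"/usr/sbin/libvirtd": "libvirtd"}


def parse_peer_rules(profile_text):
    """Yield ((prefix, suffix), label) for each non-comment rule line that
    carries a peer label; prefix/suffix are the rule text around the label."""
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PEER_RE.search(line)
        if not m:
            continue
        template = (line[: m.start("label")], line[m.end("label"):])
        yield template, m.group("label")


def missing_named_peers(profile_text, name_for_path):
    """Return the rule lines that would have to be added so that every rule
    naming a mapped binary path also exists with the profile name."""
    rules = set(parse_peer_rules(profile_text))
    missing = []
    for template, label in sorted(rules):
        name = name_for_path.get(label)
        if name is None:
            continue  # label is not a path we know a named profile for
        if (template, name) not in rules:
            prefix, suffix = template
            missing.append(prefix + name + suffix)
    return missing


if __name__ == "__main__":
    for title, text in (("before patch", SAMPLE_PROFILE), ("after patch", FIXED_PROFILE)):
        print(f"{title}:")
        for rule in missing_named_peers(text, NAME_FOR_PATH) or ["  (nothing missing)"]:
            print("  " + rule)
```

Run against a real profile, the script reads the file into `profile_text` and the mapping is extended with every binary the distribution confines under a named profile; each reported line is the rule a path-only entry still lacks.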
Re: [libvirt] [PATCH] apparmor: Add openGraphicsFD rule for named profile
Posted by Jamie Strandboge 4 years, 10 months ago
On Wed, 19 Jun 2019, Christian Ehrhardt wrote:

> Commit a3ab6d42 changed the libvirtd profile to a named profile
> but neglected to accommodate the change in the qemu profile
> ptrace and signal rules.
> Later on 4ec3cf9a fixed that for ptrace and signal but openGraphicsFD
> is still missing.
> 
> As a result, libvirtd is unable to open UI on libvirt >=5.1 e.g. with
> virt-manager.
> 
> Add openGraphicsFD rule that references the libvirtd profile
> by name in addition to full binary path.
> 
> Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1833040
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
>  src/security/apparmor/libvirt-qemu | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> index 165558fe83..d33348aa05 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -208,6 +208,7 @@
>    /sys/firmware/devicetree/** r,
>  
>    # allow connect with openGraphicsFD to work
> +  unix (send, receive) type=stream addr=none peer=(label=libvirtd),
>    unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
>  
>    # for gathering information about available host resources

+1 to apply. Thanks for chasing this down.

-- 
Jamie Strandboge             | http://www.canonical.com
Re: [libvirt] [PATCH] apparmor: Add openGraphicsFD rule for named profile
Posted by Christian Ehrhardt 4 years, 10 months ago
On Wed, Jun 19, 2019 at 2:07 PM Jamie Strandboge <jamie@canonical.com> wrote:
>
> On Wed, 19 Jun 2019, Christian Ehrhardt wrote:
>
> > Commit a3ab6d42 changed the libvirtd profile to a named profile
> > but neglected to accommodate the change in the qemu profile
> > ptrace and signal rules.
> > Later on 4ec3cf9a fixed that for ptrace and signal but openGraphicsFD
> > is still missing.
> >
> > As a result, libvirtd is unable to open UI on libvirt >=5.1 e.g. with
> > virt-manager.
> >
> > Add openGraphicsFD rule that references the libvirtd profile
> > by name in addition to full binary path.
> >
> > Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1833040
> >
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> > ---
> >  src/security/apparmor/libvirt-qemu | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> > index 165558fe83..d33348aa05 100644
> > --- a/src/security/apparmor/libvirt-qemu
> > +++ b/src/security/apparmor/libvirt-qemu
> > @@ -208,6 +208,7 @@
> >    /sys/firmware/devicetree/** r,
> >
> >    # allow connect with openGraphicsFD to work
> > +  unix (send, receive) type=stream addr=none peer=(label=libvirtd),
> >    unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
> >
> >    # for gathering information about available host resources
>
> +1 to apply. Thanks for chasing this down.

Thanks for the review Jamie.
Given that the change is rather safe I'm pushing it without waiting much longer.

> --
> Jamie Strandboge             | http://www.canonical.com
-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
