From: Christian Ehrhardt
To: libvir-list@redhat.com
Cc: Christian Ehrhardt
Date: Wed, 19 Jun 2019 09:09:03 +0200
Message-Id: <20190619070903.10417-1-christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH] apparmor: Add openGraphicsFD rule for named profile

Commit a3ab6d42 changed the libvirtd profile to a named profile but neglected to accommodate the change in the qemu profile ptrace and signal rules. Later on 4ec3cf9a fixed that for ptrace and signal but openGraphicsFD is still missing. As a result, libvirtd is unable to open UI on libvirt >=5.1 e.g. with virt-manager. Add openGraphicsFD rule that references the libvirtd profile by name in addition to full binary path.

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1833040 Signed-off-by: Christian Ehrhardt --- src/security/apparmor/libvirt-qemu | 1 + 1 file changed, 1 insertion(+) diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/lib= virt-qemu index 165558fe83..d33348aa05 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -208,6 +208,7 @@ /sys/firmware/devicetree/** r, =20 # allow connect with openGraphicsFD to work + unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3Dlibvirtd), unix (send, receive) type=3Dstream addr=3Dnone peer=3D(label=3D/usr/sbin= /libvirtd), =20 # for gathering information about available host resources --=20 2.21.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
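
Review bot: the comment above the two unix rules in the @@ -208,6 +208,7 @@ hunk of src/security/apparmor/libvirt-qemu ("# allow connect with openGraphicsFD to work") does not explain why the same permission now appears twice with different peer labels, so a later cleanup could drop one of them and bring the regression back. Consider extending the comment to say that the peer may be confined under the named profile (label libvirtd) or under the path-attached one (label /usr/sbin/libvirtd), and that both are kept on purpose. Both rules stay narrowly scoped (send and receive only, type stream, addr none, a single peer label each), which is good; it would also help to state in the commit message whether the path-based rule is kept only for hosts that still load the older libvirtd profile, so it is clear when it can be removed.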