From: Andrea Bolognani
To: libvir-list@redhat.com
Date: Mon, 19 Aug 2019 12:01:42 +0200
Message-Id: <20190819100142.16104-4-abologna@redhat.com>
In-Reply-To: <20190819100142.16104-1-abologna@redhat.com>
References: <20190819100142.16104-1-abologna@redhat.com>
Subject: [libvirt] [PATCH 3/3] virt-aa-helper: Fix AppArmor profile

Since

  commit 432faf259b696043ee5d7e8f657d855419a9a3fa
  Author: Michal Privoznik
  Date:   Tue Jul 2 19:49:51 2019 +0200

      virCommand: use procfs to learn opened FDs

      When spawning a child process, between fork() and exec() we close
      all file descriptors and keep only those the caller wants us to
      pass onto the child. The problem is how we do that. Currently, we
      get the limit of opened files and then iterate through each one of
      them and either close() it or make it survive exec(). This approach
      is suboptimal (although, not that much in default configurations
      where the limit is pretty low - 1024). We have /proc where we can
      learn what FDs we hold open and thus we can selectively close only
      those.

      Signed-off-by: Michal Privoznik
      Reviewed-by: Ján Tomko

  v5.5.0-173-g432faf259b

programs using the virCommand APIs on Linux need read access to
/proc/self/fd, or they will fail like

  error : virCommandWait:2796 : internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -c -u libvirt-b20e9a8e-091a-45e0-8823-537119e98bc6) unexpected exit status 1: libvirt: error : cannot open directory '/proc/self/fd': Permission denied
  virt-aa-helper: error: apparmor_parser exited with error

Update the AppArmor profile for virt-aa-helper so that read access to
the relevant path is granted.

Signed-off-by: Andrea Bolognani
Reviewed-by: Ján Tomko
---
 src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
index bf6bd297d1..d81dddef30 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -17,6 +17,10 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
   owner @{PROC}/[0-9]*/status r,
   @{PROC}/filesystems r,
 
+  # Used when internally running another command (namely apparmor_parser)
+  @{PROC}/self/fd r,
+  @{PROC}/@{pid}/fd r,
+
   /etc/libnl-3/classid r,
 
   # for gl enabled graphics
-- 
2.21.0
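Review bot: the added `@{PROC}/@{pid}/fd r,` rule lacks the `owner` qualifier that the neighbouring `owner @{PROC}/[0-9]*/status r,` rule uses, so depending on how the installed AppArmor tunables expand @{pid} it can permit listing the fd directory of processes other than the helper itself, which is more than the failure in the commit message ("cannot open directory '/proc/self/fd'") requires. Suggest `owner @{PROC}/@{pid}/fd r,` for consistency with the status rule; `@{PROC}/self/fd r,` on its own already covers the path the child opens. It would also help to say in the comment that only directory read (`r`) is needed, not access to the symlinks beneath it, so the rule is not widened later.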
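The quoted commit describes the two strategies for closing inherited descriptors between fork() and exec(): walk every number up to the open-file limit, or read /proc/self/fd and close only what is actually open. The C program below is an added example, not libvirt's virCommand code; it implements both, prefers the procfs listing, and falls back to the limit walk when /proc/self/fd cannot be opened, which is exactly the EACCES situation the error output above shows when the profile lacks the rule. The function names (close_fds_except, fd_is_open, demo_keep_read_end) are constructed for this example, and the fallback is a choice made here, not a claim about what libvirt does.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* True if fd is in the caller's keep list (constructed API). */
static bool fd_is_kept(int fd, const int *keep, size_t nkeep)
{
    for (size_t i = 0; i < nkeep; i++)
        if (keep[i] == fd)
            return true;
    return false;
}

/* Old strategy: try to close every descriptor number up to the limit.
 * Returns how many close() calls succeeded. */
static int close_fds_by_limit(const int *keep, size_t nkeep)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0)
        max = 1024; /* conservative default when the limit is unknown */
    int closed = 0;
    for (int fd = 0; fd < max; fd++) {
        if (fd_is_kept(fd, keep, nkeep))
            continue;
        if (close(fd) == 0)
            closed++;
    }
    return closed;
}

/* New strategy: list /proc/self/fd, then close what is not kept.
 * Returns the number closed, or -1 if the directory could not be read
 * (for example EACCES under a profile without "@{PROC}/self/fd r"). */
static int close_fds_by_procfs(const int *keep, size_t nkeep)
{
    DIR *dir = opendir("/proc/self/fd");
    if (!dir)
        return -1;
    int self = dirfd(dir);          /* the listing's own descriptor */
    int *found = NULL;
    size_t nfound = 0, cap = 0;
    struct dirent *ent;
    /* First pass: collect numbers only, so closing never disturbs the
     * iteration and the DIR's descriptor is never closed twice. */
    while ((ent = readdir(dir)) != NULL) {
        if (ent->d_name[0] < '0' || ent->d_name[0] > '9')
            continue;               /* skips "." and ".." */
        int fd = atoi(ent->d_name);
        if (fd == self || fd_is_kept(fd, keep, nkeep))
            continue;
        if (nfound == cap) {
            cap = cap ? cap * 2 : 16;
            int *tmp = realloc(found, cap * sizeof(*found));
            if (!tmp) { free(found); closedir(dir); return -1; }
            found = tmp;
        }
        found[nfound++] = fd;
    }
    closedir(dir);                  /* releases the directory fd too */
    int closed = 0;
    for (size_t i = 0; i < nfound; i++)
        if (close(found[i]) == 0)
            closed++;
    free(found);
    return closed;
}

/* Close every open descriptor except those in keep[]; procfs first,
 * limit walk only if /proc/self/fd is unreadable. */
int close_fds_except(const int *keep, size_t nkeep)
{
    int n = close_fds_by_procfs(keep, nkeep);
    if (n >= 0)
        return n;
    return close_fds_by_limit(keep, nkeep);
}

/* True if fd currently refers to an open file. */
bool fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Demo: open a pipe, keep stdio plus the read end, close the rest.
 * Returns 1 when the write end was closed and the read end survived. */
int demo_keep_read_end(void)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;
    int keep[] = { STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO, p[0] };
    int closed = close_fds_except(keep, sizeof(keep) / sizeof(keep[0]));
    int ok = closed >= 1 && fd_is_open(p[0]) && !fd_is_open(p[1]);
    close(p[0]);
    return ok ? 1 : 0;
}

int main(void)
{
    int r = demo_keep_read_end();
    printf("close-on-spawn demo: %s\n", r == 1 ? "ok" : "failed");
    return r == 1 ? 0 : 1;
}
```

Both paths give the same result; the difference is cost (the procfs listing touches only descriptors that exist) and the extra permission it needs, which is what this patch grants. Collecting the numbers before closing anything keeps the directory iteration stable and avoids closing the DIR's own descriptor from under readdir().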