From: Christian Ehrhardt
To: libvir-list@redhat.com
Cc: Christian Ehrhardt, Cole Robinson
Date: Tue, 22 Oct 2019 14:18:57 +0200
Message-Id: <20191022121858.16871-2-christian.ehrhardt@canonical.com>
In-Reply-To: <20191022121858.16871-1-christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH 1/2] virt-aa-helper: add rules for shmem devices

Shared memory devices need qemu to be able to access certain paths either for the shared memory directly (mostly ivshmem-plain) or for a socket (mostly ivshmem-doorbell). Add logic to virt-aa-helper to render those apparmor rules based on the domain configuration.

https://bugzilla.redhat.com/show_bug.cgi?id=1761645

Signed-off-by: Christian Ehrhardt
Reviewed-by: Cole Robinson
--- src/security/virt-aa-helper.c | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 7d7262ca39..8c261f0010 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -958,6 +958,7 @@ get_files(vahControl * ctl) int rc =3D -1; size_t i; char *uuid; + char *mem_path =3D NULL; char uuidstr[VIR_UUID_STRING_BUFLEN]; bool needsVfio =3D false, needsvhost =3D false, needsgl =3D false; =20 @@ -1224,6 +1225,39 @@ get_files(vahControl * ctl) } } =20 + for (i =3D 0; i < ctl->def->nshmems; i++) { + if (ctl->def->shmems[i]) { + virDomainShmemDef *shmem =3D ctl->def->shmems[i]; + /* server path can be on any type and overwrites defaults */ + if (shmem->server.enabled && + shmem->server.chr.data.nix.path) { + if (vah_add_file(&buf, shmem->server.chr.data.nix.path, + "rw") !=3D 0) + goto cleanup; + } else { + switch (shmem->model) { + case VIR_DOMAIN_SHMEM_MODEL_IVSHMEM_PLAIN: + /* until exposed, recreate qemuBuildShmemBackendMemPro= ps */ + if (virAsprintf(&mem_path, "/dev/shm/%s", shmem->name)= < 0) + goto cleanup; + break; + case VIR_DOMAIN_SHMEM_MODEL_IVSHMEM_DOORBELL: + case VIR_DOMAIN_SHMEM_MODEL_IVSHMEM: + /* until exposed, recreate qemuDomainPrepareShmemChar= dev */ + if (virAsprintf(&mem_path, "/var/lib/libvirt/shmem-%s-= sock", + shmem->name) < 0) + goto cleanup; + break; + } + if (mem_path !=3D NULL) { + if (vah_add_file(&buf, mem_path, "rw") !=3D 0) + goto cleanup; + } + } + } + } + + if (ctl->def->tpm) { char *shortName =3D NULL; const char *tpmpath =3D NULL; 
@@ -1324,6 +1358,7 @@ get_files(vahControl * ctl) ctl->files =3D virBufferContentAndReset(&buf); =20 cleanup: + VIR_FREE(mem_path); VIR_FREE(uuid); return rc; } --=20 2.23.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
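
Review bot: In the new shmem loop of get_files(), mem_path is declared once at function scope and is only released by the VIR_FREE(mem_path) under cleanup:, so a domain with two or more shmem devices that take the else branch overwrites the pointer on each virAsprintf() call and leaks the earlier allocations. The pointer is also never reset between iterations and the switch has no default case, so a device whose model matches none of the three cases would pass the "mem_path != NULL" check with the previous device's path and add that rule a second time. Suggest a VIR_FREE(mem_path) at the end of each loop iteration, or scoping the variable inside the loop. Separately, shmem->name is formatted straight into "/dev/shm/%s" and "/var/lib/libvirt/shmem-%s-sock", and the result becomes an rw AppArmor rule, so it is worth confirming that a name containing '/' or AppArmor glob characters is rejected before it reaches this point.
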
From: Christian Ehrhardt
To: libvir-list@redhat.com
Cc: Christian Ehrhardt, Cole Robinson
Date: Tue, 22 Oct 2019 14:18:58 +0200
Message-Id: <20191022121858.16871-3-christian.ehrhardt@canonical.com>
In-Reply-To: <20191022121858.16871-1-christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH 2/2] virt-aa-helper: testcase for shmem devices

Adding build time self tests for basic (deprecated), doorbell and plain mode.

Signed-off-by: Christian Ehrhardt
--- tests/virt-aa-helper-test | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test index 6e674bfe5c..6a6703ecf5 100755
--- a/tests/virt-aa-helper-test +++ b/tests/virt-aa-helper-test @@ -384,6 +384,21 @@ testme "0" "dri egl" "-r -u $valid_uuid" "$test_xml" "= /dev/dri/testegl1.*rw,$" sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,,= ,g" "$template_xml" > "$test_xml" testme "0" "dri spice" "-r -u $valid_uuid" "$test_xml" "/dev/dri/testegl2.= *rw,$" =20 +sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,,= 4,g" "$template_xml" > "$test_xml" +testme "0" "shmem" "-r -u $valid_uuid" "$test_xml" "\"/var/lib/libvirt/shm= em-my_shmem0-sock\"\s*rw,$" + +sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,,= 4,g" "$= template_xml" > "$test_xml" +testme "0" "shmem serverpath" "-r -u $valid_uuid" "$test_xml" "\"/var/lib/= libvirt/ivshmem_socket\"\s*rw,$" + +sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,,= 4= ,g" "$template_xml" > "$test_xml" +testme "0" "shmem plain" "-r -u $valid_uuid" "$test_xml" "\"/dev/shm/my_sh= mem0\"\s*rw,$" + +sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,,= ,g" "$template_xml" > "$test_xml" +testme "0" "shmem doorbell" "-r -u $valid_uuid" "$test_xml" "\"/var/lib/li= bvirt/shmem-shmem_server-sock\"\s*rw,$" + +sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,,= ,g" "$template_xml"= > "$test_xml" +testme "0" "shmem doorbell serverpath" "-r -u $valid_uuid" "$test_xml" "\"= /var/lib/libvirt/ivshmem_socket\"\s*rw,$" + testme "0" "help" "-h" =20 echo "" >$output --=20 2.23.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
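
Review bot: The two serverpath cases ("shmem serverpath" and "shmem doorbell serverpath") only assert that /var/lib/libvirt/ivshmem_socket is rendered with rw; nothing checks that the default shmem-<name>-sock rule is absent when a server path is configured, so a regression that emits both rules would still pass and leave the profile wider than intended. Consider adding a check that the default path does not appear in those two cases. Each of the five cases also matches exactly one expected path, so the mem_path handling across loop iterations added in patch 1/2 is not exercised; a case that expects two shmem paths from one domain would cover it.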