From: Christian Ehrhardt
To: libvir-list@redhat.com
Cc: Guido Günther, Christian Ehrhardt
Subject: [PATCH] apparmor: avoid denials on libpmem initialization
Date: Wed, 8 Apr 2020 16:58:29 +0200
Message-Id: <20200408145829.115935-1-christian.ehrhardt@canonical.com>

With libpmem support compiled into qemu it will trigger the following
denials on every startup.

apparmor="DENIED" operation="open" name="/"
apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/"

This is due to [1] that tries to auto-detect if the platform supports
auto flush for all regions.

Once we know all the paths that are potentially needed if this feature
is really used we can add them conditionally in virt-aa-helper and
labelling calls in case it is enabled.
But until then the change here silences the denial warnings seen above.

[1]: https://github.com/pmem/pmdk/blob/master/src/libpmem2/auto_flush_linux.c#L131

Bug: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1871354

Signed-off-by: Christian Ehrhardt
---
 src/security/apparmor/libvirt-qemu | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 80986aec61..602f5eb587 100644
--- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -227,3 +227,8 @@ # required for sasl GSSAPI plugin /etc/gss/mech.d/ r, /etc/gss/mech.d/* r, + + # scanned on libpmem init, but harmless on any lsb compliant system + / r, + /sys/bus/nd/devices/ r, + /sys/bus/nd/devices/* r, --=20 2.26.0
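Review bot: `/sys/bus/nd/devices/* r,` matches only the direct entries of that directory (a single `*` never crosses a `/`), and on sysfs those entries are symlinks into `/sys/devices/`, so any read below one of them resolves to a path none of the three new rules cover and would still be denied. That is consistent with the commit message deferring "all the paths that are potentially needed if this feature is really used", but the comment in the hunk only says "scanned on libpmem init, but harmless on any lsb compliant system"; make it state the limit explicitly, e.g. `# directory scan on libpmem init only; paths needed when pmem is actually used are not covered yet`, so a later reader does not take the `*` rule for full coverage. Minor style: `lsb compliant` should be `LSB-compliant`.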
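As an added example that is not part of this patch, of libvirt, or of libpmem: the script below turns AppArmor `DENIED` audit lines like the two quoted in the commit message into candidate profile rules, and then checks which paths a rule set actually grants, using the path-glob semantics of apparmor.d(5) (`*` stays within one path component, `**` crosses components, and a `*` or `**` directly after a `/` must consume at least one character, which is why `/dir/**` does not match `/dir/` itself and the `/dir/{,**}` idiom exists). The sample audit lines are constructed for this example and the profile name `libvirt-example` in them is hypothetical; the three rules checked are the ones the hunk adds.

```python
"""Added example (not part of the libvirt patch or of libpmem): derive AppArmor
file rules from DENIED audit lines and check path coverage of a rule set."""
import re

# Constructed sample: the two denials from the commit message written in the
# kernel audit format. profile="libvirt-example" is a hypothetical label.
SAMPLE_DENIALS = [
    'type=AVC msg=audit(1586357938.000:1): apparmor="DENIED" operation="open" '
    'profile="libvirt-example" name="/" pid=4242 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'type=AVC msg=audit(1586357938.001:2): apparmor="DENIED" operation="open" '
    'profile="libvirt-example" name="/sys/bus/nd/devices/" pid=4242 '
    'comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
]

# The three file rules the patch hunk adds to src/security/apparmor/libvirt-qemu.
HUNK_RULES = ['/ r,', '/sys/bus/nd/devices/ r,', '/sys/bus/nd/devices/* r,']

_FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_denial(line):
    """Return the key="value" fields of an AppArmor audit line, or None if the
    line is not an AppArmor DENIED event."""
    fields = dict(_FIELD.findall(line))
    if fields.get('apparmor') != 'DENIED':
        return None
    return fields


def rules_from_denials(lines):
    """One 'path perms,' rule per file denial, deduplicated in order of first
    appearance. Denials without a name (network, signal, dbus) are skipped."""
    rules = []
    for line in lines:
        d = parse_denial(line)
        if not d or 'name' not in d:
            continue
        perms = d.get('requested_mask') or d.get('denied_mask', '')
        rule = f'{d["name"]} {perms},'
        if rule not in rules:
            rules.append(rule)
    return rules


def aa_glob_to_regex(pattern):
    """Compile an AppArmor path glob to an anchored regex.
    '*' matches within one component, '**' across components, '?' one char,
    '{a,b}' is alternation. A '*' or '**' right after a '/' (or at the start)
    must consume at least one character, so '/dir/*' and '/dir/**' do not
    match '/dir/' itself."""
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        after_slash = i == 0 or pattern[i - 1] == '/'
        if c == '*' and pattern[i + 1:i + 2] == '*':
            out.append('[^/].*' if after_slash else '.*')
            i += 2
            continue
        if c == '*':
            out.append('[^/]+' if after_slash else '[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '{':
            out.append('(?:')
            depth += 1
        elif c == '}' and depth:
            out.append(')')
            depth -= 1
        elif c == ',' and depth:
            out.append('|')
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile('^' + ''.join(out) + '$')


def covered(path, rules, perm='r'):
    """True if at least one rule grants `perm` on `path`."""
    for rule in rules:
        glob, perms = rule.rstrip(',').rsplit(' ', 1)
        if perm in perms and aa_glob_to_regex(glob).match(path):
            return True
    return False


if __name__ == '__main__':
    print('rules from the sample denials:', rules_from_denials(SAMPLE_DENIALS))
    for p in ('/', '/sys/bus/nd/devices/', '/sys/bus/nd/devices/region0',
              '/sys/bus/nd/devices/region0/persistence_domain'):
        print(f'{p!r:55} covered by hunk rules: {covered(p, HUNK_RULES)}')
```

Running it shows that the two quoted denials map exactly onto the first two rules of the hunk, that the `*` rule additionally covers direct children of the directory, and that anything one level deeper is still denied; swapping in `/sys/bus/nd/devices/** r,` covers the deeper path but drops the directory itself, which is the `{,**}` case.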