[PATCH v2] apparmor: avoid denials on libpmem initialization

Christian Ehrhardt posted 1 patch 4 years ago
Test syntax-check failed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20200409045227.267925-1-christian.ehrhardt@canonical.com
src/security/apparmor/libvirt-qemu | 5 +++++
1 file changed, 5 insertions(+)
[PATCH v2] apparmor: avoid denials on libpmem initialization
Posted by Christian Ehrhardt 4 years ago
With libpmem support compiled into qemu it will trigger the following
denials on every startup.
  apparmor="DENIED" operation="open" name="/"
  apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/"

This is due to [1], which tries to auto-detect if the platform supports
auto flush for all regions.

Once we know all the paths that are potentially needed if this feature
is really used we can add them conditionally in virt-aa-helper and labelling
calls in case </pmem> is enabled.

But until then the change here silences the denial warnings seen above.

[1]: https://github.com/pmem/pmdk/blob/master/src/libpmem2/auto_flush_linux.c#L131

Bug: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1871354

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 src/security/apparmor/libvirt-qemu | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 80986aec61..1a4b226612 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -227,3 +227,8 @@
   # required for sasl GSSAPI plugin
   /etc/gss/mech.d/ r,
   /etc/gss/mech.d/* r,
+
+  # required by libpmem init to fts_open()/fts_read() the symlinks in
+  # /sys/bus/nd/devices
+  / r, # harmless on any lsb compliant system
+  /sys/bus/nd/devices/{,**/} r,
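Review bot: the comment above the new rules says the access is needed to fts_open()/fts_read() the symlinks in /sys/bus/nd/devices, but `/sys/bus/nd/devices/{,**/} r,` only matches directory paths under that tree (both alternatives end in a slash), and AppArmor mediates an open on the resolved path, so anything the walk opens through one of those symlinks is checked against its target under /sys/devices/... and is not covered by this hunk; it would be clearer to say in the comment, as the commit message already does, that only the two listed denials are silenced and that the target paths are deferred. Minor: `/ r,` grants read of the root directory listing only (not recursive), which is worth stating next to "harmless on any lsb compliant system" so a later reader does not assume more is granted; LSB as an acronym is normally capitalised.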
-- 
2.26.0
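The two denials quoted in the commit message, checked against the rules the patch adds, as an added example that is not part of the patch or of libvirt. The glob translation covers only the subset of AppArmor path syntax this profile uses, the symlink-target path in the sample is an assumption, and an "open" denial is treated as a read request because the quoted lines carry no requested_mask field.

```python
import re
# Constructed audit sample: the two denials quoted in the commit message plus
# a hypothetical symlink-target path (an assumption, not taken from the page).
SAMPLE_AUDIT = """\
apparmor="DENIED" operation="open" name="/"
apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/"
apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/ndbus0/"
apparmor="DENIED" operation="open" name="/sys/devices/platform/e820_pmem/ndbus0/"
"""
# The two rules the patch adds; a trailing '# comment' is valid profile syntax.
NEW_RULES = """\
/ r, # harmless on any lsb compliant system
/sys/bus/nd/devices/{,**/} r,
"""

def glob_to_regex(pattern):
    """AppArmor glob -> regex: '*' stays within one path component, '**'
    also crosses '/', and '{a,b}' is an alternation (may nest)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "{":
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(glob_to_regex(a) for a in alts) + ")")
            i = j + 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return "".join(out)

def parse_rules(text):
    """Yield (compiled path regex, permission set) for each 'path perms,' line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comment
        if line.endswith(","):
            path, perms = line[:-1].rsplit(None, 1)
            yield re.compile(glob_to_regex(path)), set(perms)

def uncovered_denials(audit_text, rules_text):
    """Denied 'open' paths the rules still do not permit (read access assumed,
    since the sample lines carry no requested_mask field)."""
    rules = list(parse_rules(rules_text))
    events = [dict(re.findall(r'(\w+)="([^"]*)"', l)) for l in audit_text.splitlines()]
    return [ev["name"] for ev in events
            if ev.get("apparmor") == "DENIED" and ev.get("operation") == "open"
            and not any(rx.fullmatch(ev["name"]) and "r" in p for rx, p in rules)]
```

Running `uncovered_denials(SAMPLE_AUDIT, NEW_RULES)` reports only the constructed /sys/devices/... target, which is the deferred case the commit message refers to.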


Re: [PATCH v2] apparmor: avoid denials on libpmem initialization
Posted by Jamie Strandboge 4 years ago
On Thu, 09 Apr 2020, Christian Ehrhardt wrote:

> With libpmem support compiled into qemu it will trigger the following
> denials on every startup.
>   apparmor="DENIED" operation="open" name="/"
>   apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/"
> 
> This is due to [1], which tries to auto-detect if the platform supports
> auto flush for all regions.
> 
> Once we know all the paths that are potentially needed if this feature
> is really used we can add them conditionally in virt-aa-helper and labelling
> calls in case </pmem> is enabled.
> 
> But until then the change here silences the denial warnings seen above.
> 
> [1]: https://github.com/pmem/pmdk/blob/master/src/libpmem2/auto_flush_linux.c#L131
> 
> Bug: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1871354
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
>  src/security/apparmor/libvirt-qemu | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> index 80986aec61..1a4b226612 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -227,3 +227,8 @@
>    # required for sasl GSSAPI plugin
>    /etc/gss/mech.d/ r,
>    /etc/gss/mech.d/* r,
> +
> +  # required by libpmem init to fts_open()/fts_read() the symlinks in
> +  # /sys/bus/nd/devices
> +  / r, # harmless on any lsb compliant system
> +  /sys/bus/nd/devices/{,**/} r,

LGTM. Thanks!

-- 
Jamie Strandboge             | http://www.canonical.com


Re: [PATCH v2] apparmor: avoid denials on libpmem initialization
Posted by Christian Ehrhardt 4 years ago
On Thu, Apr 9, 2020 at 6:57 PM Jamie Strandboge <jamie@canonical.com> wrote:
>
> On Thu, 09 Apr 2020, Christian Ehrhardt wrote:
>
> > With libpmem support compiled into qemu it will trigger the following
> > denials on every startup.
> >   apparmor="DENIED" operation="open" name="/"
> >   apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/"
> >
> > This is due to [1], which tries to auto-detect if the platform supports
> > auto flush for all regions.
> >
> > Once we know all the paths that are potentially needed if this feature
> > is really used we can add them conditionally in virt-aa-helper and labelling
> > calls in case </pmem> is enabled.
> >
> > But until then the change here silences the denial warnings seen above.
> >
> > [1]: https://github.com/pmem/pmdk/blob/master/src/libpmem2/auto_flush_linux.c#L131
> >
> > Bug: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1871354
> >
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> > ---
> >  src/security/apparmor/libvirt-qemu | 5 +++++
> >  1 file changed, 5 insertions(+)
> >
> > diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> > index 80986aec61..1a4b226612 100644
> > --- a/src/security/apparmor/libvirt-qemu
> > +++ b/src/security/apparmor/libvirt-qemu
> > @@ -227,3 +227,8 @@
> >    # required for sasl GSSAPI plugin
> >    /etc/gss/mech.d/ r,
> >    /etc/gss/mech.d/* r,
> > +
> > +  # required by libpmem init to fts_open()/fts_read() the symlinks in
> > +  # /sys/bus/nd/devices
> > +  / r, # harmless on any lsb compliant system
> > +  /sys/bus/nd/devices/{,**/} r,
>
> LGTM. Thanks!

Thanks, it also works fine in all my tests and there was no other
negative feedback.
Added your acked-by and pushing to the repo now ...

> --
> Jamie Strandboge             | http://www.canonical.com



-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd