From: Christian Ehrhardt
To: libvir-list@redhat.com
Subject: [PATCH v2] apparmor: avoid denials on libpmem initialization
Date: Thu, 9 Apr 2020 06:52:27 +0200
Message-Id: <20200409045227.267925-1-christian.ehrhardt@canonical.com>
Cc: Guido Günther, Christian Ehrhardt

With libpmem support compiled into qemu it will trigger the following
denials on every startup.

apparmor="DENIED" operation="open" name="/"
apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/"

This is due to [1] that tries to auto-detect if the platform supports
auto flush for all regions.

Once we know all the paths that are potentially needed if this feature
is really used we can add them conditionally in virt-aa-helper and
labelling calls in case it is enabled. But until then the change here
silences the denial warnings seen above.

[1]: https://github.com/pmem/pmdk/blob/master/src/libpmem2/auto_flush_linux.c#L131

Bug: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1871354
Signed-off-by: Christian Ehrhardt
---
 src/security/apparmor/libvirt-qemu | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 80986aec61..1a4b226612 100644
--- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -227,3 +227,8 @@ # required for sasl GSSAPI plugin /etc/gss/mech.d/ r, /etc/gss/mech.d/* r, + + # required by libpmem init to fts_open()/fts_read() the symlinks in + # /sys/bus/nd/devices + / r, # harmless on any lsb compliant system + /sys/bus/nd/devices/{,**/} r, --=20 2.26.0
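Review bot: the two added rules in the hunk are directory-read rules only (both paths end in `/`), so they let the libpmem probe list `/` and every directory level under `/sys/bus/nd/devices/` but grant no read on any file; worth stating that in the comment, since "harmless on any lsb compliant system" does not say what `/ r,` actually permits (a listing of the top-level directory names). Two things to confirm before merging: the commit message says libpmem uses fts_open()/fts_read() on the symlinks in `/sys/bus/nd/devices`, so if that walk follows the links, the paths AppArmor mediates would be the link targets rather than `/sys/bus/nd/devices/**/`, and the `{,**/}` glob may not silence every denial; and the `**/` form matches arbitrary depth, so if the probe only needs the top level, `/sys/bus/nd/devices/{,*/} r,` would be the tighter rule. The commit message itself notes that the complete path set is not yet known and that the rules should eventually move to virt-aa-helper and become conditional on the feature being enabled; a short comment in the profile pointing at that intent (and the Launchpad bug) would keep the exception from being forgotten in the unconditional base profile.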