From: Christian Ehrhardt
To: libvir-list@redhat.com
Cc: Guido Günther, Jamie Strandboge, Sam Hartman, Andrea Bolognani, Christian Ehrhardt
Subject: [PATCH 1/8] apparmor: allow default pki path
Date: Mon, 3 Aug 2020 14:33:39 +0200
Message-Id: <20200803123346.3987430-2-christian.ehrhardt@canonical.com>
In-Reply-To: <20200803123346.3987430-1-christian.ehrhardt@canonical.com>

From: Sam Hartman

/etc/pki/qemu is a pki path recommended by qemu tls docs [1] and one that can cause issues with spice connections when missing.

Add the path to the allowed list of pki paths to fix the issue.

Note: this is active in Debian/Ubuntu [1] for quite a while already.

[1]: https://www.qemu.org/docs/master/system/tls.html
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930100
Signed-off-by: Christian Ehrhardt
---
 src/security/apparmor/libvirt-qemu | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 1a4b226612..2d08d6f7ad 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -94,6 +94,8 @@ /etc/pki/CA/* r, /etc/pki/libvirt{,-spice,-vnc}/ r, /etc/pki/libvirt{,-spice,-vnc}/** r, + /etc/pki/qemu/ r, + /etc/pki/qemu/** r, =20 # the various binaries /usr/bin/kvm rmix, --=20 2.27.0
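Review bot: the two added rules give qemu read access to /etc/pki/qemu/ and to everything below it, which is exactly the breadth of the existing /etc/pki/libvirt{,-spice,-vnc}/ and /** pair directly above, so the hunk is consistent with how the profile already handles pki directories. One nit in the commit message: the sentence about the rule being active in Debian/Ubuntu cites [1], which is the qemu tls docs link; the Debian bug report is [2].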
From: Christian Ehrhardt
To: libvir-list@redhat.com
Cc: Guido Günther, Jamie Strandboge, Andrea Bolognani, Stefan Bader, Christian Ehrhardt
Subject: [PATCH 2/8] apparmor: allow libvirtd to call pygrub
Date: Mon, 3 Aug 2020 14:33:40 +0200
Message-Id: <20200803123346.3987430-3-christian.ehrhardt@canonical.com>
In-Reply-To: <20200803123346.3987430-1-christian.ehrhardt@canonical.com>
From: Stefan Bader

When using xen through libxl in Debian/Ubuntu it needs to be able to call pygrub. This is placed in a versioned path like /usr/lib/xen-4.11/bin.

In theory the rule could be more strict by rendering the libexec_dir setting pkg-config can derive from libxen-dev. But that would make particular libvirt/xen packages version-depend on each other.

It seems more reasonable to avoid these versioned dependencies and use a wildcard rule instead, as is already in place for libxl-save-helper.

Note: This change was in Debian [1] and Ubuntu [2] for quite some time already.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931768
[2]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1326003

Signed-off-by: Christian Ehrhardt
---
 src/security/apparmor/usr.sbin.libvirtd.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index 1e137039e9..312fa4b6d1 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -86,6 +86,7 @@ profile libvirtd @sbindir@/libvirtd flags=3D(attach_disco= nnected) { /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, /usr/{lib,lib64}/xen/bin/* Ux, /usr/lib/xen-*/bin/libxl-save-helper PUx, + /usr/lib/xen-*/bin/pygrub PUx, /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, =20 # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to --=20 2.27.0
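Review bot: the new pygrub rule matches /usr/lib/xen-*/ only, while the xen-common and xen/bin rules two lines up spell /usr/{lib,lib64}/; that mirrors the libxl-save-helper rule the commit message points to, but it is worth confirming that the versioned xen-* directory never lives under lib64 on the targeted distributions, or widening the rule to /usr/{lib,lib64}/xen-*/bin/pygrub. PUx also means pygrub runs unconfined (with a scrubbed environment) whenever no profile of its own is loaded, the same trade-off already accepted for libxl-save-helper; a sentence in the commit message stating that no pygrub profile exists would make that explicit for later audits.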
From: Christian Ehrhardt
To: libvir-list@redhat.com
Cc: Guido Günther, Jamie Strandboge, Andrea Bolognani, Christian Ehrhardt
Subject: [PATCH 3/8] apparmor: allow virt-aa-helper nameservices
Date: Mon, 3 Aug 2020 14:33:41 +0200
Message-Id: <20200803123346.3987430-4-christian.ehrhardt@canonical.com>
In-Reply-To: <20200803123346.3987430-1-christian.ehrhardt@canonical.com>

For quite a while libvirt-aa-helper has been triggering nss-related apparmor denials like:

  operation="open" profile="virt-aa-helper" name="/etc/nsswitch.conf"
  operation="open" profile="virt-aa-helper" name="/etc/host.conf"
  operation="open" profile="virt-aa-helper" name="/etc/resolv.conf"
  operation="open" profile="virt-aa-helper" name="/etc/hosts"

Rules to allow these have been in Debian [1] / Ubuntu [2] for quite a while but do not seem to be specific to those distributions.
There can be many more reasons than one would think to inadvertently use/trigger nameservices, as can be seen in the comments in profiles/apparmor.d/abstractions/nameservice at [3]. The nameservices abstraction provides a nice and upgrade-safe way to cover all of them.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882979
[2]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674
[3]: https://gitlab.com/apparmor/apparmor

Signed-off-by: Christian Ehrhardt
---
 src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index dd18c8ab89..dfc61e8de4 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -2,6 +2,7 @@ =20 profile virt-aa-helper @libexecdir@/virt-aa-helper { #include + #include =20 # needed for searching directories capability dac_override, --=20 2.27.0
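Review bot: as rendered here the added line reads only "+ #include" with no abstraction name, and the existing include above it is missing its target too; the commit message names profiles/apparmor.d/abstractions/nameservice, so the intended line is presumably "#include <abstractions/nameservice>" and the angle-bracketed targets were lost in extraction, which anyone applying the patch from this copy needs to know. Beyond that, the abstraction grants noticeably more than the four files in the quoted denials (nsswitch.conf, host.conf, resolv.conf, hosts); the commit message argues that breadth is the point, but listing the extra access virt-aa-helper picks up would help whoever audits the profile later.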
From: Christian Ehrhardt
To: libvir-list@redhat.com
Cc: Stefan Bader, Guido Günther, Jamie Strandboge, Andrea Bolognani, Christian Ehrhardt
Subject: [PATCH 4/8] apparmor: read only access to overcommit_memory
Date: Mon, 3 Aug 2020 14:33:42 +0200
Message-Id: <20200803123346.3987430-5-christian.ehrhardt@canonical.com>
In-Reply-To: <20200803123346.3987430-1-christian.ehrhardt@canonical.com>

From: Jamie Strandboge

Allow qemu to read @{PROC}/sys/vm/overcommit_memory. This is read on guest start-up and (as read-only) not a critical secret that has to stay hidden.

Signed-off-by: Christian Ehrhardt
Signed-off-by: Stefan Bader
Signed-off-by: Jamie Strandboge
---
 src/security/apparmor/libvirt-qemu | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 2d08d6f7ad..b132cf0226 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -32,6 +32,7 @@ # only modify its comm value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, @{PROC}/sys/kernel/cap_last_cap r, + @{PROC}/sys/vm/overcommit_memory r, =20 # For hostdev access. The actual devices will be added dynamically /sys/bus/usb/devices/ r, --=20 2.27.0
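Review bot: the rule is read-only and sits next to the existing @{PROC}/sys/kernel/cap_last_cap r line, so both the permission and the placement match the subject line. The commit message says the file is read on guest start-up but not by what; naming the qemu code path or quoting the denial it produced would justify the rule on a later audit, the way the virt-aa-helper patch in this series does with its quoted denials.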
From: Christian Ehrhardt
To: libvir-list@redhat.com
Cc: Guido Günther, Jamie Strandboge, Andrea Bolognani, Stefan Bader, Christian Ehrhardt
Subject: [PATCH 5/8] apparmor: qemu access to @{PROC}/*/auxv for hw_cap
Date: Mon, 3 Aug 2020 14:33:43 +0200
Message-Id: <20200803123346.3987430-6-christian.ehrhardt@canonical.com>
In-Reply-To: <20200803123346.3987430-1-christian.ehrhardt@canonical.com>

From: Stefan Bader

On some architectures (ppc, s390x, sparc, arm) qemu will read auxv to detect hardware capabilities via qemu_getauxval. Allow that access read-only for the entry owned by the current qemu process.
Signed-off-by: Christian Ehrhardt
Signed-off-by: Stefan Bader
---
 src/security/apparmor/libvirt-qemu | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index b132cf0226..25eff20b82 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -33,6 +33,7 @@ owner @{PROC}/@{pid}/task/@{tid}/comm rw, @{PROC}/sys/kernel/cap_last_cap r, @{PROC}/sys/vm/overcommit_memory r, + owner @{PROC}/*/auxv r, =20 # For hostdev access. The actual devices will be added dynamically /sys/bus/usb/devices/ r, --=20 2.27.0 From nobody Fri May 3 02:14:42 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 207.211.31.81 as permitted sender) client-ip=207.211.31.81; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-1.mimecast.com; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of redhat.com designates 207.211.31.81 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail(p=none dis=none) header.from=canonical.com ARC-Seal: i=1; a=rsa-sha256; t=1596459310; cv=none; d=zohomail.com; s=zohoarc; b=KGoaKxludID+xc1NT7EDrNGZaxo3tIHVvS0wkl+sJm2IDYjoAd78BnpEwGv2m9l384+0WOqb0AkWfzMFFeXLlMQKZoAPDfim1pTw8F86UNCXFNFSLpMVSwEWdTnmpYhuoIafVhiX9H7sbbM0tG3vH/05Etc2UxCfdq7X4tuyfMI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1596459310; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=zgXennm7boGMCph/8jwqrdy0q3m9uVDfuZk4Y7U5UFk=; b=izIP7CQsl4YuP37l6U1E2tnct03wtVcSs4iGJ2UffqFle+2EaRh/QDBn0VlCsS8M+h41Jh9+rtedkSj5eLjiCbt7LzHoFS7KeqCTrtKpIA2OlqQNYCv6+zeF1g/iRr6B4R6HwdhwFHi46OzckpZXJAtweFUjsepCYuwBMoPxDDM= ARC-Authentication-Results: i=1; mx.zohomail.com; spf=pass (zohomail.com: domain of redhat.com designates 207.211.31.81 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from us-smtp-delivery-1.mimecast.com (us-smtp-2.mimecast.com [207.211.31.81]) by mx.zohomail.com with SMTPS id 1596459310167551.71390908243; Mon, 3 Aug 2020 05:55:10 -0700 (PDT) 
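Review bot: the new rule `owner @{PROC}/*/auxv r,` is broader than the commit message's "the entry owned by the current qemu process". The `owner` qualifier only requires the file's uid to equal the task's fsuid, so with `*` in the pid position every process running under the same uid (on a typical libvirt install that includes the other guests' qemu processes) has its auxv readable from this guest. The adjacent context line already uses the kernel pid variable, `owner @{PROC}/@{pid}/task/@{tid}/comm rw,`, so `owner @{PROC}/@{pid}/auxv r,` would express exactly the stated intent without adding any new AppArmor version requirement; /proc/self/auxv, which qemu_getauxval opens, resolves to the @{pid} entry as AppArmor sees it. If `*` is deliberate, say why in a comment on the rule, as the rest of this block does for the other @{PROC} entries.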
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-379-Zu_gvLIaOtq5C-huKPBvhQ-1; Mon, 03 Aug 2020 08:55:06 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id E1FDD801E6A; Mon, 3 Aug 2020 12:55:00 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id C2ACA71769; Mon, 3 Aug 2020 12:55:00 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id BEC809A10B; Mon, 3 Aug 2020 12:54:59 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 073CpjK9006867 for ; Mon, 3 Aug 2020 08:51:45 -0400 Received: by smtp.corp.redhat.com (Postfix) id 21EBB49C1A; Mon, 3 Aug 2020 12:51:45 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast04.extmail.prod.ext.rdu2.redhat.com [10.11.55.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 1CAB28A4CF for ; Mon, 3 Aug 2020 12:51:43 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [207.211.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 190EA1049845 for ; Mon, 3 Aug 2020 12:51:43 +0000 (UTC) Received: from youngberry.canonical.com (youngberry.canonical.com [91.189.89.112]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-419-5_vE_3OFOXiy3YnigafOpA-1; Mon, 03 Aug 2020 08:51:41 -0400 Received: from 2.general.paelzer.uk.vpn ([10.172.196.173] helo=Keschdeichel.fritz.box) by 
youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1k2Zf7-0004mo-BO; Mon, 03 Aug 2020 12:33:53 +0000 X-MC-Unique: Zu_gvLIaOtq5C-huKPBvhQ-1 X-MC-Unique: 5_vE_3OFOXiy3YnigafOpA-1 From: Christian Ehrhardt To: libvir-list@redhat.com Subject: [PATCH 6/8] apparmor: allow virt-aa-helper to read from tmp Date: Mon, 3 Aug 2020 14:33:44 +0200 Message-Id: <20200803123346.3987430-7-christian.ehrhardt@canonical.com> In-Reply-To: <20200803123346.3987430-1-christian.ehrhardt@canonical.com> References: <20200803123346.3987430-1-christian.ehrhardt@canonical.com> MIME-Version: 1.0 X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false; X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-loop: libvir-list@redhat.com Cc: =?UTF-8?q?Guido=20G=C3=BCnther?= , Jamie Strandboge , Andrea Bolognani , Stefan Bader , Christian Ehrhardt X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" 
From: Stefan Bader

Temporary directories are a common place where images are placed by users for any sort of quick evaluation. Allow virt-aa-helper access to tmp via the existing user-tmp apparmor abstraction. That way, if a guest definition has paths in temporary directories, virt-aa-helper can properly probe them, e.g. for further backing files in the case of qcow2.

Signed-off-by: Christian Ehrhardt
---
 src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index dfc61e8de4..3f204799a6 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -3,6 +3,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { #include #include + #include =20 # needed for searching directories capability dac_override, --=20 2.27.0 From nobody Fri May 3 02:14:42 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 207.211.31.120 as permitted sender) client-ip=207.211.31.120; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-1.mimecast.com; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of redhat.com designates 207.211.31.120 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail(p=none dis=none) header.from=canonical.com ARC-Seal: i=1; a=rsa-sha256; t=1596459227; cv=none; d=zohomail.com; s=zohoarc; b=XvJadRQZQLIoX7xc+sYLosFJ7JLpvCp7DpTopAjMq9bvCcFOX9JWOlLOMrgkhhO06VWW2pgCGi1MSV9+nPAOlkgiN50x9GbtFa56ZYi46frhLRlzDUHYO6xOrQbMrjg/yMAI9DWbzQzwz4GfblQhhw67ePOsQFCoJtvbnBNyEjU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1596459227; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=jB7m9+yRIRdgxdvN5GIpXojNHm+qXbuytBRDu3UsOxU=; b=Lpfcd9Ty27rYEdJ5zcMAr3FneQtWItizYOzdaIqI/hOm3C5JFAZZfJZkaZoOH28hBeo5bT9bzSFcQAquH0DtpmpwDw7OHXrHgiWp11kizF82IZWvbE9fHUD5vqa6tm7UHsUTFfXSnbiswPel2PcjB9kNZWZziZ82qEUhnd97Vh4= ARC-Authentication-Results: i=1; mx.zohomail.com; spf=pass (zohomail.com: domain of redhat.com designates 207.211.31.120 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.120]) by mx.zohomail.com with SMTPS id 1596459227825850.0223194106937; Mon, 3 Aug 2020 05:53:47 -0700 (PDT) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by 
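Review bot: the subject says virt-aa-helper should "read from tmp", but pulling in the user-tmp abstraction grants whatever that abstraction defines, and in the stock AppArmor abstraction that is `owner /tmp/** rwkl,` and `owner /var/tmp/** rwkl,` plus `rw` on the directories themselves, i.e. write, lock and link as well as read. The helper only needs to stat and open images and their backing files to render rules, so an explicit read-only pair such as `/{,var/}tmp/ r,` and `/{,var/}tmp/** r,` matches the stated intent more tightly. There is also a question of whether the abstraction even does the job: virt-aa-helper is invoked by libvirtd and this profile carries `capability dac_override` (visible in the context below the include), so it normally runs as root, and `owner` rules then only match root-owned files, not the user-owned images the commit message describes. Please confirm the user-owned case actually passes with this include before merging. Finally, the `#include` line as shown here carries no target; make sure the committed line names the user-tmp abstraction the message refers to.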
relay.mimecast.com with ESMTP id us-mta-49-Nh6oBr-pNuaiFPtdfRye2Q-1; Mon, 03 Aug 2020 08:53:43 -0400 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id DB9EC19200C0; Mon, 3 Aug 2020 12:53:37 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 805AF19C58; Mon, 3 Aug 2020 12:53:37 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id BBEB91809547; Mon, 3 Aug 2020 12:53:35 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 073Cpm9S006880 for ; Mon, 3 Aug 2020 08:51:48 -0400 Received: by smtp.corp.redhat.com (Postfix) id 2A11F114F264; Mon, 3 Aug 2020 12:51:48 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast06.extmail.prod.ext.rdu2.redhat.com [10.11.55.22]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 11301114F260 for ; Mon, 3 Aug 2020 12:51:45 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 0F6EC18A6671 for ; Mon, 3 Aug 2020 12:51:45 +0000 (UTC) Received: from youngberry.canonical.com (youngberry.canonical.com [91.189.89.112]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-122-3z2yp0DFN62i7ygAPvVcPA-1; Mon, 03 Aug 2020 08:51:42 -0400 Received: from 2.general.paelzer.uk.vpn ([10.172.196.173] helo=Keschdeichel.fritz.box) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) 
(envelope-from ) id 1k2Zf7-0004mo-Mw; Mon, 03 Aug 2020 12:33:53 +0000 X-MC-Unique: Nh6oBr-pNuaiFPtdfRye2Q-1 X-MC-Unique: 3z2yp0DFN62i7ygAPvVcPA-1 From: Christian Ehrhardt To: libvir-list@redhat.com Subject: [PATCH 7/8] apparmor: allow virt-aa-helper to read openvswitch sockets Date: Mon, 3 Aug 2020 14:33:45 +0200 Message-Id: <20200803123346.3987430-8-christian.ehrhardt@canonical.com> In-Reply-To: <20200803123346.3987430-1-christian.ehrhardt@canonical.com> References: <20200803123346.3987430-1-christian.ehrhardt@canonical.com> MIME-Version: 1.0 X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false; X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-loop: libvir-list@redhat.com Cc: Jamie Strandboge , =?UTF-8?q?Guido=20G=C3=BCnther?= , Serge Hallyn , Andrea Bolognani , Christian Ehrhardt , Stefan Bader X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" 
From: Serge Hallyn

Chardevs/sockets configured for openvswitch-dpdk use cases might be probed by virt-aa-helper. Allow that access to enable virt-aa-helper rendering per-guest rules for the actual qemu guest accessing these sockets eventually.

Signed-off-by: Christian Ehrhardt
Signed-off-by: Stefan Bader
Signed-off-by: Serge Hallyn
---
 src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index 3f204799a6..877cb04b1e 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -46,6 +46,9 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { @sysconfdir@/apparmor.d/libvirt/* r, @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0= -9a-f]*-[0-9a-f]* rw, =20 + # for openvswitch sockets + /{,var/}run/openvswitch/** rw, + # for backingstore -- allow access to non-hidden files in @{HOME} as well # as storage pools audit deny @{HOME}/.* mrwkl, --=20 2.27.0 From nobody Fri May 3 02:14:42 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 205.139.110.120 as permitted sender) client-ip=205.139.110.120; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-1.mimecast.com; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of redhat.com designates 205.139.110.120 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail(p=none dis=none) header.from=canonical.com ARC-Seal: i=1; a=rsa-sha256; t=1596459237; cv=none; d=zohomail.com; s=zohoarc; b=Cck28jIhqTldJ7Mqyq9U91qO2cKna5oQN+Th1OfBEIEW3pT8tzvRH5H0BzQJHxsFWRl3x3eVfKqt6y3Q88ioIQVjVwhrkpCK17XR936XUAvBmWDxk8qBUbQxLbBwixLco6iocREEoVssQPpdEf9O4b5RYjENxSW9Qs38yIIHRqg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1596459237; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=V1AVYnbNWKA/E6nxHp7HHXKDC5wZ+19eYUH0lwcAl1g=; b=RCj6k8n3gNRJXid6kEhx6Nu3XCRbaaGH3UVnJW7wazIq4r1AEsZiztLLvbY++hmtqdIl+/BMOJvDGXBakDLzlH0g1b0eIWIE+d+fLl3GtjrDnT7v/e9IloOjd0Ylcn0lQQXQHGyjlPrvzQN7ToauONBRklrLNLrms718SYJ68dM= ARC-Authentication-Results: i=1; mx.zohomail.com; spf=pass (zohomail.com: domain of redhat.com designates 205.139.110.120 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from us-smtp-1.mimecast.com 
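Review bot: `/{,var/}run/openvswitch/** rw,` grants more than the subject ("read openvswitch sockets") and the commit message (the helper only probes the chardev sockets so it can render rules for qemu) call for. `rw` lets virt-aa-helper write to everything under the openvswitch runtime directory, which besides the vhost-user sockets a guest definition points at also holds ovsdb's db.sock, the ovs-vswitchd control socket and the daemons' pid files, and a trailing `**` keeps matching any subdirectory created there later. Unless the probe really opens the socket for writing, `r` is enough to stat and open a path; drop `w`, and if the socket names are predictable, narrow `**` to the socket files. Minor: the alternation is written `{,var/}` here and `{var/,}` in the libvirt-qemu change later in this series; both expand identically, but one spelling is easier to grep for.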
(us-smtp-delivery-1.mimecast.com [205.139.110.120]) by mx.zohomail.com with SMTPS id 1596459237749132.83980713421124; Mon, 3 Aug 2020 05:53:57 -0700 (PDT) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-430-pdkATgW9OX2gWR9S7HPpTA-1; Mon, 03 Aug 2020 08:53:54 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 1A937100CCC1; Mon, 3 Aug 2020 12:53:49 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id EB41971767; Mon, 3 Aug 2020 12:53:48 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 7DB111809563; Mon, 3 Aug 2020 12:53:48 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 073CpqSR006929 for ; Mon, 3 Aug 2020 08:51:52 -0400 Received: by smtp.corp.redhat.com (Postfix) id 50E521007A3C; Mon, 3 Aug 2020 12:51:52 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast06.extmail.prod.ext.rdu2.redhat.com [10.11.55.22]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 2ED231007A2D for ; Mon, 3 Aug 2020 12:51:52 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 1BAE118A6663 for ; Mon, 3 Aug 2020 12:51:52 +0000 (UTC) Received: from youngberry.canonical.com (youngberry.canonical.com [91.189.89.112]) (Using TLS) by relay.mimecast.com with ESMTP id 
us-mta-280-vUj2Vzd9PwKxygbm2Cjeng-1; Mon, 03 Aug 2020 08:51:50 -0400 Received: from 2.general.paelzer.uk.vpn ([10.172.196.173] helo=Keschdeichel.fritz.box) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1k2Zf8-0004mo-21; Mon, 03 Aug 2020 12:33:54 +0000 X-MC-Unique: pdkATgW9OX2gWR9S7HPpTA-1 X-MC-Unique: vUj2Vzd9PwKxygbm2Cjeng-1 
From: Christian Ehrhardt To: libvir-list@redhat.com Subject: [PATCH 8/8] apparmor: let qemu load old shared objects after upgrades Date: Mon, 3 Aug 2020 14:33:46 +0200 Message-Id: <20200803123346.3987430-9-christian.ehrhardt@canonical.com> In-Reply-To: <20200803123346.3987430-1-christian.ehrhardt@canonical.com> References: <20200803123346.3987430-1-christian.ehrhardt@canonical.com> MIME-Version: 1.0 X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false; X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-loop: libvir-list@redhat.com Cc: Guido Günther , Jamie Strandboge , Andrea Bolognani , Christian Ehrhardt X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8"

Since [1], qemu can, after an upgrade, fall back to pre-upgrade modules to still be able to dynamically load qemu-module based features. The paths for these modules are pre-defined by the code and should be allowed to be mapped and loaded from, which will allow packagers to avoid the inability of late feature load [2] after package upgrades.

[1]: https://github.com/qemu/qemu/commit/bd83c861
[2]: https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1847361
Signed-off-by: Christian Ehrhardt --- src/security/apparmor/libvirt-qemu | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/lib= virt-qemu index 25eff20b82..c6f7149799 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -168,6 +168,11 @@ /usr/{lib,lib64}/qemu/*.so mr, /usr/lib/@{multiarch}/qemu/*.so mr, =20 + # let qemu load old shared objects after upgrades (LP: #1847361) + /{var/,}run/qemu/*/*.so mr, + # but explicitly deny writing to these files + audit deny /{var/,}run/qemu/*/*.so w, + # swtpm /{usr/,}bin/swtpm rmix, /usr/{lib,lib64}/libswtpm_libtpms.so mr, --=20 2.27.0
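Review bot: the `audit deny /{var/,}run/qemu/*/*.so w,` line and its comment "but explicitly deny writing to these files" overstate what it changes: AppArmor is default-deny and the preceding `mr` rule never granted `w`, so the new line only adds logging of write attempts (the `audit` keyword). Reword the comment to say that, so nobody later reads the deny as load-bearing. The actual control in this hunk is that qemu may map and execute any `.so` one directory below /run/qemu/, a tmpfs that is recreated at every boot, so the guarantee that only genuine pre-upgrade modules end up there rests entirely on the ownership and mode the qemu packaging gives /run/qemu/ and its per-version subdirectories, not on this profile; a comment stating that assumption, next to the existing "(LP: #1847361)" reference, belongs on the rule. Also, `*/*.so` matches exactly one path component, so a layout nested deeper than /run/qemu/<dir>/ would silently fail to load; check it against the directory structure the fallback code in [1] actually creates.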