[PATCH] apparmor: Allow /usr/libexec for libxl-save-helper and pygrub

Jim Fehlig posted 1 patch 3 years, 6 months ago
Test syntax-check failed
Patches applied successfully
git fetch https://github.com/patchew-project/libvirt tags/patchew/20200922223422.28254-1-jfehlig@suse.com
src/security/apparmor/usr.sbin.libvirtd.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
[PATCH] apparmor: Allow /usr/libexec for libxl-save-helper and pygrub
Posted by Jim Fehlig 3 years, 6 months ago
Like other distros, openSUSE Tumbleweed recently changed libexecdir from
/usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper
and pygrub.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---

I considered including /usr/lib64, but I don't think any distros are
installing xen libexecdir targets to /usr/lib64. Happy to include it
if I'm wrong :-).

 src/security/apparmor/usr.sbin.libvirtd.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index f2030764cd..bf4563e1e8 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -86,8 +86,8 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
   /{usr/,}lib/udev/scsi_id PUx,
   /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
   /usr/{lib,lib64}/xen/bin/* Ux,
-  /usr/lib/xen-*/bin/libxl-save-helper PUx,
-  /usr/lib/xen-*/bin/pygrub PUx,
+  /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,
+  /usr/{lib,libexec}/xen-*/bin/pygrub PUx,
   /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
   /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
 
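
Review bot: The context rules just above the changed lines, `/usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,` and `/usr/{lib,lib64}/xen/bin/* Ux,`, are left without `libexec`, and the `xen-*` glob in the two `+` lines does not match a directory named plain `xen`. If a Xen build with libexecdir set to /usr/libexec installs its helpers under an unversioned `xen/bin` directory, no rule shown in this hunk permits executing them. Either extend those two alternations to `{lib,lib64,libexec}` in the same patch, or say in the commit message that only the versioned `xen-*` layout is affected.
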
-- 
2.28.0


Re: [PATCH] apparmor: Allow /usr/libexec for libxl-save-helper and pygrub
Posted by Christian Ehrhardt 3 years, 6 months ago
On Wed, Sep 23, 2020 at 12:35 AM Jim Fehlig <jfehlig@suse.com> wrote:
>
> Like other distros, openSUSE Tumbleweed recently changed libexecdir from
> /usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper
> and pygrub.

Hi Jim,
ack to the intention, but I think since this should use @libexecdir@ I think.
Or did anything change that this doesn't apply anymore ... in that
case I beg your pardon.

[1]: https://libvirt.org/git/?p=libvirt.git;a=commit;h=5c8bd31c881e99261ac098e867a79b300440731a

> Signed-off-by: Jim Fehlig <jfehlig@suse.com>
> ---
>
> I considered including /usr/lib64, but I don't think any distros are
> installing xen libexecdir targets to /usr/lib64. Happy to include it
> if I'm wrong :-).
>
>  src/security/apparmor/usr.sbin.libvirtd.in | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
> index f2030764cd..bf4563e1e8 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> @@ -86,8 +86,8 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
>    /{usr/,}lib/udev/scsi_id PUx,
>    /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
>    /usr/{lib,lib64}/xen/bin/* Ux,
> -  /usr/lib/xen-*/bin/libxl-save-helper PUx,
> -  /usr/lib/xen-*/bin/pygrub PUx,
> +  /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,
> +  /usr/{lib,libexec}/xen-*/bin/pygrub PUx,
>    /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
>    /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
>
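
Review bot: The two `+` lines hard-code `/usr/{lib,libexec}` in a profile that uses build-time substitution elsewhere (the hunk header shows `@sbindir@/libvirtd`), and nothing in the hunk says why. A one-line comment above them noting that libxl-save-helper and pygrub are installed by Xen, whose libexecdir need not match libvirt's, would keep a later cleanup from replacing the alternation with `@libexecdir@`.
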
> --
> 2.28.0
>
>


-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd

Re: [PATCH] apparmor: Allow /usr/libexec for libxl-save-helper and pygrub
Posted by Jim Fehlig 3 years, 6 months ago
On 9/23/20 7:26 AM, Christian Ehrhardt wrote:
> On Wed, Sep 23, 2020 at 12:35 AM Jim Fehlig <jfehlig@suse.com> wrote:
>>
>> Like other distros, openSUSE Tumbleweed recently changed libexecdir from
>> /usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper
>> and pygrub.
> 
> Hi Jim,
> ack to the intention, but I think since this should use @libexecdir@ I think.
> Or did anything change that this doesn't apply anymore ... in that
> case I beg your pardon.
> 
> [1]: https://libvirt.org/git/?p=libvirt.git;a=commit;h=5c8bd31c881e99261ac098e867a79b300440731a

Heh, I see that skipped over the xen stuff :-). I'll send a V2 later.

Regards,
Jim

Re: [PATCH] apparmor: Allow /usr/libexec for libxl-save-helper and pygrub
Posted by Jim Fehlig 3 years, 6 months ago
On 9/23/20 7:51 AM, Jim Fehlig wrote:
> On 9/23/20 7:26 AM, Christian Ehrhardt wrote:
>> On Wed, Sep 23, 2020 at 12:35 AM Jim Fehlig <jfehlig@suse.com> wrote:
>>>
>>> Like other distros, openSUSE Tumbleweed recently changed libexecdir from
>>> /usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper
>>> and pygrub.
>>
>> Hi Jim,
>> ack to the intention, but I think since this should use @libexecdir@ I think.
>> Or did anything change that this doesn't apply anymore ... in that
>> case I beg your pardon.
>>
>> [1]: 
>> https://libvirt.org/git/?p=libvirt.git;a=commit;h=5c8bd31c881e99261ac098e867a79b300440731a 
>>
> 
> Heh, I see that skipped over the xen stuff :-). I'll send a V2 later.

Thinking about it more, perhaps it is best to go with this V1 patch since these 
are not files provided by libvirt but xen, where conceivably libvirt and xen 
could be built with different libexecdir? IMO it would be best to explicitly 
list the known paths distros have used for libxl-save-helper and pygrub.

Regards,
Jim

Re: [PATCH] apparmor: Allow /usr/libexec for libxl-save-helper and pygrub
Posted by Neal Gompa 3 years, 6 months ago
On Wed, Sep 23, 2020 at 12:46 PM Jim Fehlig <jfehlig@suse.com> wrote:
>
> On 9/23/20 7:51 AM, Jim Fehlig wrote:
> > On 9/23/20 7:26 AM, Christian Ehrhardt wrote:
> >> On Wed, Sep 23, 2020 at 12:35 AM Jim Fehlig <jfehlig@suse.com> wrote:
> >>>
> >>> Like other distros, openSUSE Tumbleweed recently changed libexecdir from
> >>> /usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper
> >>> and pygrub.
> >>
> >> Hi Jim,
> >> ack to the intention, but I think since this should use @libexecdir@ I think.
> >> Or did anything change that this doesn't apply anymore ... in that
> >> case I beg your pardon.
> >>
> >> [1]:
> >> https://libvirt.org/git/?p=libvirt.git;a=commit;h=5c8bd31c881e99261ac098e867a79b300440731a
> >>
> >
> > Heh, I see that skipped over the xen stuff :-). I'll send a V2 later.
>
> Thinking about it more, perhaps it is best to go with this V1 patch since these
> are not files provided by libvirt but xen, where conceivably libvirt and xen
> could be built with different libexecdir? IMO it would be best to explicitly
> list the known paths distros have used for libxl-save-helper and pygrub.
>

It is entirely possible that one has not been updated yet, or someone
is mixing packages, so this patch makes sense over having it assume a
specific path.


-- 
真実はいつも一つ!/ Always, there's only one truth!


Re: [PATCH] apparmor: Allow /usr/libexec for libxl-save-helper and pygrub
Posted by Christian Ehrhardt 3 years, 6 months ago
On Wed, Sep 23, 2020 at 6:45 PM Jim Fehlig <jfehlig@suse.com> wrote:
>
> On 9/23/20 7:51 AM, Jim Fehlig wrote:
> > On 9/23/20 7:26 AM, Christian Ehrhardt wrote:
> >> On Wed, Sep 23, 2020 at 12:35 AM Jim Fehlig <jfehlig@suse.com> wrote:
> >>>
> >>> Like other distros, openSUSE Tumbleweed recently changed libexecdir from
> >>> /usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper
> >>> and pygrub.
> >>
> >> Hi Jim,
> >> ack to the intention, but I think since this should use @libexecdir@ I think.
> >> Or did anything change that this doesn't apply anymore ... in that
> >> case I beg your pardon.
> >>
> >> [1]:
> >> https://libvirt.org/git/?p=libvirt.git;a=commit;h=5c8bd31c881e99261ac098e867a79b300440731a
> >>
> >
> > Heh, I see that skipped over the xen stuff :-). I'll send a V2 later.
>
> Thinking about it more, perhaps it is best to go with this V1 patch since these
> are not files provided by libvirt but xen, where conceivably libvirt and xen
> could be built with different libexecdir? IMO it would be best to explicitly
> list the known paths distros have used for libxl-save-helper and pygrub.

You are right, and in >99% of the cases it will be one of the two
paths you have in your rule anyway.
Sorry for the detour Jim

Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>


> Regards,
> Jim
>


-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd

Re: [PATCH] apparmor: Allow /usr/libexec for libxl-save-helper and pygrub
Posted by Neal Gompa 3 years, 6 months ago
On Tue, Sep 22, 2020 at 6:35 PM Jim Fehlig <jfehlig@suse.com> wrote:
>
> Like other distros, openSUSE Tumbleweed recently changed libexecdir from
> /usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper
> and pygrub.
>
> Signed-off-by: Jim Fehlig <jfehlig@suse.com>
> ---
>
> I considered including /usr/lib64, but I don't think any distros are
> installing xen libexecdir targets to /usr/lib64. Happy to include it
> if I'm wrong :-).
>
>  src/security/apparmor/usr.sbin.libvirtd.in | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
> index f2030764cd..bf4563e1e8 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> @@ -86,8 +86,8 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
>    /{usr/,}lib/udev/scsi_id PUx,
>    /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
>    /usr/{lib,lib64}/xen/bin/* Ux,
> -  /usr/lib/xen-*/bin/libxl-save-helper PUx,
> -  /usr/lib/xen-*/bin/pygrub PUx,
> +  /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,
> +  /usr/{lib,libexec}/xen-*/bin/pygrub PUx,
>    /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
>    /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
>
> --
> 2.28.0
>

Yay! Looks great to me!

Reviewed-by: Neal Gompa <ngompa13@gmail.com>


-- 
真実はいつも一つ!/ Always, there's only one truth!