From nobody Sat May 18 18:58:00 2024
Delivered-To: importer@patchew.org
Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied
 by domain of lists.libvirt.org) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain
 of lists.libvirt.org)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	arc=fail (BodyHash is different from the expected one);
	dmarc=fail(p=quarantine dis=quarantine)  header.from=suse.com
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1702946123530889.2097929191776;
 Mon, 18 Dec 2023 16:35:23 -0800 (PST)
Received: by lists.libvirt.org (Postfix, from userid 996)
	id 357C71B7C; Mon, 18 Dec 2023 19:35:22 -0500 (EST)
Received: from lists.libvirt.org (localhost [IPv6:::1])
	by lists.libvirt.org (Postfix) with ESMTP id 451B91884;
	Mon, 18 Dec 2023 19:34:10 -0500 (EST)
Received: by lists.libvirt.org (Postfix, from userid 996)
	id DD7F11B75; Mon, 18 Dec 2023 19:34:05 -0500 (EST)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com
 (mail-vi1eur05on2042.outbound.protection.outlook.com [40.107.21.42])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id D61871884
	for <devel@lists.libvirt.org>; Mon, 18 Dec 2023 19:34:01 -0500 (EST)
Received: from PAXPR04MB8623.eurprd04.prod.outlook.com (2603:10a6:102:21a::11)
 by PAXPR04MB9256.eurprd04.prod.outlook.com (2603:10a6:102:2ba::22) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7091.37; Tue, 19 Dec
 2023 00:33:57 +0000
Received: from PAXPR04MB8623.eurprd04.prod.outlook.com
 ([fe80::be92:1441:1177:e77]) by PAXPR04MB8623.eurprd04.prod.outlook.com
 ([fe80::be92:1441:1177:e77%5]) with mapi id 15.20.7091.034; Tue, 19 Dec 2023
 00:33:57 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=0.2 required=5.0 tests=FORGED_SPF_HELO,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,T_SCC_BODY_TEXT_LINE autolearn=no
	autolearn_force=no version=3.4.4
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=md6g3cdevEa0HqGHD8OTntVEozRS7rDbkXlqYKjh/OdkBGTT/N8hUwPi6LfCLbn5wJBuM2KZDOD4Yo+8iACSO8h0oCl3LuJ1HKV4On43WL+JN/zpfZs5+rbi/+FBdgHJrxTYdGopJOk5vGpjIaeygqfOWKKq6I3Sbz0GqBbiMM60PVcgQtvTXHuGi8A7zIsCeFlocolh7CceQCaDQ3ujCCJBTU1IupnHleODUU6eB6LiSpcSKCai6bFs9QuoPlvX1yMqpSaZ2WIWXI1fTeCP4kdcQXhna8uParIoq1G1uGigKOwfBsxJFeL46VLgzvqD8JshKgxme59BHnxSAXGuxA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=7Q0T63BYJxot3WIovlP2RfRZ8smuljt05BBB29i11qo=;
 b=KjK4vFR6+CUnrbOGlzmeEnxgteWS694ialbfsn5dC50UEY4gd+qgLYXsG7lGi1Z5etyU2xms/uArkRCvvCo0cLipl+Gg7GHJSiBva4w1cYobA5Bm8TpdMWi55Hf/WIzUcktMD7Hgbu2on1I8UZJ38zOZLmx+rdTmMLQOS3kiYhT0RY4NKITLIZsGshRZ5eqv+5D/d6WEHB5MhqIRC7e/62gFhlXuolSLr+4M8x/PmNCJsIGvgA4yMgmDw+/7kH3Yf9iyZ96Bhcm7awSx89dMMOIVqp7EeavzaQrxz8D573e3j+4TvYrH/D65EQCrZdtqDrYZ/WGjVGrYDfKKBRl9Cw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com;
 dkim=pass header.d=suse.com; arc=none
From: Jim Fehlig <jfehlig@suse.com>
To: devel@lists.libvirt.org
Subject: [PATCH] apparmor: Add capabilities for PCI passthrough to virtxend
 profile
Date: Mon, 18 Dec 2023 17:33:30 -0700
Message-ID: <20231219003352.15876-1-jfehlig@suse.com>
X-Mailer: git-send-email 2.43.0
X-ClientProxiedBy: CY5PR19CA0093.namprd19.prod.outlook.com
 (2603:10b6:930:83::19) To PAXPR04MB8623.eurprd04.prod.outlook.com
 (2603:10a6:102:21a::11)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: PAXPR04MB8623:EE_|PAXPR04MB9256:EE_
X-MS-Office365-Filtering-Correlation-Id: 515c00c3-f871-49f2-0d19-08dc002a2f8a
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
 CfxDGcAiMODSBCTlgL80Y9O4eAGVMz57/ADL/JtYpVHA0qxHwhfmZHuc926JyR0YMpMLVqXnA9wO7BA0RSAhyepYkzn9EX92Uuyxq9IF4JwOVgpL7UgogUsUTwJfh1RZmK1g44gKn305ylzfgpySdYiWx5GXoIfQAuPSENW1IlcdbQXMh+0JewTJaqgY2AlsUZV15GELYiLJvuY1IOhJ92pWfjzXSV8ucV6mtpU3EO9yCmn9vykGJZP6P+BHVaLH2NWQfB6W9TcjyJSljgJXDYsC10u5WGdxEckpvKN40QhZbwzAl9tEB9cDZ9fPFnU7eDOWsTG11rgufM7MaHVAxF9jO4aGJuB5BkVqxQE41VjKc2G1jGxHEncgD2bJS//IlZYlGnTrnA56H6EPNAFa96uCEF61DeodJoZiDRt9BbKFAtURco1N1Odc7JoATOlXhp2qdjN1LuOf38hkR6ayxKWtKbHbP8RXCtijJABl8kNHRK6H7fllEddx/2vqbjx5RwtpotKsqVNjKUneSIgOIwS/FRjf9PRvXYl/NawcPFmtq33K2tu0Mbm6+aKNLegb
X-Forefront-Antispam-Report: 
 CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PAXPR04MB8623.eurprd04.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230031)(376002)(136003)(366004)(346002)(39850400004)(396003)(230922051799003)(64100799003)(186009)(1800799012)(451199024)(8936002)(6666004)(5660300002)(2906002)(8676002)(38100700002)(6512007)(6506007)(6916009)(83380400001)(316002)(66476007)(66946007)(66556008)(41300700001)(86362001)(478600001)(1076003)(6486002)(26005)(2616005)(36756003);DIR:OUT;SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 =?us-ascii?Q?4bZ2ut/5I4jvJ9axdlKh375gGy/m3F8Wwx0irEYt33P6Zv/7sn68OvDV8AfA?=
 =?us-ascii?Q?OI2GY9xwq6b8hWxnBh+wtN68wqs8alWP/h298LCk6GpzXVTvnvvjPkRveGk6?=
 =?us-ascii?Q?CdbmL+7ah4x1Ntt9fK6NL5uFVzc4iPS1VU/dPuooaQvpfTX8z0yVGGyCQn5W?=
 =?us-ascii?Q?YwuHw+a7yXU3Uf1xVndGa+nX54XjgvL3wL+y+oCyNy6zXgyJvyDBiyk5LW33?=
 =?us-ascii?Q?GE90ouBVbPr8PV2hvJz5F80U7KFHe6RQwYHYw4IQ4aQdiGKw8zK3KpJbKiU/?=
 =?us-ascii?Q?QaA+mkVk07/P8kmmH8M0VlbigFDtmkmWJBqWGlIs9qjU2aUmmXuEhNFtf5IE?=
 =?us-ascii?Q?NjP08wICD8+ceJqgDHbJWKbciYg2ES3G15vpU7I776UawS/9hm2JSksIPIJu?=
 =?us-ascii?Q?vF6TF80rtDPeBVczLN4ALMAZfcTBGn8jQ0B544ltG7V/kuMSYWaEt6/6Jxnk?=
 =?us-ascii?Q?/ZuvnfFiIcc0sDXYJSXnLsn3z07c6W09F2mid4w61XGPGrRVNhhrXJwLvTay?=
 =?us-ascii?Q?iNmorMSLrPUvWGz50d27yG6NBrZgwCmSASFZFoz+FEDBbmzkO/UeS6rq3KCW?=
 =?us-ascii?Q?ab2slTbmry8ulNmwAxFvJDN8haWHOwgtkGIF2ldrNvc41eZnCntJ6Y7vPdH8?=
 =?us-ascii?Q?2/POkVO8iCbl5f47Ys2oaYyfjUp0bnGewbsRikpNfTroIsDkR6eXvux32hZK?=
 =?us-ascii?Q?9xTVoPwsijuLe/f6+punu/t4ESK01AlCBqtRK77rcELNP7YlBZKzvSa+KaMF?=
 =?us-ascii?Q?y+uIzHQWHK8Z9eF2zwKFrlwtuwdDbRqu1JQhqt2RwRmGKuyJ7t3UG8LB3xNG?=
 =?us-ascii?Q?xIWNxPSPRIRnXJq2GEXn+ua/Tk0rGetPLxghyVEc5Ce4Fp4QsmaEvIjc80Ag?=
 =?us-ascii?Q?0vu8WQJ/HU9KYih3Jrps+lzBH7Wdb1hf8wdUS/PUdIXO55E1Muy8A+Ppgih6?=
 =?us-ascii?Q?ixHLlL/ZmEN2zRxD5GAnzjW/JiNkX3VNCWMmAwRLQ9aVm9lYLE/dwRHo3UjJ?=
 =?us-ascii?Q?pg2Df/sLSXBLqVIF5iWNDg5Kk9xX/0XX3Fn+Jsb7exmxsF5ZtzZKDRQsJJEn?=
 =?us-ascii?Q?dH5td69+SSroLYL66Uhx+mFbx9Eow5Ph/G2Pyxn0Rc/3gzcSqZBjAihFRIV2?=
 =?us-ascii?Q?8eM95cUild/VqXXY4BbVhrabV74PhKTcZWeUZLK2/v2O3VeN16ccUTiw5jw8?=
 =?us-ascii?Q?RLTs8pJGtmf4OFaOpMkuTH10pniv8JBDKV9SKK0J5PzvtdrpGwZl5en+4pAK?=
 =?us-ascii?Q?DFeDF6Zqjc0W0gsb+SWVO052ZEJMwqdlig9zMOG6ruWEUIoIj2f6y1CmIoJ+?=
 =?us-ascii?Q?FI0pihhgmV4gTOsykyCMztmEzCED5kyLTF0jNBeAUSOYy3kI11201jOvIDHm?=
 =?us-ascii?Q?OCwY3zzqpxgM4zSAiKjtZ0INZ2ieQLm97J46GpDyCi5hQYVgCLnZO0aBpDqb?=
 =?us-ascii?Q?V2O5wslLgJKKRlqBaG2sjedtvh69o/1v4xw86FenvyjaY/oeDy48eGF+Aox4?=
 =?us-ascii?Q?o/dc1gS/Z7p6pJqy7JZZkdlHqGunHpspJJijvekJdCvW5btN2DiihHuYsC9m?=
 =?us-ascii?Q?BXdLGJhgAcVUcBijsOJLmerHdD+JQj1u4j+PgGTj?=
X-OriginatorOrg: suse.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 515c00c3-f871-49f2-0d19-08dc002a2f8a
X-MS-Exchange-CrossTenant-AuthSource: PAXPR04MB8623.eurprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Dec 2023 00:33:56.8888
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: f7a17af6-1c5c-4a36-aa8b-f5be247aa4ba
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 QBNMX90q0jzDg8xztcc7/jgc7jIX6YQjDJpgkFJ4o5NS8j484mC+UotTbQu6F553xzZVl7F8UhiurpScx+bk5Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAXPR04MB9256
Message-ID-Hash: 2C26HQ7RGP6Y23I7ZXJKK5WJJRIMQTIT
X-Message-ID-Hash: 2C26HQ7RGP6Y23I7ZXJKK5WJJRIMQTIT
X-MailFrom: jfehlig@suse.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-config-1;
 header-match-config-2; header-match-config-3;
 header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 suspicious-header
X-Mailman-Version: 3.2.2
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/2C26HQ7RGP6Y23I7ZXJKK5WJJRIMQTIT/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-ZM-MESSAGEID: 1702946124838100001

When splitting out the apparmor modular daemon profiles from the
libvirtd profile, the net_admin and sys_admin capabilities were
dropped from the virtxend profile. It was not known at the time
that these capabilities were needed for PCI passthrough. Without
the capabilities, the following messages are emitted from the audit
subsystem

audit: type=3D1400 audit(1702939277.946:63): apparmor=3D"DENIED" \
operation=3D"capable" class=3D"cap" profile=3D"virtxend" pid=3D3611 \
comm=3D"rpc-virtxend" capability=3D21  capname=3D"sys_admin"
audit: type=3D1400 audit(1702940304.818:63): apparmor=3D"DENIED" \
operation=3D"capable" class=3D"cap" profile=3D"virtxend" pid=3D3731 \
comm=3D"rpc-virtxend" capability=3D12  capname=3D"net_admin"

It appears sys_admin is needed to simply read from the PCI dev's
sysfs config file. The net_admin capability is needed when setting
the MAC address of an SR-IOV virtual function.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/security/apparmor/usr.sbin.virtxend.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/appa=
rmor/usr.sbin.virtxend.in
index 78a11305f5..77fedce352 100644
--- a/src/security/apparmor/usr.sbin.virtxend.in
+++ b/src/security/apparmor/usr.sbin.virtxend.in
@@ -5,8 +5,10 @@ profile virtxend @sbindir@/virtxend flags=3D(attach_discon=
nected) {
   #include <abstractions/dbus>
=20
   capability kill,
+  capability net_admin,
   capability setgid,
   capability setuid,
+  capability sys_admin,
   capability sys_pacct,
   capability ipc_lock,
=20
--=20
2.43.0
_______________________________________________
Devel mailing list -- devel@lists.libvirt.org
To unsubscribe send an email to devel-leave@lists.libvirt.org