From: Miroslav Los via Devel
Reply-To: Miroslav Los
To: devel@lists.libvirt.org
Cc: Miroslav Los
Subject: [PATCH] security: AppArmor allow write when os loader readonly=no
Date: Tue, 4 Jun 2024 11:10:59 +0000
Message-Id: <20240604111059.2831855-1-mirlos@cisco.com>

Since libvirt commit 3ef9b51b10e52886e8fe8d75e36d0714957616b7, the pflash storage for the os loader file follows its read-only flag, and qemu tries to open the file for writing if set so.

This patches virt-aa-helper to generate the VM's AppArmor rules that allow this, using the same domain definition flag and default.

Signed-off-by: Miroslav Los
Reviewed-by and push the patch.
---
 src/security/virt-aa-helper.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 0374581f07..2f57664a4c 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1001,9 +1001,14 @@ get_files(vahControl * ctl) if (vah_add_file(&buf, ctl->def->os.slic_table, "r") !=3D 0) goto cleanup; =20 - if (ctl->def->os.loader && ctl->def->os.loader->path) - if (vah_add_file(&buf, ctl->def->os.loader->path, "rk") !=3D 0) + if (ctl->def->os.loader && ctl->def->os.loader->path) { + bool readonly =3D false; + virTristateBoolToBool(ctl->def->os.loader->readonly, &readonly); + if (vah_add_file(&buf, + ctl->def->os.loader->path, + readonly ? "rk" : "rwk") !=3D 0) goto cleanup; + } =20 if (ctl->def->os.loader && ctl->def->os.loader->nvram) { if (storage_source_add_files(ctl->def->os.loader->nvram, &buf, 0) = < 0) --=20 2.25.1
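Review bot: the line `bool readonly = false;` silently decides the ABSENT case, and it decides it in the permissive direction: virTristateBoolToBool only overwrites its output for an explicit YES or NO, so a loader element with no readonly attribute ends up with `readonly ? "rk" : "rwk"` emitting "rwk", i.e. the profile grants write access to the loader file unless the XML explicitly says readonly=yes. The commit message says this mirrors the domain definition default, but nothing in the hunk shows that; please either add a comment citing where the qemu driver resolves ABSENT for os.loader->readonly, or, for least privilege, initialise `readonly = true` and widen to "rwk" only on an explicit readonly=no, since the loader path is typically a shared firmware image and a write rule for it affects every guest using that file. A minor style point: the original code kept the nested `if` without braces; now that the inner block spans several statements, the braces you added are right, but the inner `if (vah_add_file(...)` / `goto cleanup;` pair could also take braces for consistency with the `nvram` block just below.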