From nobody Sun Sep 7 23:51:09 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=canonical.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1755705132883476.3090607811613; Wed, 20 Aug 2025 08:52:12 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 02FEB128A; Wed, 20 Aug 2025 11:52:11 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 460EB12DF; Wed, 20 Aug 2025 11:50:52 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id EE2ED1286; Wed, 20 Aug 2025 11:50:48 -0400 (EDT) Received: from smtp-relay-canonical-1.canonical.com (smtp-relay-canonical-1.canonical.com [185.125.188.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 0B0E811B4 for ; Wed, 20 Aug 2025 11:50:45 -0400 (EDT) Received: from localhost.localdomain (unknown [10.101.192.134]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-1.canonical.com (Postfix) with ESMTPSA id EF7E941CA0 for ; Wed, 20 Aug 2025 15:50:42 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-3.1 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED, RCVD_IN_VALIDITY_RPBL_BLOCKED,RCVD_IN_VALIDITY_SAFE_BLOCKED, SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1755705044; bh=XMWwauMOcsrYeYQSKWH7iWE/RcQSmNBU47k+4MHD7aI=; h=From:To:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=jUB1Upjzv7GoSHV7pYWrB/jKwEFRH1nqtx75W9tA8TBsgMPEjV5xy0AZ9EDK84hM+ 0f2QhXJKdEMzh7VHiXV53s0eXfRChWr220XvwcJl/fIi/+ZJHbf0J6hWUqHAJKOozQ PckTrz/A7xQkXEE1rqQAmNBOsq8FA3dJbBPuiv/xyxMsw3YAR35nGt6rONEIOo6Mg2 B8eecLWuki9DLCHQw5nqbX6xg3MKpCXcHAtiF7eDBe+fh1fzNEd8tvrS0UU3Uy2TUT 1+B7II2HLeFOPf4w/biCLM02EXNUqKP37o6NiWeG69VVQZlqLPz5LOTanyK9X8PqCf 3W0HqA9bxBDKQ== From: Hector CAO To: devel@lists.libvirt.org Subject: [PATCH v2 1/1] virt-aa-helper: Avoid duplicate when append rule Date: Wed, 20 Aug 2025 17:49:59 +0200 Message-Id: <20250820154959.20598-2-hector.cao@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250820154959.20598-1-hector.cao@canonical.com> References: <20250820154959.20598-1-hector.cao@canonical.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Message-ID-Hash: NUCMKL4PJDPDTO2YIQEPSOTJYLMTTWFG X-Message-ID-Hash: NUCMKL4PJDPDTO2YIQEPSOTJYLMTTWFG X-MailFrom: hector.cao@canonical.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: fail (Computed bodyhash is different from the expected one) X-ZM-MESSAGEID: 1755705135408124100 Content-Type: text/plain; charset="utf-8" From: Hector Cao when a device is dynamically attached to a VM, and it needs a special system access for apparmor, libvirt calls virt-aa-helper (with argument -F) to append a new rule to the apparmor profile of the VM. virt-aa-helper does not check for duplicate and blindly appends the rule to the profile. since there is no rule removal when a device is detached, this can make the profi= le grow in size if a big number of attach/detach operations are done and the profile might hit the size limit and futur attach operations might dysfunct= ion because no rule can be added into the apparmor profile. this patch tries to mitigate this issue by doing a duplicate check when rules are appended into the profile. this fix does not guarantee the absence of duplicates but should be enough to prevent the profile to grow significantly in size and reach its size limit. Signed-off-by: Hector CAO Reviewed-by: Michal Privoznik --- src/security/virt-aa-helper.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index b662d971cb..63d5f48025 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -208,10 +208,21 @@ update_include_file(const char *include_file, const c= har *included_files, return -1; } =20 - if (append && virFileExists(include_file)) + if (append && existing) { + /* duplicate check: include_files might contain multiple rules + * the best is to check for each rule (separated by \n) but + * it might be overkilled, just do the check for the whole + * include_files. + * most of the time, include_files contains only one rule + * so this check is ok to avoid the overflow of the profile + * duplicates might still exist though. + */ + if (strstr(existing, included_files) !=3D NULL) + return 0; pcontent =3D g_strdup_printf("%s%s", existing, included_files); - else + } else { pcontent =3D g_strdup_printf("%s%s", warning, included_files); + } =20 plen =3D strlen(pcontent); if (plen > MAX_FILE_LEN) { --=20 2.34.1