This series has two independent changes following from a thread back in
November (#692) [1][2]. Broadly speaking I agree that regenerating the
AppArmor profile from scratch feels fragile. That said, this issue has
been on my back burner for a while; it's out of scope for me to take on
that (much larger) effort.

I'm including the first patch for completeness' sake, as all blockcommit
operations fail without it when using the AppArmor driver (#806 [3]).
It was rejected in 2017 but is still carried in Ubuntu [4]. Feel free
not to pull it - the solution to that issue is separate and not my
primary concern. I can send a new version of patch 3 that applies
without it.

My understanding is that the domstatus XML is only used by libvirt
internally (stored in /var/run to persist runtime info over libvirtd
restarts). Since this is the case, I haven't included documentation for
the new items here; please let me know if I missed where they should be
documented.

I'm happy to consider this a first draft; feedback is welcome.

I've opened an MR to libvirt-tck with test cases that demonstrate the
bugs that this fixes [5]. Those tests pass with the series applied.

Thanks for your consideration.
~Wesley

[1] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/QUJITQCZZDLO2BJMJGYKJFJMWPXB76CC/
[2] https://gitlab.com/libvirt/libvirt/-/issues/692
[3] https://gitlab.com/libvirt/libvirt/-/issues/806
[4] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/3WIDPAU3UNWSS7CZG7IF7QWJZCPDKBD3/
[5] https://gitlab.com/libvirt/libvirt-tck/-/merge_requests/73
---
Serge Hallyn (1):
      virt-aa-helper: Ask for no deny rule for readonly disk elements

Wesley Hershberger (2):
      qemu: Store tapfd path in domstatus XML
      qemu: Store blockcommit permissions in domstatus XML

 src/conf/domain_conf.c           | 17 +++++++++++++++++
 src/conf/domain_conf.h           |  1 +
 src/conf/storage_source_conf.c   |  2 ++
 src/conf/storage_source_conf.h   |  3 +++
 src/qemu/qemu_block.c            | 26 ++++++++++++++++++++++++++
 src/qemu/qemu_blockjob.c         |  8 ++++++++
 src/qemu/qemu_command.c          |  9 +++++++++
 src/qemu/qemu_security.c         |  7 +++++++
 src/security/security_apparmor.c |  1 +
 src/security/virt-aa-helper.c    | 14 ++++++++------
 10 files changed, 82 insertions(+), 6 deletions(-)
---
base-commit: 16804acf14616d7357ad6a336f2ffd6d255a8d63
change-id: 20260105-apparmor-races-d03238ee4d93
Best regards,
--
Wesley Hershberger <wesley.hershberger@canonical.com>