I will open a separate issue for tracking the blockcommit r/w
permissions side of this (as I should have done all along).
I've opened an MR to libvirt-tck with a test case that demonstrates the
bug [1]. apparmor/110-macvtap.t passes with these patches applied.
Thanks for the reviews and continued consideration.
[1] https://gitlab.com/libvirt/libvirt-tck/-/merge_requests/73
Resolves: https://gitlab.com/libvirt/libvirt/-/issues/692
Signed-off-by: Wesley Hershberger <wesley.hershberger@canonical.com>
---
Changes in v4:
- Split apparmor changes to separate patches
- virBufferEscapeString for formatting in XML
- Fix dangling pointer in virNetDevMacVLanTapOpen
- Added tapfd path to qemustatusxml2xmldata
Changes in v3:
- Fix buglink in commit message
- Link to v2: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/IPEBLU63JTLWMHZZDEP3KQ6AMVC53VKR/
Changes in v2:
- Drop `virt-aa-helper: Ask for no deny rule...` as it was applied
- Drop `qemu: Store blockcommit permissions...` due to unresolved concerns
- Pass tapfd path through netdef instead of resolving from fd
- Link to v1: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/UNNBQCMTOCLILQFBDG75734OCQZIXWQF/
---
Wesley Hershberger (3):
qemu: Store tapfd path in domstatus XML
apparmor: Pass status XML to virt-aa-helper
virt-aa-helper: Include macvtap tapfd path
src/conf/domain_conf.c                    |  8 ++++++++
src/conf/domain_conf.h                    |  1 +
src/hypervisor/domain_interface.c         |  2 +-
src/lxc/lxc_process.c                     |  1 +
src/qemu/qemu_interface.c                 |  1 +
src/security/security_apparmor.c          |  1 +
src/security/virt-aa-helper.c             |  5 +++++
src/util/virnetdevmacvlan.c               | 18 +++++++++++-------
src/util/virnetdevmacvlan.h               |  4 +++-
tests/qemustatusxml2xmldata/modern-in.xml |  7 +++++++
10 files changed, 39 insertions(+), 9 deletions(-)
---
base-commit: 792cb6bf60e774ee8ecf9e7d3cd2b6f21011ab43
change-id: 20260105-apparmor-races-d03238ee4d93
Best regards,
--
Wesley Hershberger <wesley.hershberger@canonical.com>