From nobody Sun Apr 28 22:47:24 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 207.211.31.120 as permitted sender) client-ip=207.211.31.120; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-1.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 207.211.31.120 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1579942035; cv=none; d=zohomail.com; s=zohoarc; b=SK0SIly4Yr5YL//PsKC97rR/x6Fwhz/+TM6WJZ5Ww/+aRJSVY8JhQLP+TVjq05/rtxqwlrwbuHqk04PwQ8tYq6nf30r34dQUcdjl7FMjPK31+/duD10j7mQmxsH4zMeE7+4PDvDrp6udPyE40sWhCnJ9CV0Qeks66pBtRW1hZkQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1579942035; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=YjiTeuZl4sg2VQTESkWMsFgpRoq0hEUUoIDjWuKY8B4=; b=kuOUtG4r0LbGEknaAeCEmclxUwH1QnbWKB8ZT3l3QPYJMhGkaFxCHqADjSD5N8UBr4U/Gw5ByohgnXuT79CELl8qGXhqSUgfAh4/v2i3+2jC1fo8pgNrVveMJvpT5VJh7xIvAd/z2ckfYk1KzwXaefB1KY68yCCMgY5EdGkfu7c= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 207.211.31.120 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.120]) by mx.zohomail.com with SMTPS id 1579942035556862.8954347861321; Sat, 25 Jan 2020 00:47:15 -0800 (PST) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-111-qsJg-OZ4OsO8W7M8aLM4BA-1; Sat, 25 Jan 2020 03:47:12 -0500 Received: from smtp.corp.redhat.com 
(int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id EC7C910054E3; Sat, 25 Jan 2020 08:47:05 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 7248F1001B05; Sat, 25 Jan 2020 08:47:05 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id F006C8595D; Sat, 25 Jan 2020 08:47:02 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 00P8l0si001414 for ; Sat, 25 Jan 2020 03:47:00 -0500 Received: by smtp.corp.redhat.com (Postfix) id 2DA9A28D0C; Sat, 25 Jan 2020 08:47:00 +0000 (UTC) Received: from localhost.localdomain (ovpn-204-46.brq.redhat.com [10.40.204.46]) by smtp.corp.redhat.com (Postfix) with ESMTP id 79DD5289BC; Sat, 25 Jan 2020 08:46:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1579942034; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=YjiTeuZl4sg2VQTESkWMsFgpRoq0hEUUoIDjWuKY8B4=; b=FC7j+MsiehZ1hQtUXvtl0HB2YZYswEf5UN1K0sxVoV6+oSuuyZZhjbSjFLKDzZn/vDV4mh CQdmJN4fy2CeG/rv4BrDXp1/J+l1c4ZnhoX2FLmMF9uEjz5386BNjQnTaUQb82O14QKQE8 O/dSEXftYZxoxVDXvyp63A1husPs7f4= 
From: Michal Privoznik To: libvir-list@redhat.com Subject: [PATCH 1/6] apparmor: Fix parthelper, iohelper and virt-aa-helper paths in profiles Date: Sat, 25 Jan 2020 09:46:45 +0100 Message-Id: <534d4f02bbff73ee42217c487dfac25c610b851a.1579941835.git.mprivozn@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-loop: libvir-list@redhat.com Cc: christian.ehrhardt@canonical.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-MC-Unique: qsJg-OZ4OsO8W7M8aLM4BA-1 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) Content-Type: text/plain; charset="utf-8" These helper binaries are installed under libexec dir not lib dir. Signed-off-by: Michal Privoznik --- src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 2 +- src/security/apparmor/usr.sbin.libvirtd | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/sec= urity/apparmor/usr.lib.libvirt.virt-aa-helper index 11e9c039ca..504c70e0ce 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper @@ -39,7 +39,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-h= elper { deny /dev/mapper/ r, deny /dev/mapper/* r, =20 - /usr/{lib,lib64}/libvirt/virt-aa-helper mr, + /usr/libexec/virt-aa-helper mr, /{usr/,}sbin/apparmor_parser Ux, =20 /etc/apparmor.d/libvirt/* r, diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmo= r/usr.sbin.libvirtd index 29f9936ad9..2089ba1b3e 100644 --- a/src/security/apparmor/usr.sbin.libvirtd 
+++ b/src/security/apparmor/usr.sbin.libvirtd 
@@ -100,8 +100,8 @@ profile libvirtd /usr/sbin/libvirtd flags=3D(attach_dis= connected) { audit deny /sys/kernel/security/apparmor/.* rwxl, /sys/kernel/security/apparmor/profiles r, /usr/{lib,lib64}/libvirt/* PUxr, - /usr/{lib,lib64}/libvirt/libvirt_parthelper ix, - /usr/{lib,lib64}/libvirt/libvirt_iohelper ix, + /usr/libexec/libvirt_parthelper ix, + /usr/libexec/libvirt_iohelper ix, /etc/libvirt/hooks/** rmix, /etc/xen/scripts/** rmix, =20 --=20 2.24.1
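Review bot: the virt-aa-helper hunk changes the `mr` rule to `/usr/libexec/virt-aa-helper` while the enclosing profile header, visible in the hunk context as `profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {`, still attaches to the old path, so with this patch alone the profile confines a binary at a path where nothing is installed and the real helper under /usr/libexec runs with no profile of its own; the attachment path is only moved in 4/6, so either squash the two or reorder so the header changes first. In the usr.sbin.libvirtd hunk, replacing the `{lib,lib64}/libvirt` alternation with a bare `/usr/libexec` is right for builds whose libexecdir is /usr/libexec, but the old alternation was there for installs that put libvirt_parthelper and libvirt_iohelper under /usr/lib/libvirt; consider keeping both alternatives in the rule or substituting the configured libexecdir into the profile at build time, and say in the commit message which layouts the profile is meant to cover.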
From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 2/6] apparmor: Allow libvirt to spawn virt-aa-helper and libvirt_lxc
Date: Sat, 25 Jan 2020 09:46:46 +0100
Message-Id: <3b697138e930db2f9da334cb0e51f4bd8bb75af0.1579941835.git.mprivozn@redhat.com>
Cc: christian.ehrhardt@canonical.com

Both of these binaries are spawned by libvirt. Add a rule to the default profile to allow that.

Signed-off-by: Michal Privoznik
---
src/security/apparmor/usr.sbin.libvirtd | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmo= r/usr.sbin.libvirtd index 2089ba1b3e..27314b1512 100644 --- a/src/security/apparmor/usr.sbin.libvirtd +++ b/src/security/apparmor/usr.sbin.libvirtd
@@ -100,6 +100,8 @@ profile libvirtd /usr/sbin/libvirtd flags=3D(attach_dis= connected) { audit deny /sys/kernel/security/apparmor/.* rwxl, /sys/kernel/security/apparmor/profiles r, /usr/{lib,lib64}/libvirt/* PUxr, + /usr/libexec/virt-aa-helper PUxr, + /usr/libexec/libvirt_lxc PUxr, /usr/libexec/libvirt_parthelper ix, /usr/libexec/libvirt_iohelper ix, /etc/libvirt/hooks/** rmix, --=20 2.24.1
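Review bot: `PUxr` on the two new rules means "transition to the target's own profile if one is loaded, otherwise run it unconfined", and nothing in this series ships a profile for /usr/libexec/libvirt_lxc, so that rule always resolves to the unconfined fallback; this is no worse than the existing `/usr/{lib,lib64}/libvirt/* PUxr` line directly above it, but the commit message should say that libvirt_lxc runs unconfined rather than just "allow that". For /usr/libexec/virt-aa-helper the `P` branch only takes effect once the helper's profile attaches to the new path, which happens in 4/6; with 1/6 and 2/6 applied and 4/6 not yet, virt-aa-helper also falls through to `U`, which is one more reason to reorder or squash the attachment-path change ahead of this rule.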
From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 3/6] docs: Fix virt-aa-helper location
Date: Sat, 25 Jan 2020 09:46:47 +0100
Cc: christian.ehrhardt@canonical.com

The location of virt-aa-helper shown in the docs is incorrect. The helper binary is installed under libexec dir.

Signed-off-by: Michal Privoznik
---
docs/drvqemu.html.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/drvqemu.html.in b/docs/drvqemu.html.in index 8beb28655c..60d4352556 100644 --- a/docs/drvqemu.html.in +++ b/docs/drvqemu.html.in @@ -340,7 +340,7 @@ chmod o+x /path/to/directory

While users can define their own AppArmor profile scheme, a typical configuration will include a profile for /usr/sbin/libvirtd, - /usr/lib/libvirt/virt-aa-helper (a helper program which= the + /usr/libexec/virt-aa-helper (a helper program which the libvirtd daemon uses instead of manipulating AppArmor directly), and an abstraction to be included by /etc/apparmor.d/libvirt/TEMPL= ATE (typically /etc/apparmor.d/abstractions/libvirt-qemu). --=20 2.24.1
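Review bot: the replacement path in this hunk is only accurate for builds whose libexecdir is /usr/libexec, yet the surrounding sentence describes "a typical configuration", and on installs that place the helper under /usr/lib/libvirt the line being removed was the correct one. Suggest wording it as the helper living under the configured libexecdir, for example "virt-aa-helper (installed under libexecdir, typically /usr/libexec/virt-aa-helper; a helper program which the libvirtd daemon uses ...)", so the documentation does not have to change again for a different layout.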
From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 4/6] apparmor: Rename virt-aa-helper profile
Date: Sat, 25 Jan 2020 09:46:48 +0100
Message-Id: <5062f3e7f5911c28191a0978a2bce5453dca606d.1579941835.git.mprivozn@redhat.com>
Cc: christian.ehrhardt@canonical.com

The profile name should reflect the path under which the binary it describes is installed.

Signed-off-by: Michal Privoznik
---
src/security/Makefile.inc.am | 10 +++++----- ...bvirt.virt-aa-helper =3D> usr.libexec.virt-aa-helper} | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) rename src/security/apparmor/{usr.lib.libvirt.virt-aa-helper =3D> usr.libe= xec.virt-aa-helper} (93%) diff --git a/src/security/Makefile.inc.am b/src/security/Makefile.inc.am index 6fe9d50f29..02efefd6d6 100644 --- a/src/security/Makefile.inc.am +++ b/src/security/Makefile.inc.am
@@ -38,7 +38,7 @@ EXTRA_DIST +=3D \ security/apparmor/TEMPLATE.lxc \ security/apparmor/libvirt-qemu \ security/apparmor/libvirt-lxc \ - security/apparmor/usr.lib.libvirt.virt-aa-helper \ + security/apparmor/usr.libexec.virt-aa-helper \ security/apparmor/usr.sbin.libvirtd \ $(NULL) =20 @@ -91,7 +91,7 @@ endif WITH_SECDRIVER_APPARMOR if WITH_APPARMOR_PROFILES apparmordir =3D $(sysconfdir)/apparmor.d/ apparmor_DATA =3D \ - security/apparmor/usr.lib.libvirt.virt-aa-helper \ + security/apparmor/usr.libexec.virt-aa-helper \ security/apparmor/usr.sbin.libvirtd \ $(NULL) =20 @@ -111,11 +111,11 @@ APPARMOR_LOCAL_DIR =3D "$(DESTDIR)$(apparmordir)/loca= l" install-apparmor-local: $(MKDIR_P) "$(APPARMOR_LOCAL_DIR)" echo "# Site-specific additions and overrides for \ - 'usr.lib.libvirt.virt-aa-helper'" \ - >"$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper" + 'usr.libexec.virt-aa-helper'" \ + >"$(APPARMOR_LOCAL_DIR)/usr.libexec.virt-aa-helper" =20 uninstall-apparmor-local: - rm -f "$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper" + rm -f "$(APPARMOR_LOCAL_DIR)/usr.libexec.virt-aa-helper" rmdir "$(APPARMOR_LOCAL_DIR)" || : =20 INSTALL_DATA_LOCAL +=3D install-apparmor-local diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/sec= urity/apparmor/usr.libexec.virt-aa-helper similarity index 93% rename from src/security/apparmor/usr.lib.libvirt.virt-aa-helper rename to src/security/apparmor/usr.libexec.virt-aa-helper index 504c70e0ce..25754037e1 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper +++ b/src/security/apparmor/usr.libexec.virt-aa-helper @@ -1,7 +1,7 @@ # Last Modified: Mon Apr 5 15:10:27 2010 #include =20 -profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { +profile virt-aa-helper /usr/libexec/virt-aa-helper { #include =20 # needed for searching directories 
@@ -70,5 +70,5 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-h= elper { /**.[iI][sS][oO] r, /**/disk{,.*} r, =20 - #include + #include } --=20 2.24.1
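Review bot: the rename is internally consistent (the `install-apparmor-local` target now creates `$(APPARMOR_LOCAL_DIR)/usr.libexec.virt-aa-helper` and the profile's trailing `#include` is renamed to match, even though the archive has stripped the bracketed argument from both `#include` lines), but it breaks existing installations silently: an administrator's /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper overrides stop being read, and since `make install` only adds files, the old usr.lib.libvirt.virt-aa-helper profile stays in $(sysconfdir)/apparmor.d and keeps being loaded with its old attachment path next to the new one, while `uninstall-apparmor-local` only knows the new name. Please state in the commit message that the old profile and local file must be removed or migrated on upgrade so packagers can act on it. Minor: the stale "# Last Modified: Mon Apr 5 15:10:27 2010" header shown in the first hunk's context could be dropped while the file is being renamed anyway.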
From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 5/6] apparmor: Sort paths in blocks in libvirt-qemu profile
Date: Sat, 25 Jan 2020 09:46:49 +0100
Message-Id: <6804a07b31101aa6b11cdd5d3044e87910d62f17.1579941835.git.mprivozn@redhat.com>
Cc: christian.ehrhardt@canonical.com

Even though we construct a domain specific profile for each domain we start (which should cover domain specific paths), there is also another file that is included from the profile and which contains domain agnostic paths (e.g. to cover libraries that qemu links with). The paths in the file are split into blocks divided by comments. Sort the paths in each block individually (ignoring case sensitivity).

Signed-off-by: Michal Privoznik
---
src/security/apparmor/libvirt-qemu | 76 +++++++++++++++--------------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/lib= virt-qemu index d33348aa05..2291829270 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu
@@ -22,8 +22,8 @@ signal (receive) peer=3Dlibvirtd, signal (receive) peer=3D/usr/sbin/libvirtd, =20 - /dev/net/tun rw, /dev/kvm rw, + /dev/net/tun rw, /dev/ptmx rw, @{PROC}/*/status r, # When qemu is signaled to terminate, it will read cmdline of signaling @@ -39,19 +39,19 @@ /sys/bus/usb/devices/ r, /sys/devices/**/usb[0-9]*/** r, # libusb needs udev data about usb devices (~equal to content of lsusb -= v) + /run/udev/data/+usb* r, /run/udev/data/c16[6,7]* r, /run/udev/data/c18[0,8,9]* r, - /run/udev/data/+usb* r, =20 # WARNING: this gives the guest direct access to host hardware and speci= fic # portions of shared memory. This is required for sound using ALSA with = kvm, # but may constitute a security risk. If your environment does not requi= re # the use of sound in your VMs, feel free to comment out or prepend 'den= y' to # the rules for files in /dev. + /dev/snd/* rw, /{dev,run}/shm r, /{dev,run}/shmpulse-shm* r, /{dev,run}/shmpulse-shm* rwk, - /dev/snd/* rw, capability ipc_lock, # spice owner /{dev,run}/shm/spice.* rw, @@ -73,21 +73,21 @@ /var/lib/dbus/machine-id r, =20 # access to firmware's etc - /usr/share/kvm/** r, - /usr/share/qemu/** r, - /usr/share/qemu-kvm/** r, + /usr/share/AAVMF/** r, /usr/share/bochs/** r, + /usr/share/kvm/** r, + /usr/share/misc/sgabios.bin r, /usr/share/openbios/** r, /usr/share/openhackware/** r, - /usr/share/proll/** r, - /usr/share/vgabios/** r, - /usr/share/seabios/** r, - /usr/share/misc/sgabios.bin r, - /usr/share/ovmf/** r, /usr/share/OVMF/** r, - /usr/share/AAVMF/** r, + /usr/share/ovmf/** r, + /usr/share/proll/** r, /usr/share/qemu-efi/** r, + /usr/share/qemu-kvm/** r, + /usr/share/qemu/** r, + /usr/share/seabios/** r, /usr/share/slof/** r, + /usr/share/vgabios/** r, =20 # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140) /etc/pki/CA/ r, 
@@ -98,7 +98,33 @@ # the various binaries /usr/bin/kvm rmix, /usr/bin/qemu rmix, + /usr/bin/qemu-aarch64 rmix, + /usr/bin/qemu-alpha rmix, + /usr/bin/qemu-arm rmix, + /usr/bin/qemu-armeb rmix, + /usr/bin/qemu-cris rmix, + /usr/bin/qemu-i386 rmix, /usr/bin/qemu-kvm rmix, + /usr/bin/qemu-m68k rmix, + /usr/bin/qemu-microblaze rmix, + /usr/bin/qemu-microblazeel rmix, + /usr/bin/qemu-mips rmix, + /usr/bin/qemu-mips64 rmix, + /usr/bin/qemu-mips64el rmix, + /usr/bin/qemu-mipsel rmix, + /usr/bin/qemu-mipsn32 rmix, + /usr/bin/qemu-mipsn32el rmix, + /usr/bin/qemu-or32 rmix, + /usr/bin/qemu-ppc rmix, + /usr/bin/qemu-ppc64 rmix, + /usr/bin/qemu-ppc64abi32 rmix, + /usr/bin/qemu-ppc64le rmix, + /usr/bin/qemu-s390x rmix, + /usr/bin/qemu-sh4 rmix, + /usr/bin/qemu-sh4eb rmix, + /usr/bin/qemu-sparc rmix, + /usr/bin/qemu-sparc32plus rmix, + /usr/bin/qemu-sparc64 rmix, /usr/bin/qemu-system-aarch64 rmix, /usr/bin/qemu-system-alpha rmix, /usr/bin/qemu-system-arm rmix, 
@@ -132,32 +158,6 @@ /usr/bin/qemu-system-x86_64 rmix, /usr/bin/qemu-system-xtensa rmix, /usr/bin/qemu-system-xtensaeb rmix, - /usr/bin/qemu-aarch64 rmix, - /usr/bin/qemu-alpha rmix, - /usr/bin/qemu-arm rmix, - /usr/bin/qemu-armeb rmix, - /usr/bin/qemu-cris rmix, - /usr/bin/qemu-i386 rmix, - /usr/bin/qemu-m68k rmix, - /usr/bin/qemu-microblaze rmix, - /usr/bin/qemu-microblazeel rmix, - /usr/bin/qemu-mips rmix, - /usr/bin/qemu-mips64 rmix, - /usr/bin/qemu-mips64el rmix, - /usr/bin/qemu-mipsel rmix, - /usr/bin/qemu-mipsn32 rmix, - /usr/bin/qemu-mipsn32el rmix, - /usr/bin/qemu-or32 rmix, - /usr/bin/qemu-ppc rmix, - /usr/bin/qemu-ppc64 rmix, - /usr/bin/qemu-ppc64abi32 rmix, - /usr/bin/qemu-ppc64le rmix, - /usr/bin/qemu-s390x rmix, - /usr/bin/qemu-sh4 rmix, - /usr/bin/qemu-sh4eb rmix, - /usr/bin/qemu-sparc rmix, - /usr/bin/qemu-sparc32plus rmix, - /usr/bin/qemu-sparc64 rmix, /usr/bin/qemu-unicore32 rmix, /usr/bin/qemu-x86_64 rmix, # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
-- 
2.24.1
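Review bot: in the @@ -39,19 +39,19 @@ hunk the reorder leaves `/{dev,run}/shmpulse-shm* r,` directly above `/{dev,run}/shmpulse-shm* rwk,`, and since `rwk` already grants `r` the first rule is dead; it is pre-existing, so not for this reorder-only patch, but worth a one-line follow-up. Moving `/dev/snd/* rw,` to the top of the block is a good side effect: the WARNING comment right above it tells admins to comment out or prepend `deny` to "the rules for files in /dev", and the rule it means now sits first.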
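Review bot: the order in the @@ -73,21 +73,21 @@ hunk is byte order with case folding, i.e. what `LC_ALL=C sort -f` produces: `/usr/share/qemu-efi/** r,` and `/usr/share/qemu-kvm/** r,` land before `/usr/share/qemu/** r,` because `-` sorts before `/`, and `/usr/share/OVMF/** r,` sits immediately before `/usr/share/ovmf/** r,`. The commit message only says "ignoring case sensitivity"; please name the command, otherwise the next person extending a block will get a locale-dependent order. The hunk is otherwise safe to take: the nine `-` lines (kvm, qemu, qemu-kvm, proll, vgabios, seabios, misc/sgabios.bin, ovmf, AAVMF) all come back as `+` lines with the same `r` mode.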
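Review bot: the @@ -98,7 +98,33 @@ hunk merges the user-mode emulators (`/usr/bin/qemu-aarch64 rmix,` down to `/usr/bin/qemu-sparc64 rmix,`) into one alphabetical run with `/usr/bin/qemu-kvm rmix,` and the `qemu-system-*` binaries under the single "# the various binaries" comment, so the former grouping of system emulators apart from user-mode ones is lost for anyone auditing what the profile lets qemu exec. Since comments are the block boundaries the sort respects, a second comment line introducing the user-mode set would keep both the sort and the grouping.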
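Review bot: the 26 `-` lines in the @@ -132,32 +158,6 @@ hunk are the same 26 lines added at @@ -98, all still `rmix`, so nothing changes in what may be executed or mmapped, and the counts in both hunk headers agree (32 - 26 = 6, 7 + 26 = 33). One thing to spell out in the commit message: `/usr/bin/qemu-unicore32 rmix,` and `/usr/bin/qemu-x86_64 rmix,` stay where they are only because they already sort after `qemu-system-xtensaeb`, which otherwise reads as if two user-mode binaries were missed.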
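An added example, not libvirt's code and not part of the patch: a small Python tool that does what the commit message above describes (sort the rules of each comment-delimited block of an AppArmor profile fragment, folding case) together with the check a reviewer wants for a reorder-only patch, namely that every block ends up with exactly the rule lines it started with, and a scan for a path granted twice with nested modes. The sample profile text is constructed from lines visible in the hunks; the function names are mine. The sort key (`str.upper()` plus a raw-bytes tie-break) reproduces `LC_ALL=C sort -f`, which is the order the hunks show (`qemu-kvm` before `qemu/`, `OVMF` before `ovmf`).

```python
"""Sort AppArmor rules block by block and check a reorder-only patch.

Added example, not libvirt code.  A block is a run of rule lines between
comment or blank lines; separators stay put and only the rules inside each
block are sorted.  The key folds case and breaks ties on raw bytes, which
reproduces `LC_ALL=C sort -f` ('-' before '/', 'OVMF' before 'ovmf').
"""
from collections import Counter
from itertools import groupby


def _is_rule(line):
    s = line.strip()
    return bool(s) and not s.startswith("#")


def _segments(profile):
    """Document-order list of separator lines (str) and rule blocks (list)."""
    segs = []
    for is_rule, run in groupby(profile.splitlines(), key=_is_rule):
        if is_rule:
            segs.append(list(run))
        else:
            segs.extend(run)
    return segs


def _sort_key(line):
    s = line.strip()          # all rules share one indent, so compare the body
    return (s.upper(), s)     # case-folded first, raw bytes as the tie-break


def sort_blocks(profile):
    out = []
    for seg in _segments(profile):
        out.extend(sorted(seg, key=_sort_key) if isinstance(seg, list) else [seg])
    text = "\n".join(out)
    return text + "\n" if profile.endswith("\n") else text


def is_pure_reorder(before, after):
    """True iff separators match in place and each block keeps its multiset of rules."""
    def shape(profile):
        return [Counter(s) if isinstance(s, list) else s for s in _segments(profile)]
    return shape(before) == shape(after)


def redundant_file_rules(profile):
    """(path, modes) of file rules whose modes are a proper subset of another
    rule on the same path, e.g. `foo r,` beside `foo rwk,` (letter-set check)."""
    by_path = {}
    for line in profile.splitlines():
        s = line.strip()
        if not _is_rule(line) or not s.startswith(("/", "@{")):
            continue
        path, _, modes = s.rstrip(",").rpartition(" ")
        by_path.setdefault(path, []).append(set(modes))
    return [(p, "".join(sorted(a))) for p, sets in by_path.items()
            for i, a in enumerate(sets)
            if any(a < b for j, b in enumerate(sets) if j != i)]


# Constructed sample from lines visible in the patch, in pre-patch order.
BEFORE = """\
  # access to firmware's etc
  /usr/share/kvm/** r,
  /usr/share/qemu/** r,
  /usr/share/qemu-kvm/** r,
  /usr/share/misc/sgabios.bin r,
  /usr/share/ovmf/** r,
  /usr/share/OVMF/** r,
  /usr/share/AAVMF/** r,

  # WARNING: sound gives the guest direct access to host hardware
  /{dev,run}/shm r,
  /{dev,run}/shmpulse-shm* r,
  /{dev,run}/shmpulse-shm* rwk,
  /dev/snd/* rw,
  capability ipc_lock,
"""

# The order the patch arrives at for the same lines.
AFTER = """\
  # access to firmware's etc
  /usr/share/AAVMF/** r,
  /usr/share/kvm/** r,
  /usr/share/misc/sgabios.bin r,
  /usr/share/OVMF/** r,
  /usr/share/ovmf/** r,
  /usr/share/qemu-kvm/** r,
  /usr/share/qemu/** r,

  # WARNING: sound gives the guest direct access to host hardware
  /dev/snd/* rw,
  /{dev,run}/shm r,
  /{dev,run}/shmpulse-shm* r,
  /{dev,run}/shmpulse-shm* rwk,
  capability ipc_lock,
"""

if __name__ == "__main__":
    print(sort_blocks(BEFORE) == AFTER, is_pure_reorder(BEFORE, AFTER))
    print(redundant_file_rules(AFTER))
```

`is_pure_reorder` is the check to run on any patch that claims to only move lines: it compares the comment and blank lines positionally and the rule lines per block as multisets, so a mode change or a dropped rule hidden inside a large reorder fails it. `redundant_file_rules` flags pairs such as the `shmpulse-shm*` `r`/`rwk` rules that a sort brings next to each other.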
From: Michal Privoznik
To: libvir-list@redhat.com
Cc: christian.ehrhardt@canonical.com
Subject: [PATCH 6/6] apparmor: Allow some more BIOS/UEFI paths
Date: Sat, 25 Jan 2020 09:46:50 +0100
Message-Id: <7061a99eafbc6ededbd66873539764608368057e.1579941835.git.mprivozn@redhat.com>

There are two more paths that we are missing in the default domain
profile: /usr/share/edk2-ovmf/ and /usr/share/sgabios/. These exist on my
Gentoo box and contain UEFI and BIOS images respectively.

Signed-off-by: Michal Privoznik
---
 src/security/apparmor/libvirt-qemu | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 2291829270..6942b83969 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -75,6 +75,7 @@ # access to firmware's etc /usr/share/AAVMF/** r, /usr/share/bochs/** r, + /usr/share/edk2-ovmf/** r, /usr/share/kvm/** r, /usr/share/misc/sgabios.bin r, /usr/share/openbios/** r, @@ -86,6 +87,7 @@ /usr/share/qemu-kvm/** r, /usr/share/qemu/** r, /usr/share/seabios/** r, + /usr/share/sgabios/** r, /usr/share/slof/** r, /usr/share/vgabios/** r, =20
-- 
2.24.1
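Review bot: `/usr/share/edk2-ovmf/** r,` in the @@ -75,6 +75,7 @@ hunk is a distribution-specific layout (the commit message says it comes from the author's Gentoo box), and elsewhere the profile records where such entries come from, e.g. `# for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)` in patch 5/6; record the origin here as well, at least in the commit message, so the rule can be traced or dropped later. Mode `r` is right for firmware images and matches every neighbour in the block.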
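Review bot: in the @@ -86,6 +87,7 @@ hunk `/usr/share/sgabios/** r,` joins the existing `/usr/share/misc/sgabios.bin r,`, so the profile now carries two sgabios rules that read like a duplicate; say in the commit message that they serve different packaging layouts so a later cleanup does not drop one. The slot between `/usr/share/seabios/** r,` and `/usr/share/slof/** r,` keeps the case-folded byte order introduced in 5/6.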