[libvirt] [PATCH] fix AppArmor security driver when libvirt is compiled with libcap-ng

Daniel P. Berrange berrange at redhat.com
Wed Feb 10 09:20:33 UTC 2010


On Mon, Feb 08, 2010 at 11:05:50AM -0600, Jamie Strandboge wrote:
> The calls to virExec() in security_apparmor.c when invoking
> virt-aa-helper use VIR_EXEC_CLEAR_CAPS. When compiled without libcap-ng,
> this is not a problem (it's effectively a no-op) but with libcap-ng this
> causes MAC_ADMIN to be cleared. MAC_ADMIN is needed by virt-aa-helper to
> manipulate apparmor profiles and without it VMs will not start[1]. This
> patch calls virExec with the default VIR_EXEC_NONE instead.
> 
> [1] https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/517714
> 
> -- 
> Jamie Strandboge             | http://www.canonical.com

> Author: Jamie Strandboge <jamie at ubuntu.com>
> Description: Don't clear capabilities when calling virt-aa-helper. When built
>  with libcap-ng, clearing caps makes virt-aa-helper lose MAC_ADMIN, which is
>  (obviously) needed by apparmor_parser. This restores libcap-ng behavior to
>  what it was when not built with libcap-ng.
> diff -Nur libvirt-0.7.5/src/security/security_apparmor.c libvirt-0.7.5.new/src/security/security_apparmor.c
> --- libvirt-0.7.5/src/security/security_apparmor.c	2009-12-22 03:37:57.000000000 -0600
> +++ libvirt-0.7.5.new/src/security/security_apparmor.c	2010-02-05 16:32:53.588796032 -0600
> @@ -174,19 +174,19 @@
>              VIRT_AA_HELPER, "-c", "-u", profile, NULL
>          };
>          ret = virExec(conn, argv, NULL, NULL, &child,
> -                      pipefd[0], NULL, NULL, VIR_EXEC_CLEAR_CAPS);
> +                      pipefd[0], NULL, NULL, VIR_EXEC_NONE);
>      } else if (disk && disk->src) {
>          const char *const argv[] = {
>              VIRT_AA_HELPER, "-r", "-u", profile, "-f", disk->src, NULL
>          };
>          ret = virExec(conn, argv, NULL, NULL, &child,
> -                      pipefd[0], NULL, NULL, VIR_EXEC_CLEAR_CAPS);
> +                      pipefd[0], NULL, NULL, VIR_EXEC_NONE);
>      } else {
>          const char *const argv[] = {
>              VIRT_AA_HELPER, "-r", "-u", profile, NULL
>          };
>          ret = virExec(conn, argv, NULL, NULL, &child,
> -                      pipefd[0], NULL, NULL, VIR_EXEC_CLEAR_CAPS);
> +                      pipefd[0], NULL, NULL, VIR_EXEC_NONE);
>      }
>      if (ret < 0)
>          goto clean;
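
Review bot: All three virExec() call sites in this hunk switch to VIR_EXEC_NONE without a comment saying why, so a later cleanup could restore VIR_EXEC_CLEAR_CAPS and bring the failure back. Add a short comment at the calls, for example "virt-aa-helper needs MAC_ADMIN, so capabilities must not be cleared here". The three branches differ only in argv. Selecting argv in the branches and calling virExec() once afterwards would keep the flag in one place. With VIR_EXEC_NONE the helper keeps every capability the daemon holds rather than only MAC_ADMIN, and the description should say so explicitly.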

ACK,

though it'd be nice to make this use virExecHook and provide a hook that
drops all the capabilities it does not need, e.g. everything except for
MAC_ADMIN? If it needs CAP_SYS_ADMIN though, it wouldn't be worthwhile.


Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
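
An added example, not part of the original thread or of libvirt's code: one way to write the capability-dropping hook suggested in the reply above, using the raw kernel interface instead of libcap-ng so it builds without that library. The function names are hypothetical; it assumes the child runs as root and that virt-aa-helper needs nothing beyond MAC_ADMIN, which the thread leaves open.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Build capset() data in which only `cap` is permitted and effective.
 * Each set is two 32-bit words; CAP_MAC_ADMIN is 33, so it sits in word 1. */
void caps_keep_only(int cap, struct __user_cap_data_struct data[2])
{
    for (int i = 0; i < 2; i++)
        data[i].effective = data[i].permitted = data[i].inheritable = 0;
    data[cap >> 5].permitted = data[cap >> 5].effective = 1U << (cap & 31);
}

/* Hypothetical hook, meant to run in the forked child just before execve().
 * Returns 0 on success, -1 with errno set on failure. */
int keep_only_mac_admin_hook(void *opaque)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    (void)opaque;

    /* Shrink the bounding set first: a root process regains every capability
     * still in the bounding set at execve(), so capset() alone would not
     * stick. This needs CAP_SETPCAP, hence it runs before capset(). */
    for (int cap = 0; ; cap++) {
        if (prctl(PR_CAPBSET_READ, cap, 0, 0, 0) < 0)
            break;              /* EINVAL: past the kernel's last capability */
        if (cap != CAP_MAC_ADMIN && prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0)
            return -1;
    }
    caps_keep_only(CAP_MAC_ADMIN, data);
    return (int)syscall(SYS_capset, &hdr, data);
}

int main(void)
{
    if (keep_only_mac_admin_hook(NULL) < 0) {
        perror("drop capabilities");    /* EPERM when not started as root */
        return 1;
    }
    puts("only CAP_MAC_ADMIN retained");
    return 0;
}
```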



