[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] PATCH 3/4: AppArmor updates



On Thu, 2010-09-23 at 15:02 -0500, Jamie Strandboge wrote:
> > Hmm, that's a libvirt error rather than a QEMU error. Is the restricted
> > AppArmour policy taking effect *before* the actual QEMU binary is exec()d ?
> 
> This is related to the stacked security driver implementation.
> Specifically, if I strace libvirtd, I see in one of its threads:
> gettid()                                = 20306
> open("/proc/20306/attr/current", O_WRONLY) = 3
> write(3, "changeprofile libvirt-7d781722-6"..., 58) = 58
> close(3)                                = 0
> chown("/tmp/qrt-test-libvirt/libvirt/qatest/qatest.img", 116, 123) = 0
> setregid(123, 123)                      = -1 EPERM (Operation not
> permitted)
> 
> This chown appears to come from qemuSecurityDACSetProcessLabel(). What
> seems to be happening is that in __virExec() we call the security hook
> and the apparmor hook is being called before the DAC one, so we
> aa_change_profile() to the more restricted libvirt-<uuid> profile. It
> seems that it would be preferable to reverse the calling order of the
> hooks, but I am not sure how to do that.

Err.. of course I meant both the 'chown' and the 'setregid' appear to
come from qemuSecurityDACSetProcessLabel() and that it is the setregid
that is causing the error.

-- 
Jamie Strandboge             | http://www.canonical.com

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]