[libvirt] [PATCH 2/3] virt-aa-helper: don't deny writes to readonly mounts

Guido Günther agx at sigxcpu.org
Thu Nov 26 17:25:54 UTC 2015


On Thu, Nov 26, 2015 at 04:02:03PM +0100, Cedric Bosdonnat wrote:
> On Thu, 2015-11-26 at 15:42 +0100, Guido Günther wrote:
> > Hi,
> > On Tue, Nov 17, 2015 at 03:14:51PM +0100, Cédric Bosdonnat wrote:
> > > There is no need to deny writes on a readonly mount: write still
> > > won't be accepted, even if the user remounts the folder as RW in
> > > the guest as qemu sets the 9p mount as ro.
> > 
> > Wouldn't a security hole in qemu possibly allow circumventing this, and
> > isn't this type of exploit the thing we want to guard against in the
> > apparmor profiles?
> > 
> > > This deny rule was leading to problems for example with readonly /:
> > > The qemu process had to write to a bunch of files in / like logs,
> > > sockets, etc. This deny rule was also preventing auditing of these
> > > denials, making it harder to debug.
> > 
> > So you're mapping a host directory as '/' into the guest or what was the
> > exact setup? 
> 
> Yes, `virt-sandbox /bin/sh` will readonly mount the host / as / in the
> guest. This will result in a 'deny /** w' rule that prevents writing to
> several files. As the deny rules have precedence over the allow ones,
> this rule will be the one applied for the logs and other files we need
> to write to.

I see. Since I don't see any other nice solution, mild "ACK", since I'm
not an apparmor expert.
Cheers,
 -- Guido
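
An added example, not part of the thread or of libvirt's code: a simplified Python model of AppArmor file-rule evaluation that shows the deny-over-allow precedence and the unlogged denials discussed above. The rule sets, paths and function names are constructed for illustration, and only the `**`, `*` and `?` globs are modelled.

```python
import re

def glob_to_regex(glob):
    """Translate the AppArmor glob subset modelled here: '**', '*' and '?'."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")        # '**' also crosses '/' boundaries
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")     # '*' stays inside one path component
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def check(rules, path, perm):
    """Return (allowed, logged) for one access in enforce mode (simplified)."""
    hits = [qual for qual, glob, perms in rules
            if perm in perms and glob_to_regex(glob).match(path)]
    if "audit deny" in hits:
        return (False, True)    # explicit deny, forced into the audit log
    if "deny" in hits:
        return (False, False)   # explicit deny wins over allow and is silent
    if "allow" in hits:
        return (True, False)
    return (False, True)        # no matching rule: implicit denial, logged

# Constructed rule sets; the paths are placeholders, not a generated profile.
LOG = "/var/log/example/guest.log"
BEFORE = [
    ("allow", LOG, "w"),        # file the qemu process must write
    ("allow", "/**", "r"),      # readonly export of the host /
    ("deny", "/**", "w"),       # the deny rule this patch drops
]
AFTER = [rule for rule in BEFORE if rule[0] != "deny"]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        for path in (LOG, "/etc/passwd"):
            print(name, path, "w ->", check(rules, path, "w"))
```

In this model a write to a path with only an `r` rule is still refused once the deny rule is gone, but it becomes an implicit denial that reaches the audit log.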



