[libvirt] [PATCH 01/10] virt-aa-helper: Ask for no deny rule for readonly disk elements
Cedric Bosdonnat
cbosdonnat at suse.com
Fri May 19 09:45:30 UTC 2017
Hi Christian,
On Fri, 2017-05-19 at 11:18 +0200, Christian Ehrhardt wrote:
>
> On Fri, May 19, 2017 at 10:03 AM, Guido Günther <agx at sigxcpu.org> wrote:
> > But if we aim for a profile replace on blockcommit [1] that wouldn't matter
> > since the whole profile would get replaced, wouldn't it?
> >
>
> Since this is based on [1][2] looping in Cédric here to share some old explanations.
> See especially [1] for some reasoning for 'R' in general.
>
> [1]: http://libvirt.org/git/?p=libvirt.git;a=commit;h=c726af2d5a2248f0dad01201b2fc5231fbd4c20f
> [2]: http://libvirt.org/git/?p=libvirt.git;a=commit;h=cedd2ab28262db62976b351dbf2a0f8d9f88ca9e
Sadly the bug report isn't public since it has been reported against SLES. But here is the
description of the bug that motivated that fix:
------------------ %< ------------------
Steps to reproduce:
* run virt-sandbox /bin/sh as root
Expected result: Run a shell in a qemu domain, apparmor enforced
Actual result: Domain fails to start
After some more debugging it happens that the problem is caused by
  <filesystem type='mount' accessmode='passthrough'>
    <source dir='/'/>
    <target dir='host_root'/>
    <readonly/>
  </filesystem>
Since commit http://libvirt.org/git/?p=libvirt.git;a=commit;h=d0d4b8ad76d3e8a859ee90701a21a3f003a22c1f, virt-aa-helper
generates a "deny /** w" rule in such cases that takes precedence over the allow rules.
This has several effects:
* It hides the DENIED/ALLOWED apparmor log entries
* It prevents qemu from writing to the log file, /dev/ptmx and other important files needed to run the domain.
To see the rules, add the audit flag to /etc/apparmor.d/libvirt/TEMPLATE.qemu file and rerun virt-sandbox.
------------------ %< ------------------
I hope this will answer your questions.
--
Cedric
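As an added illustration (not part of the thread and not libvirt's code), a small Python model of the AppArmor precedence the bug report describes: an explicit `deny` rule wins over every allow rule matching the same path and permission, so `deny /** w` shadows the write permissions virt-aa-helper grants for the log file and /dev/ptmx. The profile fragment is constructed, and the glob translation is simplified (no braces, character classes or variables).

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    deny: bool      # True for an explicit "deny" rule
    pattern: str    # AppArmor path glob, e.g. "/**" or "/dev/ptmx"
    perms: str      # permission letters, e.g. "rw"


def glob_to_regex(pattern: str) -> re.Pattern:
    """'**' matches any characters including '/', '*' any characters except '/'."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_profile(text: str) -> list:
    """Parse file rules of the form '[deny] <path> <perms>,' (one per line)."""
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if not line or line.startswith("#"):
            continue
        deny = line.startswith("deny ")
        path, perms = line[5:].rsplit(" ", 1) if deny else line.rsplit(" ", 1)
        rules.append(Rule(deny, path.strip().strip('"'), perms))
    return rules


def access_allowed(rules: list, path: str, perm: str) -> bool:
    """A matching deny rule always wins, regardless of rule order."""
    allowed = False
    for r in rules:
        if perm in r.perms and glob_to_regex(r.pattern).match(path):
            if r.deny:
                return False
            allowed = True
    return allowed


# Constructed fragment modelled on what virt-aa-helper emits (assumption, not real output).
PROFILE = """
  /var/log/libvirt/qemu/sandbox.log w,
  /dev/ptmx rw,
  / r,
  deny /** w,
"""
```

Running `access_allowed(parse_profile(PROFILE), "/dev/ptmx", "w")` returns False because of the deny rule, while dropping that rule from the list makes the same call return True.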