[libvirt] [PATCH 1/2] security: aa-helper: nvidia rules for gl devices

Christian Ehrhardt christian.ehrhardt at canonical.com
Wed Mar 6 10:33:53 UTC 2019


On Tue, Mar 5, 2019 at 5:45 PM Jamie Strandboge <jamie at canonical.com> wrote:
>
> On Tue, 05 Mar 2019, Christian Ehrhardt wrote:
>
> > Further testing with different devices showed that we need more rules
> > to drive gl backends with nvidia cards. Related denies look like:
> >
> > apparmor="DENIED" operation="open"
> >   name="/usr/share/egl/egl_external_platform.d/"
> >   requested_mask="r"
> > apparmor="DENIED" operation="open"
> >   name="/proc/modules"
> >   requested_mask="r"
> > apparmor="DENIED" operation="open"
> >   name="/proc/driver/nvidia/params"
> >   requested_mask="r"
> > apparmor="DENIED" operation="mknod"
> >   name="/dev/nvidiactl"
> >   requested_mask="c"
> >
> > Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1817943
> >
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> > ---
> >  src/security/virt-aa-helper.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> >
> > diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> > index e9120213ff..13b507ff69 100644
> > --- a/src/security/virt-aa-helper.c
> > +++ b/src/security/virt-aa-helper.c
> > @@ -1279,6 +1279,11 @@ get_files(vahControl * ctl)
> >          virBufferAddLit(&buf, "  \"/usr/share/drirc.d/{,*.conf}\" r,\n");
> >          virBufferAddLit(&buf, "  \"/etc/glvnd/egl_vendor.d/{,*}\" r,\n");
> >          virBufferAddLit(&buf, "  \"/usr/share/glvnd/egl_vendor.d/{,*}\" r,\n");
> > +        virBufferAddLit(&buf, "  \"/usr/share/egl/egl_external_platform.d/\" r,\n");
> > +        virBufferAddLit(&buf, "  \"/usr/share/egl/egl_external_platform.d/*\" r,\n");
> > +        virBufferAddLit(&buf, "  \"/proc/modules\" r,\n");
> > +        virBufferAddLit(&buf, "  \"/proc/driver/nvidia/params\" r,\n");
> > +        virBufferAddLit(&buf, "  \"/dev/nvidiactl\" rw,\n");
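Review bot: the two new egl_external_platform.d rules on the first two added lines could be folded into one using the `{,*}` brace form the adjacent drirc.d and glvnd rules already use, i.e. `"  \"/usr/share/egl/egl_external_platform.d/{,*}\" r,\n"`, which keeps the block consistent and one line shorter. Separately, the denial quoted in the commit message for /dev/nvidiactl is operation="mknod" with requested_mask="c", while the last added line grants only `rw`; that is the tighter choice, since opening the existing node is what the gl backend needs, but it means the mknod denial will still be logged, so a short comment above these lines stating that create/mknod is intentionally not granted would save the next reader from "fixing" it.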
>
> All the reads are fine. The 'rw' for nvidiactl is unfortunate but there isn't
> anything we can do about the need for it. At least the policy doesn't have
> 'capability mknod' and DAC will protect against creating/removing the device
> where the VMs run as non-root.
>
> +1 to apply

Thanks, pushed with your ack

> --
> Jamie Strandboge             | http://www.canonical.com



-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
