[PATCH] apparmor: avoid denials on libpmem initialization
Jamie Strandboge
jamie at canonical.com
Wed Apr 8 16:40:50 UTC 2020
On Wed, 08 Apr 2020, Christian Ehrhardt wrote:
> With libpmem support compiled into qemu it will trigger the following
> denials on every startup.
> apparmor="DENIED" operation="open" name="/"
> apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/"
>
> This is due to [1] that tries to auto-detect if the platform supports
> auto flush for all regions.
>
> Once we know all the paths that are potentially needed if this feature
> is really used we can add them conditionally in virt-aa-helper and labelling
> calls in case </pmem> is enabled.
>
> But until then the change here silences the denial warnings seen above.
>
> [1]: https://github.com/pmem/pmdk/blob/master/src/libpmem2/auto_flush_linux.c#L131
>
> Bug: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1871354
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> ---
> src/security/apparmor/libvirt-qemu | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> index 80986aec61..602f5eb587 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -227,3 +227,8 @@
> # required for sasl GSSAPI plugin
> /etc/gss/mech.d/ r,
> /etc/gss/mech.d/* r,
> +
> + # scanned on libpmem init, but harmless on any lsb compliant system
> + / r,
I suggest adjusting the comment for clarity. E.g.:
# required by libpmem init
/ r, # harmless on any lsb compliant system
/sys/bus/nd/devices/ r,
...
The '/' read is indeed fine.
> + /sys/bus/nd/devices/ r,
This also is fine.
> + /sys/bus/nd/devices/* r,
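Review bot: the rule "/sys/bus/nd/devices/* r," at the end of this hunk grants read access to every present and future entry in that directory, while the commit message itself states that the full set of paths libpmem needs is not yet known; enumerate the specific files the auto-flush probe in auto_flush_linux.c opens and list those explicitly, or state in the comment why the whole directory must be readable by every qemu process. Also, the single comment "# scanned on libpmem init, but harmless on any lsb compliant system" is placed above all three new rules, but the "harmless on any lsb compliant system" justification only fits "/ r,"; reword it so it is clear which rule it describes.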
Can you list what files libpmem init is looking at? I'm a bit
uncomfortable with the glob here and would rather not guess that today's
and all future files in /sys/bus/nd/devices are safe for all qemu
processes to read.
--
Jamie Strandboge | http://www.canonical.com