[PATCH] apparmor: avoid denials on libpmem initialization

Jamie Strandboge jamie at canonical.com
Wed Apr 8 16:40:50 UTC 2020


On Wed, 08 Apr 2020, Christian Ehrhardt wrote:

> With libpmem support compiled into qemu it will trigger the following
> denials on every startup.
>   apparmor="DENIED" operation="open" name="/"
>   apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/"
> 
> This is due to [1] that tries to auto-detect if the platform supports
> auto flush for all region.
> 
> Once we know all the paths that are potentially needed if this feature
> is really used we can add them conditionally in virt-aa-helper and labelling
> calls in case </pmem> is enabled.
> 
> But until then the change here silences the denial warnings seen above.
> 
> [1]: https://github.com/pmem/pmdk/blob/master/src/libpmem2/auto_flush_linux.c#L131
> 
> Bug: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1871354
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> ---
>  src/security/apparmor/libvirt-qemu | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> index 80986aec61..602f5eb587 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -227,3 +227,8 @@
>    # required for sasl GSSAPI plugin
>    /etc/gss/mech.d/ r,
>    /etc/gss/mech.d/* r,
> +
> +  # scanned on libpmem init, but harmless on any lsb compliant system
> +  / r,

I suggest adjusting the comment for clarity. Eg:

  # required by libpmem init
  / r, # harmless on any lsb compliant system
  /sys/bus/nd/devices/ r,
  ...

The '/' read is indeed fine.

> +  /sys/bus/nd/devices/ r,

This also is fine.

> +  /sys/bus/nd/devices/* r,

Can you list what files libpem init is looking at? I'm a bit
uncomfortable with the glob here and would rather not guess that today's
and all future files in /sys/bus/nd/devices are safe for all qemu
processes to read.

-- 
Jamie Strandboge             | http://www.canonical.com





More information about the libvir-list mailing list