[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [PATCH 6/8] apparmor: allow virt-aa-helper to read from tmp



On Mon, 03 Aug 2020, Christian Ehrhardt wrote:

> From: Stefan Bader <stefan bader canonical com>
> 
> temporary directories are a common place images are placed by users
> for any sort of quick evaluation. Allow virt-aa-helper access to tmp
> via the existing user-tmp apparmor abstraction.
> 
> That way if a guest definition has paths in temporary directories
> virt-aa-helper can properly probe them e.g. for further backing files in
> the case of qcow2.
> 
> Signed-off-by: Christian Ehrhardt <christian ehrhardt canonical com>
> ---
>  src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> index dfc61e8de4..3f204799a6 100644
> --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> @@ -3,6 +3,7 @@
>  profile virt-aa-helper @libexecdir@/virt-aa-helper {
>    #include <abstractions/base>
>    #include <abstractions/nameservice>
> +  #include <abstractions/user-tmp>

user-tmp allows write and all other accesses for disks are read. We have
these rules:

  /**.img r,
  /**.raw r,
  /**.qcow{,2} r,
  /**.qed r,
  /**.vmdk r,
  /**.vhd r,
  /**.[iI][sS][oO] r,
  /**/disk{,.*} r,

Why are these not sufficient? What was the denial that triggered the
issue?

-- 
Jamie Strandboge             | http://www.canonical.com


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]