Re: [PATCH 7/8] apparmor: allow virt-aa-helper to read openvswitch sockets
On Mon, Aug 3, 2020 at 5:13 PM Jamie Strandboge <jamie canonical com> wrote:
On Mon, 03 Aug 2020, Christian Ehrhardt wrote:

> From: Serge Hallyn <serge hallyn ubuntu com>
>
> Chardevs/sockets configured for openvswitch-dpdk use cases
> might be probed by virt-aa-helper. Allow that access to enable
> virt-aa-helper rendering per-guest rules for the actual qemu
> guest accessing these sockets eventually.
>
> Signed-off-by: Christian Ehrhardt <christian ehrhardt canonical com>
> Signed-off-by: Stefan Bader <stefan bader canonical com>
> Signed-off-by: Serge Hallyn <serge hallyn ubuntu com>
> ---
>  src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> index 3f204799a6..877cb04b1e 100644
> --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> @@ -46,6 +46,9 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
>    @sysconfdir@/apparmor.d/libvirt/* r,
>    @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,

> +  # for openvswitch sockets
> +  /{,var/}run/openvswitch/** rw,
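Review bot: the added rule `/{,var/}run/openvswitch/** rw,` grants both read and write access to everything under the openvswitch run directory, which is broader than the patch subject ("read openvswitch sockets") and the commit message ("might be probed by virt-aa-helper") describe; if virt-aa-helper only needs to probe the configured chardev/socket paths, `r` should be enough, and the commit message should state which probing operation in virt-aa-helper actually requires the access so the rule can be justified and narrowed, rather than leaving a blanket `rw` on a directory the helper itself should never need to write to.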

A bit unfortunate and unexpected. What kind of probing does
virt-aa-helper do on these?

I'm so glad we do this exercise and you have the "investigative hat on" to challenge the few bits of the series that seem odd.
I have read through virt-aa-helper again with a focus on this and at least today's openvswitch-dpdk+libvirt should not need this anymore.

It seems this was a wild guess many years ago and added for bug 1513367 but eventually (or just nowadays) is no longer needed.

I have set up a 20.04 based openvswitch-dpdk system and dropped the rule.
Once with vhostuserclient and once on an older system with the older vhostuser type connection.

Things are still working, so I'm removing this rule from this series as well as from the Ubuntu builds.
 
--
Jamie Strandboge             | http://www.canonical.com


--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd