git.ipfire.org Git - thirdparty/libvirt.git/commit
Apparmor: Allow reading libnl's classid file
author Jim Fehlig <jfehlig@suse.com>
Wed, 16 Jun 2021 21:11:14 +0000 (15:11 -0600)
committer Jim Fehlig <jfehlig@suse.com>
Thu, 24 Jun 2021 19:54:42 +0000 (13:54 -0600)
commit f552e68d9f0288037d2372e863837749cedd1c27
tree f12fce125d5c94d4b298cdd640b94353b1ff87f0
parent c0c1c08b6397bd91aa0b2a7fe53c1707847d199d
Apparmor: Allow reading libnl's classid file

I noticed the following denial messages from apparmor in audit.log when
starting confined VMs via the QEMU driver

type=AVC msg=audit(1623864006.370:837): apparmor="DENIED" operation="open" \
profile="virt-aa-helper" name="/etc/libnl/classid" pid=11265 \
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

type=AVC msg=audit(1623864006.582:849): apparmor="DENIED" operation="open" \
profile="libvirt-0ca2720d-6cff-48bb-86c2-61ab9a79b6e9" \
name="/etc/libnl/classid" pid=11270 comm="qemu-system-x86" \
requested_mask="r" denied_mask="r" fsuid=107 ouid=0

It is possible for site admins to assign names to classids in this file,
which are then used by all libnl tools, possibly those used by libvirt.
To be on the safe side, allow read access to the file in the virt-aa-helper
profile and the libvirt-qemu abstraction.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
src/security/apparmor/libvirt-qemu
src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
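As an added example (not part of this commit or of libvirt), a small parser that turns AppArmor denial records like the two quoted above into the minimal file rules that would satisfy them, and routes denials from per-VM profiles to the shared libvirt-qemu abstraction, which is where this commit placed the rule. The libvirt-<UUID> naming of per-VM profiles is an assumption about stock libvirt.

```python
import re
from collections import defaultdict

# Sample input: the two denials quoted in the commit message above.
AUDIT_LOG = """\
type=AVC msg=audit(1623864006.370:837): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=11265 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1623864006.582:849): apparmor="DENIED" operation="open" profile="libvirt-0ca2720d-6cff-48bb-86c2-61ab9a79b6e9" name="/etc/libnl/classid" pid=11270 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
"""

# key=value or key="value" tokens as the audit subsystem writes them
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: libvirt generates one profile per domain named libvirt-<UUID>,
# and those profiles include the shared libvirt-qemu abstraction.
_DOMAIN_PROFILE = re.compile(r"^libvirt-[0-9a-f-]{36}$")


def parse_avc(line):
    """Return the fields of an AppArmor DENIED record, or None for any other line."""
    fields = {k: (q or u) for k, q, u in _KV.findall(line)}
    if fields.get("type") != "AVC" or fields.get("apparmor") != "DENIED":
        return None
    return fields


def target_profile(profile):
    """Map a generated per-VM profile to the abstraction the rule belongs in."""
    return "libvirt-qemu" if _DOMAIN_PROFILE.match(profile) else profile


def suggest_rules(log):
    """Collect, per profile, the file rules that grant exactly what was denied."""
    rules = defaultdict(set)
    for line in log.splitlines():
        d = parse_avc(line)
        if d is None or d.get("operation") != "open" or "name" not in d:
            continue
        # grant only the denied mask (here "r"), never a broader one
        rules[target_profile(d["profile"])].add(f'{d["name"]} {d["denied_mask"]},')
    return {p: sorted(r) for p, r in rules.items()}


if __name__ == "__main__":
    for profile, lines in suggest_rules(AUDIT_LOG).items():
        print(f"# add to profile/abstraction {profile}:")
        print("\n".join(lines))
```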