]> git.ipfire.org Git - thirdparty/libvirt.git/commitdiff
projects / thirdparty / libvirt.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c0c1c08)
Apparmor: Allow reading libnl's classid file
authorJim Fehlig <jfehlig@suse.com>
Wed, 16 Jun 2021 21:11:14 +0000 (15:11 -0600)
committerJim Fehlig <jfehlig@suse.com>
Thu, 24 Jun 2021 19:54:42 +0000 (13:54 -0600)
I noticed the following denial messages from apparmor in audit.log when
starting confined VMs via the QEMU driver

type=AVC msg=audit(1623864006.370:837): apparmor="DENIED" operation="open" \
profile="virt-aa-helper" name="/etc/libnl/classid" pid=11265 \
comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

type=AVC msg=audit(1623864006.582:849): apparmor="DENIED" operation="open" \
profile="libvirt-0ca2720d-6cff-48bb-86c2-61ab9a79b6e9" \
name="/etc/libnl/classid" pid=11270 comm="qemu-system-x86" \
requested_mask="r" denied_mask="r" fsuid=107 ouid=0

It is possible for site admins to assign names to classids in this file,
which are then used by all libnl tools, possibly those used by libvirt.
To be on the safe side, allow read access to the file in the virt-aa-helper
profile and the libvirt-qemu abstraction.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
src/security/apparmor/libvirt-qemu patch | blob | blame | history
src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in patch | blob | blame | history

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 85c9e61d6c6dbbfffa0f76979090ba7e23e20bbf..6275b6e95b54447a994127f64e1a1f11b27704df 100644 (file)
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -35,6 +35,8 @@
   @{PROC}/sys/vm/overcommit_memory r,
   # detect hardware capabilities via qemu_getauxval
   owner @{PROC}/*/auxv r,
+  # allow reading libnl's classid file
+  /etc/libnl{,-3}/classid r,
 
   # For hostdev access. The actual devices will be added dynamically
   /sys/bus/usb/devices/ r,
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index dd18c8ab896183638dac21b251abc811edd6ffb6..8ebb47596a1a0b329c3dec86890b1fe251b27524 100644 (file)
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -19,7 +19,8 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
   # Used when internally running another command (namely apparmor_parser)
   @{PROC}/@{pid}/fd/ r,
 
-  @sysconfdir@/libnl-3/classid r,
+  # allow reading libnl's classid file
+  @sysconfdir@/libnl{,-3}/classid r,
 
   # for gl enabled graphics
   /dev/dri/{,*} r,
Mirror of https://github.com/libvirt/libvirt.git