On Wed, Aug 12, 2015 at 11:19:54AM -0500, Jamie Strandboge wrote:
On 08/12/2015 10:59 AM, [email protected] wrote:Hi,[please Cc me any reply, I'm not subscribed to libvir-list.] it was reported [1] to Ubuntu that virt-aa-helper blocks access to the OVMF files needed to boot UEFI virtual machines in QEMU. After I've confirmed that on Debian sid, Jamie Strandboge suggested a fix. I've successfully tested in my environment (applied on top of 1.2.18) so I'm forwarding it here. [1] https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1483071diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 4ce1e7a..357dde4 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -572,8 +572,9 @@ valid_path(const char *path, const bool readonly) }; /* override the above with these */ const char * const override[] = { - "/sys/devices/pci", /* for hostdev pci devices */ - "/etc/libvirt-sandbox/services/" /* for virt-sandbox service config */ + "/sys/devices/pci", /* for hostdev pci devices */ + "/etc/libvirt-sandbox/services/", /* for virt-sandbox service config */ + "/usr/share/ovmf/" /* for OVMF images */ };
Disclaimer: I know nearly nothing about the apparmor insides, so please excuse any inappropriate ideas. Good catch, this makes sense, but to be strictly precise about this, I would say this makes the directory accessible for R/W, but readonly would be enough, wouldn't it? There could be a small code adjustment, I'd even dare calling it a clean-up, that would make it possible for this direcotry to be put in the 'restricted_rw'. It would change the semantic a bit, but since there is no path that could start with string from both 'restricted' and 'restricted_rw' currently, I don't see a problem there.
if (path == NULL) {
Unsurprisingly, this looks good to me.
ACK
Consider my idea of moving the line (and maybe some others from
'override') to 'restricted_rw' after applying the following patch.
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 4ce1e7a20590..2eae3eebdecf 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -595,18 +595,19 @@ valid_path(const char *path, const bool readonly)
vah_warning(_("path does not exist, skipping file type checks"));
opaths = sizeof(override)/sizeof(*(override));
-
- npaths = sizeof(restricted)/sizeof(*(restricted));
- if (array_starts_with(path, restricted, npaths) == 0 &&
- array_starts_with(path, override, opaths) != 0)
- return 1;
+ if (array_starts_with(path, override, opaths) == 0)
+ return 0;
npaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));
- if (!readonly) {
+ if (readonly) {
if (array_starts_with(path, restricted_rw, npaths) == 0)
- return 1;
+ return 0;
}
+ npaths = sizeof(restricted)/sizeof(*(restricted));
+ if (array_starts_with(path, restricted, npaths) != 0)
+ return 1;
+
return 0;
}
--
Martin
signature.asc
Description: PGP signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
