Re: [PATCH] apparmor: Allow /usr/libexec for libxl-save-helper and pygrub

2020-09-24 Thread Christian Ehrhardt
On Wed, Sep 23, 2020 at 6:45 PM Jim Fehlig wrote:
>
> On 9/23/20 7:51 AM, Jim Fehlig wrote:
> > On 9/23/20 7:26 AM, Christian Ehrhardt wrote:
> >> On Wed, Sep 23, 2020 at 12:35 AM Jim Fehlig wrote:
> >>>
> >>> Like other distros, openSUSE Tumbleweed recently changed libexecdir from
> >>> /usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper
> >>> and pygrub.
> >>
> >> Hi Jim,
> >> ack to the intention, but I think since this should use @libexecdir@ I think.
> >> Or did anything change that this doesn't apply anymore ... in that
> >> case I beg your pardon.
> >>
> >> [1]:
> >> https://libvirt.org/git/?p=libvirt.git;a=commit;h=5c8bd31c881e99261ac098e867a79b300440731a
> >>
> >
> > Heh, I see that skipped over the xen stuff :-). I'll send a V2 later.
>
> Thinking about it more, perhaps it is best to go with this V1 patch since these
> are not files provided by libvirt but xen, where conceivably libvirt and xen
> could be built with different libexecdir? IMO it would be best to explicitly
> list the known paths distros have used for libxl-save-helper and pygrub.

You are right, and in >99% of the cases it will be one of the two
paths you have in your rule anyway.
Sorry for the detour Jim

Reviewed-by: Christian Ehrhardt 


> Regards,
> Jim
>


-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd



Re: [PATCH] apparmor: Allow /usr/libexec for libxl-save-helper and pygrub

2020-09-23 Thread Neal Gompa
On Tue, Sep 22, 2020 at 6:35 PM Jim Fehlig wrote:
>
> Like other distros, openSUSE Tumbleweed recently changed libexecdir from
> /usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper
> and pygrub.
>
> Signed-off-by: Jim Fehlig 
> ---
>
> I considered including /usr/lib64, but I don't think any distros are
> installing xen libexecdir targets to /usr/lib64. Happy to include it
> if I'm wrong :-).
>
>  src/security/apparmor/usr.sbin.libvirtd.in | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in 
> b/src/security/apparmor/usr.sbin.libvirtd.in
> index f2030764cd..bf4563e1e8 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> @@ -86,8 +86,8 @@ profile libvirtd @sbindir@/libvirtd 
> flags=(attach_disconnected) {
>/{usr/,}lib/udev/scsi_id PUx,
>/usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
>/usr/{lib,lib64}/xen/bin/* Ux,
> -  /usr/lib/xen-*/bin/libxl-save-helper PUx,
> -  /usr/lib/xen-*/bin/pygrub PUx,
> +  /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,
> +  /usr/{lib,libexec}/xen-*/bin/pygrub PUx,
>/usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
>/usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
>
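
Review bot: The context line `/usr/{lib,lib64}/xen/bin/* Ux,` directly above the changed rules still lists only lib and lib64, so a Xen build that installs its helpers under an unversioned /usr/libexec/xen/bin would match neither that rule nor the new `xen-*` ones, which require the hyphenated directory name. If any distro that moved libexecdir uses the unversioned layout, add libexec to that alternation in the same patch; otherwise say in the commit message that only the versioned `xen-*` layout is affected.
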
> --
> 2.28.0
>

Yay! Looks great to me!

Reviewed-by: Neal Gompa 


-- 
真実はいつも一つ!/ Always, there's only one truth!




Re: [PATCH] apparmor: Allow /usr/libexec for libxl-save-helper and pygrub

2020-09-23 Thread Neal Gompa
On Wed, Sep 23, 2020 at 12:46 PM Jim Fehlig wrote:
>
> On 9/23/20 7:51 AM, Jim Fehlig wrote:
> > On 9/23/20 7:26 AM, Christian Ehrhardt wrote:
> >> On Wed, Sep 23, 2020 at 12:35 AM Jim Fehlig wrote:
> >>>
> >>> Like other distros, openSUSE Tumbleweed recently changed libexecdir from
> >>> /usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper
> >>> and pygrub.
> >>
> >> Hi Jim,
> >> ack to the intention, but I think since this should use @libexecdir@ I think.
> >> Or did anything change that this doesn't apply anymore ... in that
> >> case I beg your pardon.
> >>
> >> [1]:
> >> https://libvirt.org/git/?p=libvirt.git;a=commit;h=5c8bd31c881e99261ac098e867a79b300440731a
> >>
> >
> > Heh, I see that skipped over the xen stuff :-). I'll send a V2 later.
>
> Thinking about it more, perhaps it is best to go with this V1 patch since these
> are not files provided by libvirt but xen, where conceivably libvirt and xen
> could be built with different libexecdir? IMO it would be best to explicitly
> list the known paths distros have used for libxl-save-helper and pygrub.
>

It is entirely possible that one has not been updated yet, or someone
is mixing packages, so this patch makes sense over having it assume a
specific path.


-- 
真実はいつも一つ!/ Always, there's only one truth!




Re: [PATCH] apparmor: Allow /usr/libexec for libxl-save-helper and pygrub

2020-09-23 Thread Jim Fehlig

On 9/23/20 7:51 AM, Jim Fehlig wrote:
> On 9/23/20 7:26 AM, Christian Ehrhardt wrote:
>> On Wed, Sep 23, 2020 at 12:35 AM Jim Fehlig wrote:
>>>
>>> Like other distros, openSUSE Tumbleweed recently changed libexecdir from
>>> /usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper
>>> and pygrub.
>>
>> Hi Jim,
>> ack to the intention, but I think since this should use @libexecdir@ I think.
>> Or did anything change that this doesn't apply anymore ... in that
>> case I beg your pardon.
>>
>> [1]:
>> https://libvirt.org/git/?p=libvirt.git;a=commit;h=5c8bd31c881e99261ac098e867a79b300440731a
>
> Heh, I see that skipped over the xen stuff :-). I'll send a V2 later.


Thinking about it more, perhaps it is best to go with this V1 patch since these 
are not files provided by libvirt but xen, where conceivably libvirt and xen 
could be built with different libexecdir? IMO it would be best to explicitly 
list the known paths distros have used for libxl-save-helper and pygrub.


Regards,
Jim



Re: [PATCH] apparmor: Allow /usr/libexec for libxl-save-helper and pygrub

2020-09-23 Thread Jim Fehlig

On 9/23/20 7:26 AM, Christian Ehrhardt wrote:
> On Wed, Sep 23, 2020 at 12:35 AM Jim Fehlig wrote:
>>
>> Like other distros, openSUSE Tumbleweed recently changed libexecdir from
>> /usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper
>> and pygrub.
>
> Hi Jim,
> ack to the intention, but I think since this should use @libexecdir@ I think.
> Or did anything change that this doesn't apply anymore ... in that
> case I beg your pardon.
>
> [1]:
> https://libvirt.org/git/?p=libvirt.git;a=commit;h=5c8bd31c881e99261ac098e867a79b300440731a

Heh, I see that skipped over the xen stuff :-). I'll send a V2 later.

Regards,
Jim



Re: [PATCH] apparmor: Allow /usr/libexec for libxl-save-helper and pygrub

2020-09-23 Thread Christian Ehrhardt
On Wed, Sep 23, 2020 at 12:35 AM Jim Fehlig wrote:
>
> Like other distros, openSUSE Tumbleweed recently changed libexecdir from
> /usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper
> and pygrub.

Hi Jim,
ack to the intention, but I think since this should use @libexecdir@ I think.
Or did anything change that this doesn't apply anymore ... in that
case I beg your pardon.

[1]: 
https://libvirt.org/git/?p=libvirt.git;a=commit;h=5c8bd31c881e99261ac098e867a79b300440731a

> Signed-off-by: Jim Fehlig 
> ---
>
> I considered including /usr/lib64, but I don't think any distros are
> installing xen libexecdir targets to /usr/lib64. Happy to include it
> if I'm wrong :-).
>
>  src/security/apparmor/usr.sbin.libvirtd.in | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in 
> b/src/security/apparmor/usr.sbin.libvirtd.in
> index f2030764cd..bf4563e1e8 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> @@ -86,8 +86,8 @@ profile libvirtd @sbindir@/libvirtd 
> flags=(attach_disconnected) {
>/{usr/,}lib/udev/scsi_id PUx,
>/usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
>/usr/{lib,lib64}/xen/bin/* Ux,
> -  /usr/lib/xen-*/bin/libxl-save-helper PUx,
> -  /usr/lib/xen-*/bin/pygrub PUx,
> +  /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,
> +  /usr/{lib,libexec}/xen-*/bin/pygrub PUx,
>/usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
>/usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
>
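
Review bot: Both added rules keep the `PUx` mode, so on the new /usr/libexec location libxl-save-helper and pygrub fall back to running unconfined whenever no profile attaches to that path. Where a distro ships a dedicated profile for either helper, check that its attachment path also covers /usr/libexec/xen-*/bin, otherwise the libexecdir move changes the helper from confined to unconfined without any visible denial.
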
> --
> 2.28.0
>
>


-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd



[PATCH] apparmor: Allow /usr/libexec for libxl-save-helper and pygrub

2020-09-22 Thread Jim Fehlig
Like other distros, openSUSE Tumbleweed recently changed libexecdir from
/usr/lib to /usr/libexec. Add it as an allowed path for libxl-save-helper
and pygrub.

Signed-off-by: Jim Fehlig 
---

I considered including /usr/lib64, but I don't think any distros are
installing xen libexecdir targets to /usr/lib64. Happy to include it
if I'm wrong :-).

 src/security/apparmor/usr.sbin.libvirtd.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/security/apparmor/usr.sbin.libvirtd.in 
b/src/security/apparmor/usr.sbin.libvirtd.in
index f2030764cd..bf4563e1e8 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -86,8 +86,8 @@ profile libvirtd @sbindir@/libvirtd 
flags=(attach_disconnected) {
   /{usr/,}lib/udev/scsi_id PUx,
   /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
   /usr/{lib,lib64}/xen/bin/* Ux,
-  /usr/lib/xen-*/bin/libxl-save-helper PUx,
-  /usr/lib/xen-*/bin/pygrub PUx,
+  /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,
+  /usr/{lib,libexec}/xen-*/bin/pygrub PUx,
   /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
   /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
 
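
Review bot: The two changed rules use `{lib,libexec}` while the neighbouring Xen rules in this hunk use `{lib,lib64}`, and the reason for leaving lib64 out is given only in the note below the `---` line, which is dropped when the patch is applied. Move that sentence into the commit message, or add a short comment above the rules, so the omission reads as deliberate to whoever next extends the list.
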
-- 
2.28.0