Public bug reported:
I happened to run into issues with virt-aa-helper.
The behavior is the same since essentially forever, but we could improve on it.
TL;DR
If you use a path like:
  <interface type='vhostuser'>
    <source type='unix' path='/var/run/vhostuserclient/vhost-user-client-1'
            mode='server'/>
Then virt-aa-helper will be kind and generate a rule for it to allow
access.
But in some cases, like this one, this isn't sufficient, as there can be symlinks:
  /var/run -> /run
But to avoid attacks via symlinks, AppArmor resolves them before
matching.
That way the above will be checked against:
  /run/vhostuserclient/vhost-user-client-1
And due to that it fails.
virt-aa-helper should on adding a path resolve all symlinks in said path
and use the final path for the rules.
Can be tested with symlinks for the image files as well, which should be
easier.
** Affects: libvirt (Ubuntu)
Importance: Undecided
Status: New
** Tags: virt-aa-helper
** Tags added: virt-aa-helper
--
https://bugs.launchpad.net/bugs/1752361
Title:
virt-aa-helper should resolve symlinks and use only resolved paths
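
The behaviour the report asks for, as an added example (not virt-aa-helper's own code): resolve the path with realpath(3) before writing the rule, so that `/var/run/...` is emitted as `/run/...`. The names `resolve_for_rule` and `format_rule` are hypothetical, and both the fallback for a final component that does not exist yet and the rule layout are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, hypothetical names. Returns a malloc'd copy of `path` with
 * all symlinks resolved (the name AppArmor matches against), or NULL. */
char *resolve_for_rule(const char *path)
{
    struct stat st;
    char *full = realpath(path, NULL);
    if (full || errno != ENOENT)
        return full;
    /* A dangling symlink cannot be resolved; refuse it instead of using the link name. */
    if (lstat(path, &st) == 0)
        return NULL;
    /* Assumption: the file (e.g. a socket) appears later. Resolve the parent only. */
    const char *slash = strrchr(path, '/');
    const char *base = slash ? slash + 1 : path;
    if (!*base || !strcmp(base, ".") || !strcmp(base, ".."))
        return NULL;
    char *parent = slash ? strndup(path, slash == path ? 1 : (size_t)(slash - path))
                         : strdup(".");
    char *dir = parent ? realpath(parent, NULL) : NULL;
    free(parent);
    if (!dir)
        return NULL;
    size_t len = strlen(dir) + strlen(base) + 2;
    char *out = malloc(len);
    if (out)
        snprintf(out, len, "%s%s%s", dir, strcmp(dir, "/") ? "/" : "", base);
    free(dir);
    return out;
}

/* Write an AppArmor-style file rule for the resolved path; 0 on success, -1 on error. */
int format_rule(const char *path, const char *perms, char *out, size_t n)
{
    char *resolved = resolve_for_rule(path);
    if (!resolved)
        return -1;
    int w = snprintf(out, n, "  \"%s\" %s,", resolved, perms);
    free(resolved);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}
```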