From 4fafa4c0b150c011ae905dfebcb7b42d20d8390b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
Date: Mon, 11 Dec 2017 11:09:31 +0100
Subject: [PATCH] virt-aa-helper: handle more disk images

virt-aa-helper needs read access to the disk image to resolve symlinks and add the proper rules to the profile. Its profile whitelists a few common paths, but users can place their images anywhere. This commit helps users allowing access to their images by adding their own rules in apparmor.d/local/usr.lib.libvirt.virt-aa-helper. This commit also adds rules to allow reading files named:
 - *.raw as this is a rather common disk image extension
 - /run/libvirt/**[vd]d[a-z] as these are used by virt-sandbox
---
 examples/Makefile.am | 23 +++++++++++++++++++++--
 examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++++
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/examples/Makefile.am b/examples/Makefile.am
index ef2f79db3..eca3506b0 100644
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
@@ -67,6 +67,9 @@ admin_client_info_SOURCES = admin/client_info.c
 admin_client_close_SOURCES = admin/client_close.c
 admin_logging_SOURCES = admin/logging.c
+INSTALL_DATA_LOCAL =
+UNINSTALL_LOCAL =
+
 if WITH_APPARMOR_PROFILES
 apparmordir = $(sysconfdir)/apparmor.d/
 apparmor_DATA = \
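Review bot: The two new accumulators `INSTALL_DATA_LOCAL =` and `UNINSTALL_LOCAL =` carry no comment, so a reader of this part of the file cannot tell that they collect per-feature hook targets rather than files. Suggest placing `# Per-feature install/uninstall hook targets; each WITH_* block below appends its own and install-data-local / uninstall-local depend on the result.` above the first assignment. Because they end up as plain prerequisite lists, every target appended to them must actually have a rule, otherwise `make install` or `make uninstall` aborts with a missing-rule error.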
@@ -85,20 +88,36 @@ templates_DATA = \
 	apparmor/TEMPLATE.qemu \
 	apparmor/TEMPLATE.lxc \
 	$(NULL)
+
+APPARMOR_LOCAL_DIR = "$(DESTDIR)$(apparmordir)/local"
+install-apparmor-local:
+	$(MKDIR_P) "$(APPARMOR_LOCAL_DIR)"
+	echo "# Site-specific additions and overrides for 'usr.lib.libvirt.virt-aa-helper'" \
+	>$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper
+
+INSTALL_DATA_LOCAL += install-apparmor-local
+UNINSTALL_LOCAL += uninstall-apparmor-local
 endif WITH_APPARMOR_PROFILES
 if WITH_NWFILTER
 NWFILTER_DIR = "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter"
-install-data-local:
+install-nwfilter-local:
 	$(MKDIR_P) "$(NWFILTER_DIR)"
 	for f in $(FILTERS); do \
 	$(INSTALL_DATA) $$f "$(NWFILTER_DIR)"; \
 	done
-uninstall-local::
+uninstall-nwfilter-local::
 	for f in $(FILTERS); do \
 	rm -f "$(NWFILTER_DIR)/`basename $$f`"; \
 	done
 	-test -z "$(shell ls $(NWFILTER_DIR))" || rmdir $(NWFILTER_DIR)
+
+INSTALL_DATA_LOCAL += install-nwfilter-local
+UNINSTALL_LOCAL += uninstall-nwfilter-local
 endif WITH_NWFILTER
+
+install-data-local: $(INSTALL_DATA_LOCAL)
+
+uninstall-local: $(UNINSTALL_LOCAL)
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index bd6181d00..f3069d369 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -3,6 +3,7 @@
 profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
 #include
+ #include
 # needed for searching directories
 capability dac_override,
@@ -50,8 +51,11 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
 /var/lib/libvirt/images/ r,
 /var/lib/libvirt/images/** r,
 /{media,mnt,opt,srv}/** r,
+ # For virt-sandbox
+ /run/libvirt/**/[sv]d[a-z] r
 /**.img r,
+ /**.raw r,
 /**.qcow{,2} r,
 /**.qed r,
 /**.vmdk r,
-- 
2.15.1
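Review bot: `UNINSTALL_LOCAL += uninstall-apparmor-local` names a target that this hunk never defines, so with WITH_APPARMOR_PROFILES enabled `make uninstall` stops with a "No rule to make target 'uninstall-apparmor-local'" error (the diffstat shows no other hunk in this file that could supply it). The `install-apparmor-local` recipe also redirects `echo` straight into `local/usr.lib.libvirt.virt-aa-helper`, rewriting it on every `make install`; since that file exists precisely so an administrator can keep site-specific rules, a reinstall or upgrade silently discards whatever they added there, including any tightening of the profile, so the write should be skipped when the file already exists. The rewrite below adds the missing uninstall rule and guards the creation; the `rmdir` is allowed to fail because `apparmor.d/local` is shared with other packages' override files. The existing `$(shell ls …)` idiom on the nwfilter rule is not copied because `$(shell)` expands before the recipe's `rm -f` runs and so sees the directory as non-empty.
```make
APPARMOR_LOCAL_DIR = "$(DESTDIR)$(apparmordir)/local"
APPARMOR_LOCAL_FILE = $(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper
# Create the site-override file only when absent so a reinstall or upgrade
# never clobbers an administrator's local rules.
install-apparmor-local:
	$(MKDIR_P) "$(APPARMOR_LOCAL_DIR)"
	test -e $(APPARMOR_LOCAL_FILE) || \
	  echo "# Site-specific additions and overrides for 'usr.lib.libvirt.virt-aa-helper'" \
	    >$(APPARMOR_LOCAL_FILE)

# apparmor.d/local is shared with other profiles' override files, so the
# directory is only removed when nothing else is left in it.
uninstall-apparmor-local:
	rm -f $(APPARMOR_LOCAL_FILE)
	rmdir "$(APPARMOR_LOCAL_DIR)" 2>/dev/null || :
# … unchanged: INSTALL_DATA_LOCAL/UNINSTALL_LOCAL appends, nwfilter rules, install-data-local / uninstall-local …
```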
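Review bot: The new `#include` of the site-local override file is undocumented, and a hard include means the whole profile fails to parse when that file is absent — AppArmor of this era (pre-3.0) has no optional-include form — so anyone installing the profile without running this commit's `install-apparmor-local` rule (for example a distribution packaging the examples separately) ends up with virt-aa-helper unconfined rather than slightly more confined. A comment above the line would make that dependency explicit, e.g. `# Site-specific additions and overrides; created empty by 'make install' (examples/Makefile.am). The profile does not load if this file is missing.`. The included path itself is not legible on this page, so the comment should name it once. The profile body continues outside the hunk.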
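Review bot: The added rule `/run/libvirt/**/[sv]d[a-z] r` has no trailing comma, which is a syntax error for apparmor_parser, so the whole virt-aa-helper profile fails to load and the helper runs unconfined — the opposite of what the change intends; it should read `/run/libvirt/**/[sv]d[a-z] r,`. The commit message describes the pattern as `[vd]d[a-z]` while the profile uses `[sv]d[a-z]`, so one of the two should be corrected to match. `/**.raw r,` lets the root-running helper, which already holds `capability dac_override` per the earlier hunk, read any `.raw` file on the system; that is consistent with the existing `**.img` and `**.qcow` rules, but a comment such as `# deliberately broad: the helper only needs to resolve image paths; the generated per-VM profile is what confines QEMU` would record why the breadth is acceptable, with the second clause to be confirmed against virt-aa-helper's code.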