libvirt/virt-aa-helper-rw-mounts.patch

From 9abe699b0b91fd2c8a2870b36342a37fa97f7e36 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Tue, 17 Nov 2015 10:11:30 +0100
Subject: [PATCH] virt-aa-helper: don't deny writes to readonly mounts

There is no need to deny writes on a readonly mount: write still
won't be accepted, even if the user remounts the folder as RW in
the guest as qemu sets the 9p mount as ro.

This deny rule was leading to problems for example with readonly /:
The qemu process had to write to a bunch of files in / like logs,
sockets, etc. This deny rule was also preventing auditing of these
denials, making it harder to debug.
---
 src/security/virt-aa-helper.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Index: libvirt-1.3.0/src/security/virt-aa-helper.c
===================================================================
--- libvirt-1.3.0.orig/src/security/virt-aa-helper.c
+++ libvirt-1.3.0/src/security/virt-aa-helper.c
@@ -1127,7 +1127,10 @@ get_files(vahControl * ctl)
                 ctl->def->fss[i]->src) {
             virDomainFSDefPtr fs = ctl->def->fss[i];
 
-            if (vah_add_path(&buf, fs->src, fs->readonly ? "r" : "rw", true) != 0)
+            /* We don't need to add deny rw rules for readonly mounts,
+             * this can only lead to troubles when mounting / readonly.
+             */
+            if (vah_add_path(&buf, fs->src, "rw", true) != 0)
                 goto cleanup;
         }
     }