From nobody Tue Feb 10 10:01:25 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28
 as permitted sender) client-ip=209.132.183.28;
 envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com;
Authentication-Results: mx.zohomail.com;
	spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com
Return-Path: <libvir-list-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by
 mx.zohomail.com
	with SMTPS id 1505921368299648.0594177264321;
 Wed, 20 Sep 2017 08:29:28 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com
 [10.5.11.11])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id A3F17806B2;
	Wed, 20 Sep 2017 15:29:26 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 80A8260472;
	Wed, 20 Sep 2017 15:29:26 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 3C76D410B3;
	Wed, 20 Sep 2017 15:29:26 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com
	[10.5.11.12])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id v8KExKAt027954 for <libvir-list@listman.util.phx.redhat.com>;
	Wed, 20 Sep 2017 10:59:20 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id D6AD918B8E; Wed, 20 Sep 2017 14:59:20 +0000 (UTC)
Received: from mx1.redhat.com (ext-mx10.extmail.prod.ext.phx2.redhat.com
	[10.5.110.39])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id CEE7B60241
	for <libvir-list@redhat.com>; Wed, 20 Sep 2017 14:59:16 +0000 (UTC)
Received: from youngberry.canonical.com (youngberry.canonical.com
	[91.189.89.112]) (using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id B617251165
	for <libvir-list@redhat.com>; Wed, 20 Sep 2017 14:59:15 +0000 (UTC)
Received: from 167-139-067-156.ip-addr.inexio.net ([156.67.139.167]
	helo=lap.fritz.box) by youngberry.canonical.com with esmtpsa
	(TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76)
	(envelope-from <christian.ehrhardt@canonical.com>)
	id 1dugT4-0001Vi-Ht; Wed, 20 Sep 2017 14:59:14 +0000
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com A3F17806B2
Authentication-Results: ext-mx02.extmail.prod.ext.phx2.redhat.com;
 dmarc=fail (p=none dis=none) header.from=canonical.com
Authentication-Results: ext-mx02.extmail.prod.ext.phx2.redhat.com;
 spf=fail smtp.mailfrom=libvir-list-bounces@redhat.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com A3F17806B2
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com B617251165
Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com;
	dmarc=fail (p=none dis=none) header.from=canonical.com
Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; spf=none
	smtp.mailfrom=christian.ehrhardt@canonical.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com B617251165
From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
To: Libvirt Devel <libvir-list@redhat.com>
Date: Wed, 20 Sep 2017 16:59:06 +0200
Message-Id: 
 <1505919549-19756-2-git-send-email-christian.ehrhardt@canonical.com>
In-Reply-To: 
 <1505919549-19756-1-git-send-email-christian.ehrhardt@canonical.com>
References: 
 <1505919549-19756-1-git-send-email-christian.ehrhardt@canonical.com>
X-Greylist: Sender passed SPF test, Sender IP whitelisted by DNSRBL, ACL 205
	matched, not delayed by milter-greylist-4.5.16 (mx1.redhat.com
	[10.5.110.39]); Wed, 20 Sep 2017 14:59:15 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com
 [10.5.110.39]);
	Wed, 20 Sep 2017 14:59:15 +0000 (UTC) for IP:'91.189.89.112'
	DOMAIN:'youngberry.canonical.com' HELO:'youngberry.canonical.com'
	FROM:'christian.ehrhardt@canonical.com' RCPT:''
X-RedHat-Spam-Score: -2.321  (RCVD_IN_DNSWL_MED, RCVD_IN_MSPIKE_H3,
	RCVD_IN_MSPIKE_WL,
	RP_MATCHES_RCVD) 91.189.89.112 youngberry.canonical.com 91.189.89.112
	youngberry.canonical.com <christian.ehrhardt@canonical.com>
X-Scanned-By: MIMEDefang 2.78 on 10.5.110.39
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-loop: libvir-list@redhat.com
Cc: Jamie Strandboge <jamie.strandboge@canonical.com>,
	Guido Guenther <agx@sigxcpu.org>,
	Christian Ehrhardt <christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH 1/4] virt-aa-helper: fix paths for usb hostdevs
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
X-Greylist: Sender IP whitelisted,
 not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]);
 Wed, 20 Sep 2017 15:29:27 +0000 (UTC)
X-ZohoMail: RSF_0  Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

If users only specified vendor&product (the common case) then parsing
the xml via virDomainHostdevSubsysUSBDefParseXML would only set these.
Bus and Device would much later be added when the devices are prepared
to be added.

Due to that a hot-add of a usb hostdev works as the device is prepared
and virt-aa-helper processes the new internal xml. But on an initial
guest start at the time virt-aa-helper renders the apparmor rules the
bus/device id's are not set yet:

p ctl->def->hostdevs[0]->source.subsys.u.usb
$12 =3D {autoAddress =3D false, bus =3D 0, device =3D 0, vendor =3D 1921, p=
roduct
=3D 21888}

That causes rules to be wrong:
  "/dev/bus/usb/000/000" rw,

The fix calls virHostdevFindUSBDevice after reading the XML from
irt-aa-helper to only add apparmor rules for devices that could be found
and now are fully known to be able to write the rule correctly.

It uncondtionally sets virHostdevFindUSBDevice mandatory attribute as
adding an apparmor rule for a device not found makes no sense no matter
what startup policy it has set.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 src/security/virt-aa-helper.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 7944dc1..d1518ea 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -55,6 +55,7 @@
 #include "virrandom.h"
 #include "virstring.h"
 #include "virgettext.h"
+#include "virhostdev.h"
=20
 #include "storage/storage_source.h"
=20
@@ -1069,6 +1070,9 @@ get_files(vahControl * ctl)
                 if (usb =3D=3D NULL)
                     continue;
=20
+                if (virHostdevFindUSBDevice(dev, true, &usb) < 0)
+                    continue;
+
                 rc =3D virUSBDeviceFileIterate(usb, file_iterate_hostdev_c=
b, &buf);
                 virUSBDeviceFree(usb);
                 if (rc !=3D 0)
--=20
2.7.4

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list