If a system has sasl GSSAPI plugin available qemu with sasl support will
try to read /etc/gss/mech.d/.
It is required to allow that to let the modules fully work and it should
be safe to do so as it only registers/configures plugins but has no secrets.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
examples/apparmor/libvirt-qemu | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 950b042..2c47652 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -192,3 +192,7 @@
# silence refusals to open lttng files (see LP: #1432644)
deny /dev/shm/lttng-ust-wait-* r,
deny /run/shm/lttng-ust-wait-* r,
+
+ # required for sasl GSSAPI plugin
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/* r,
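Review bot: The `/etc/gss/mech.d/* r,` rule grants read on every file directly in that directory; if the GSSAPI library only consumes `*.conf` files there, narrowing it to `/etc/gss/mech.d/*.conf r,` would keep the grant tied to what is actually read. The comment `# required for sasl GSSAPI plugin` could also carry the rationale from the commit message (the directory only registers/configures plugins and holds no secrets), because the rule is unconditional in this file and a later reader of the profile will not see the commit text.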
--
2.7.4
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
On Wed, Mar 07, 2018 at 11:16:52AM +0100, Christian Ehrhardt wrote:
> If a system has sasl GSSAPI plugin available qemu with sasl support will
> try to read /etc/gss/mech.d/.
>
> It is required to allow that to let the modules fully work and it should
> be safe to do so as it only registers/configures plugins but has no secrets.
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
> examples/apparmor/libvirt-qemu | 4 ++++
> 1 file changed, 4 insertions(+)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index 950b042..2c47652 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -192,3 +192,7 @@
> # silence refusals to open lttng files (see LP: #1432644)
> deny /dev/shm/lttng-ust-wait-* r,
> deny /run/shm/lttng-ust-wait-* r,
> +
> + # required for sasl GSSAPI plugin
> + /etc/gss/mech.d/ r,
> + /etc/gss/mech.d/* r,
> --
> 2.7.4

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
On Wed, 2018-03-07 at 11:16 +0100, Christian Ehrhardt wrote:
> If a system has sasl GSSAPI plugin available qemu with sasl support will
> try to read /etc/gss/mech.d/.
>
> It is required to allow that to let the modules fully work and it should
> be safe to do so as it only registers/configures plugins but has no secrets.
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
> examples/apparmor/libvirt-qemu | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/examples/apparmor/libvirt-qemu
> b/examples/apparmor/libvirt-qemu
> index 950b042..2c47652 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -192,3 +192,7 @@
> # silence refusals to open lttng files (see LP: #1432644)
> deny /dev/shm/lttng-ust-wait-* r,
> deny /run/shm/lttng-ust-wait-* r,
> +
> + # required for sasl GSSAPI plugin
> + /etc/gss/mech.d/ r,
> + /etc/gss/mech.d/* r,

LGTM. +1

Thanks!

--
Jamie Strandboge | http://www.canonical.com
Thanks for the reviews, pushed with Ack/Review tags.

On Thu, Mar 8, 2018 at 9:12 AM, Jamie Strandboge <jamie@canonical.com> wrote:
> On Wed, 2018-03-07 at 11:16 +0100, Christian Ehrhardt wrote:
> > If a system has sasl GSSAPI plugin available qemu with sasl support will
> > try to read /etc/gss/mech.d/.
> >
> > It is required to allow that to let the modules fully work and it should
> > be safe to do so as it only registers/configures plugins but has no secrets.
> >
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> > ---
> > examples/apparmor/libvirt-qemu | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/examples/apparmor/libvirt-qemu
> > b/examples/apparmor/libvirt-qemu
> > index 950b042..2c47652 100644
> > --- a/examples/apparmor/libvirt-qemu
> > +++ b/examples/apparmor/libvirt-qemu
> > @@ -192,3 +192,7 @@
> > # silence refusals to open lttng files (see LP: #1432644)
> > deny /dev/shm/lttng-ust-wait-* r,
> > deny /run/shm/lttng-ust-wait-* r,
> > +
> > + # required for sasl GSSAPI plugin
> > + /etc/gss/mech.d/ r,
> > + /etc/gss/mech.d/* r,
>
> LGTM. +1
>
> Thanks!
> --
> Jamie Strandboge | http://www.canonical.com

--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd