1. Patchew
  2. Libvirt
  3. [libvirt] [PATCH 0/4] Extend apparmor rules for libvirt 4.6
  4. View patch

[libvirt] [PATCH 1/4] apparmor: allow openGraphicsFD for virt manager >1.4

Christian Ehrhardt posted 4 patches 6 years, 9 months ago
There is a newer version of this series
[libvirt] [PATCH 1/4] apparmor: allow openGraphicsFD for virt manager >1.4
Posted by Christian Ehrhardt 6 years, 9 months ago 
virt-manager's UI connection will need socket access for openGraphicsFD
to work - otherwise users will face a failed connection error when
opening the UI view.

Depending on the exact versions of libvirt and qemu involved this needs
either a rule from qemu to libvirt or vice versa.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 examples/apparmor/libvirt-qemu      | 3 +++
 examples/apparmor/usr.sbin.libvirtd | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index df5f512487..5caf14e418 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -188,6 +188,9 @@
   @{PROC}/device-tree/** r,
   /sys/firmware/devicetree/** r,
 
+  # allow connect with openGraphicsFD to work
+  unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
+
   # for gathering information about available host resources
   /sys/devices/system/cpu/ r,
   /sys/devices/system/node/ r,
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 3102cab382..dd37866c2a 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -69,6 +69,11 @@
   unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
   signal (send) set=("term") peer=/usr/sbin/libvirtd//qemu_bridge_helper,
 
+  # allow connect with openGraphicsFD, direction reversed in newer versions
+  unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
+  # unconfined also required if guests run without security module
+  unix (send, receive) type=stream addr=none peer=(label=unconfined),
+
   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
   / r,
-- 
2.17.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 1/4] apparmor: allow openGraphicsFD for virt manager >1.4
Posted by Jamie Strandboge 6 years, 9 months ago 
On Mon, 2018-08-13 at 16:39 +0200, Christian Ehrhardt wrote:
> virt-manager's UI connection will need socket access for
> openGraphicsFD
> to work - otherwise users will face a failed connection error when
> opening the UI view.
> 
> Depending on the exact versions of libvirt and qemu involved this
> needs
> either a rule from qemu to libvirt or vice versa.
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
>  examples/apparmor/libvirt-qemu      | 3 +++
>  examples/apparmor/usr.sbin.libvirtd | 5 +++++
>  2 files changed, 8 insertions(+)
> 
> diff --git a/examples/apparmor/libvirt-qemu
> b/examples/apparmor/libvirt-qemu
> index df5f512487..5caf14e418 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -188,6 +188,9 @@
>    @{PROC}/device-tree/** r,
>    /sys/firmware/devicetree/** r,
>  
> +  # allow connect with openGraphicsFD to work
> +  unix (send, receive) type=stream addr=none
> peer=(label=/usr/sbin/libvirtd),

+1 to apply

> diff --git a/examples/apparmor/usr.sbin.libvirtd
> b/examples/apparmor/usr.sbin.libvirtd
> index 3102cab382..dd37866c2a 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -69,6 +69,11 @@
>    unix (send, receive) type=stream addr=none
> peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
>    signal (send) set=("term")
> peer=/usr/sbin/libvirtd//qemu_bridge_helper,
>  
> +  # allow connect with openGraphicsFD, direction reversed in newer
> versions
> +  unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-
> 9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
> +  # unconfined also required if guests run without security module
> +  unix (send, receive) type=stream addr=none
> peer=(label=unconfined),

Makes sense. This libvirtd policy is meant to be super restrictive, so
+1 to apply.


-- 
Jamie Strandboge             | http://www.canonical.com--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 1/4] apparmor: allow openGraphicsFD for virt manager >1.4
Posted by Christian Ehrhardt 6 years, 9 months ago 
On Mon, Aug 13, 2018 at 6:53 PM Jamie Strandboge <jamie@canonical.com>
wrote:

> On Mon, 2018-08-13 at 16:39 +0200, Christian Ehrhardt wrote:
> > virt-manager's UI connection will need socket access for
> > openGraphicsFD
> > to work - otherwise users will face a failed connection error when
> > opening the UI view.
> >
> > Depending on the exact versions of libvirt and qemu involved this
> > needs
> > either a rule from qemu to libvirt or vice versa.
> >
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> > ---
> >  examples/apparmor/libvirt-qemu      | 3 +++
> >  examples/apparmor/usr.sbin.libvirtd | 5 +++++
> >  2 files changed, 8 insertions(+)
> >
> > diff --git a/examples/apparmor/libvirt-qemu
> > b/examples/apparmor/libvirt-qemu
> > index df5f512487..5caf14e418 100644
> > --- a/examples/apparmor/libvirt-qemu
> > +++ b/examples/apparmor/libvirt-qemu
> > @@ -188,6 +188,9 @@
> >    @{PROC}/device-tree/** r,
> >    /sys/firmware/devicetree/** r,
> >
> > +  # allow connect with openGraphicsFD to work
> > +  unix (send, receive) type=stream addr=none
> > peer=(label=/usr/sbin/libvirtd),
>
> +1 to apply
>
> > diff --git a/examples/apparmor/usr.sbin.libvirtd
> > b/examples/apparmor/usr.sbin.libvirtd
> > index 3102cab382..dd37866c2a 100644
> > --- a/examples/apparmor/usr.sbin.libvirtd
> > +++ b/examples/apparmor/usr.sbin.libvirtd
> > @@ -69,6 +69,11 @@
> >    unix (send, receive) type=stream addr=none
> > peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
> >    signal (send) set=("term")
> > peer=/usr/sbin/libvirtd//qemu_bridge_helper,
> >
> > +  # allow connect with openGraphicsFD, direction reversed in newer
> > versions
> > +  unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-
> > 9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
> > +  # unconfined also required if guests run without security module
> > +  unix (send, receive) type=stream addr=none
> > peer=(label=unconfined),
>
> Makes sense. This libvirtd policy is meant to be super restrictive, so
> +1 to apply.
>

Thanks, added your Ack in the v2 submission due to rewriting the latter
patches of this series.

-- 
> Jamie Strandboge             | http://www.canonical.com



-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Patchew 2.1-devel-8c64711

© 2016 - 2025 Red Hat, Inc.