app-armor: add 'rw' for appropriate devices

Description: Check for VIR_DOMAIN_CHR_TYPE in serial ports and add 'rw' for defined serial ports, parallel ports and channels Bug-Ubuntu: LP: #578527, LP: #609055
2025-01-31 17:05:16 +00:00 · 2010-09-23 11:22:44 -06:00 · 2010-09-23 11:22:44 -06:00 · 2e5e614e6b
commit 2e5e614e6b
parent 874ad5f94a
2 changed files with 45 additions and 3 deletions
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@ -862,15 +862,44 @@ get_files(vahControl * ctl)
    }

    for (i = 0; i < ctl->def->nserials; i++)
-        if (ctl->def->serials[i] && ctl->def->serials[i]->data.file.path)
+        if (ctl->def->serials[i] &&
+            (ctl->def->serials[i]->type == VIR_DOMAIN_CHR_TYPE_PTY ||
+             ctl->def->serials[i]->type == VIR_DOMAIN_CHR_TYPE_DEV ||
+             ctl->def->serials[i]->type == VIR_DOMAIN_CHR_TYPE_FILE ||
+             ctl->def->serials[i]->type == VIR_DOMAIN_CHR_TYPE_PIPE) &&
+            ctl->def->serials[i]->data.file.path)
            if (vah_add_file(&buf,
-                             ctl->def->serials[i]->data.file.path, "w") != 0)
+                             ctl->def->serials[i]->data.file.path, "rw") != 0)
                goto clean;

    if (ctl->def->console && ctl->def->console->data.file.path)
-        if (vah_add_file(&buf, ctl->def->console->data.file.path, "w") != 0)
+        if (vah_add_file(&buf, ctl->def->console->data.file.path, "rw") != 0)
            goto clean;

+    for (i = 0 ; i < ctl->def->nparallels; i++)
+        if (ctl->def->parallels[i] &&
+            (ctl->def->parallels[i]->type == VIR_DOMAIN_CHR_TYPE_PTY ||
+             ctl->def->parallels[i]->type == VIR_DOMAIN_CHR_TYPE_DEV ||
+             ctl->def->parallels[i]->type == VIR_DOMAIN_CHR_TYPE_FILE ||
+             ctl->def->parallels[i]->type == VIR_DOMAIN_CHR_TYPE_PIPE) &&
+            ctl->def->parallels[i]->data.file.path)
+            if (vah_add_file(&buf,
+                             ctl->def->parallels[i]->data.file.path,
+                             "rw") != 0)
+                goto clean;
+
+    for (i = 0 ; i < ctl->def->nchannels; i++)
+        if (ctl->def->channels[i] &&
+            (ctl->def->channels[i]->type == VIR_DOMAIN_CHR_TYPE_PTY ||
+             ctl->def->channels[i]->type == VIR_DOMAIN_CHR_TYPE_DEV ||
+             ctl->def->channels[i]->type == VIR_DOMAIN_CHR_TYPE_FILE ||
+             ctl->def->channels[i]->type == VIR_DOMAIN_CHR_TYPE_PIPE) &&
+            ctl->def->channels[i]->data.file.path)
+            if (vah_add_file(&buf,
+                             ctl->def->channels[i]->data.file.path,
+                             "rw") != 0)
+                goto clean;
+
    if (ctl->def->os.kernel)
        if (vah_add_file(&buf, ctl->def->os.kernel, "r") != 0)
            goto clean;
--- a/tests/virt-aa-helper-test
+++ b/tests/virt-aa-helper-test
@ -246,6 +246,9 @@ testme "0" "serial" "-r -u $valid_uuid" "$test_xml"
 cat "$template_xml" | sed "s,###UUID###,$uuid,g" | sed "s,###DISK###,$disk1,g" | sed "s,</devices>,<serial type='pty'><target port='0'/></serial></devices>,g" > "$test_xml"
 testme "0" "serial (pty)" "-r -u $valid_uuid" "$test_xml"

+cat "$template_xml" | sed "s,###UUID###,$uuid,g" | sed "s,###DISK###,$disk1,g" | sed "s,</devices>,<serial type='dev'><source path='/dev/ttyS0'/><target port='0'/></serial></devices>,g" > "$test_xml"
+testme "0" "serial (dev)" "-r -u $valid_uuid" "$test_xml"
+
 cat "$template_xml" | sed "s,###UUID###,$uuid,g" | sed "s,###DISK###,$disk1,g" | sed "s,</devices>,<console type='file'><source path='$tmpdir/console.log'/><target port='0'/></console></devices>,g" > "$test_xml"
 touch "$tmpdir/console.log"
 testme "0" "console" "-r -u $valid_uuid" "$test_xml"
@ -253,6 +256,16 @@ testme "0" "console" "-r -u $valid_uuid" "$test_xml"
 cat "$template_xml" | sed "s,###UUID###,$uuid,g" | sed "s,###DISK###,$disk1,g" | sed "s,</devices>,<console type='pty'><target port='0'/></console></devices>,g" > "$test_xml"
 testme "0" "console (pty)" "-r -u $valid_uuid" "$test_xml"

+cat "$template_xml" | sed "s,###UUID###,$uuid,g" | sed "s,###DISK###,$disk1,g" | sed "s,</devices>,<parallel type='pty'><source path='/dev/pts/0'/><target port='0'/></parallel></devices>,g" > "$test_xml"
+testme "0" "parallel (pty)" "-r -u $valid_uuid" "$test_xml"
+
+cat "$template_xml" | sed "s,###UUID###,$uuid,g" | sed "s,###DISK###,$disk1,g" | sed "s,</devices>,<channel type='unix'><source mode='bind' path='$tmpdir/guestfwd'/><target type='guestfwd' address='10.0.2.1' port='4600'/></channel></devices>,g" > "$test_xml"
+touch "$tmpdir/guestfwd"
+testme "0" "channel (unix)" "-r -u $valid_uuid" "$test_xml"
+
+cat "$template_xml" | sed "s,###UUID###,$uuid,g" | sed "s,###DISK###,$disk1,g" | sed "s,</devices>,<channel type='pty'><target type='virtio'/></channel></devices>,g" > "$test_xml"
+testme "0" "channel (pty)" "-r -u $valid_uuid" "$test_xml"
+
 cat "$template_xml" | sed "s,###UUID###,$uuid,g" | sed "s,###DISK###,$disk1,g" | sed "s,</os>,<kernel>$tmpdir/kernel</kernel></os>,g" > "$test_xml"
 touch "$tmpdir/kernel"
 testme "0" "kernel" "-r -u $valid_uuid" "$test_xml"