External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-09-19 14:10:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: AppArmor allow write when os loader readonly=no

Browse Source 
Since libvirt commit 3ef9b51b10,
the pflash storage for the os loader file follows its read-only flag,
and qemu tries to open the file for writing if set so.

This patches virt-aa-helper to generate the VM's AppArmor rules
that allow this, using the same domain definition flag and default.

Signed-off-by: Miroslav Los <mirlos@cisco.com>
Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
This commit is contained in:
Miroslav Los 2024-06-04 11:10:59 +00:00 committed by Andrea Bolognani
parent 65b54e791f
commit c019350a76
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/security/virt-aa-helper.c
View File

@ -1002,9 +1002,14 @@ get_files(vahControl * ctl)
if (vah_add_file(&buf, ctl->def->os.slic_table, "r") != 0) if (vah_add_file(&buf, ctl->def->os.slic_table, "r") != 0)
goto cleanup; goto cleanup;
if (ctl->def->os.loader && ctl->def->os.loader->path) if (ctl->def->os.loader && ctl->def->os.loader->path) {
if (vah_add_file(&buf, ctl->def->os.loader->path, "rk") != 0) bool readonly = false;
virTristateBoolToBool(ctl->def->os.loader->readonly, &readonly);
if (vah_add_file(&buf,
ctl->def->os.loader->path,
readonly ? "rk" : "rwk") != 0)
goto cleanup; goto cleanup;
}
if (ctl->def->os.loader && ctl->def->os.loader->nvram) { if (ctl->def->os.loader && ctl->def->os.loader->nvram) {
if (storage_source_add_files(ctl->def->os.loader->nvram, &buf, 0) < 0) if (storage_source_add_files(ctl->def->os.loader->nvram, &buf, 0) < 0)