Use the full list as breakpoints; you can easily get it from the source like
$ tail -n 60 src/security/security_apparmor.c | awk '/ = App/ {gsub(",",""); printf("b %s\n", $3);}'

But the only hit we get is the FD call as expected:
Thread 2 "libvirtd" hit Breakpoint 31, AppArmorSetFDLabel (mgr=0x7f6e3c00b0a0, 
def=0x7f6e3c0bbca0, fd=21) at ../../../src/security/security_apparmor.c:1139

We don't really know that we are getting a vhost-net at this point.
We get the FD that we pass like:
 fd=21
map that to
 /proc/self/fd/21
and finally resolve that to
 /dev/net/tun

That is all we get, afterwards no more labelling calls.
I think the assumption "if one is adding /dev/net/tun he might use vhost so 
also add /dev/vhost-net" is awkward.

I don't see other good places to catch that dynamic, but then the
solution might be quite different. It was added by [1] quite a while
back, but I'd like to get in touch with security if /dev/vhost-net is
still considered dangerous, maybe things are more mature and we can
allow it in general now?

I'll send a request now, but I also will see them next week so I can
discuss it there in case there is no reply.

[1]:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=c7abe7448c746cf0e3a6b7fab80e083afba5d5ae

** Changed in: libvirt (Ubuntu)
       Status: Confirmed => Triaged
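To make concrete what the FD label hook described above actually has to work with, here is an added example (not libvirt code, and not the author's) that resolves a bare fd through /proc/self/fd/<n> and classifies it with fstat; it assumes Linux with /proc mounted and uses /dev/null as a constructed stand-in for the tun fd.

```c
/* Added example, not libvirt code: what the FD label hook sees. Linux, /proc mounted. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>

/* Resolve fd to its path via /proc/self/fd/<n>, as the hook does. 0 = ok, -1 = error. */
int resolve_fd_path(int fd, char *buf, size_t len)
{
    char link[64];
    snprintf(link, sizeof(link), "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}
/* Classify by fstat: 1 = char device (major/minor filled), 0 = other, -1 = fstat failed. */
int fd_char_device(int fd, unsigned *major_out, unsigned *minor_out)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return -1;
    if (!S_ISCHR(st.st_mode))
        return 0;
    *major_out = major(st.st_rdev);
    *minor_out = minor(st.st_rdev);
    return 1;
}
/* The only decision the resolved path supports: is this /dev/net/tun?
 * Nothing about the fd says whether vhost-net will be used with it. */
int is_tun_device_path(const char *path)
{
    return strcmp(path, "/dev/net/tun") == 0;
}
int main(void)
{
    char path[256];
    unsigned maj, mnr;
    int fd = open("/dev/null", O_RDWR); /* constructed stand-in for the tun fd */
    if (fd < 0 || resolve_fd_path(fd, path, sizeof(path)) < 0)
        return 1;
    printf("fd=%d -> %s tun=%d\n", fd, path, is_tun_device_path(path));
    if (fd_char_device(fd, &maj, &mnr) == 1)
        printf("char device %u:%u\n", maj, mnr);
    close(fd);
    return 0;
}
```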

https://bugs.launchpad.net/bugs/1815910

Title:
  Apparmor blocks access to /dev/vhost-net
