Comment 5 for bug 1815910

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Use the full list as breakpoints yoou can easily get from source like
$ tail -n 60 src/security/security_apparmor.c | awk '/ = App/ {gsub(",",""); printf("b %s\n", $3);}'

But the only hit we get is the FD call as expected:
Thread 2 "libvirtd" hit Breakpoint 31, AppArmorSetFDLabel (mgr=0x7f6e3c00b0a0, def=0x7f6e3c0bbca0, fd=21) at ../../../src/security/security_apparmor.c:1139

We don't know really that we are getting a vhost-net at this point.
We get the FD that we pass like:
 fd=21
map that to
 /proc/self/fd/21
and finally resolve that to
 /dev/net/tun

That is all we get, afterwards no more labelling calls.
I think the assumption "if one is adding /dev/net/tun he might use vhost so also add /dev/vhost-net" is awkward.

I don't see other good places to catch that dynamic, but then the solution might be quite different. It was added by [1] quite a while back, but I'd like to get in touch with security if /dev/vhost-net is still considered dangerous, maybe things are more mature and we can allow it in general now?

I'll send a request now, but I also will see them next week so I can discuss it there in case there is no reply.

[1]: https://libvirt.org/git/?p=libvirt.git;a=commit;h=c7abe7448c746cf0e3a6b7fab80e083afba5d5ae