Created attachment 1131085 [details] Patch to remove read permission on VNC sockets Description of problem: virt-aa-helper allows read access to the VNC socket Version-Release number of selected component (if applicable): 1.2.16 How reproducible: Connect to the VNC socket using the VM's apparmor profile Steps to Reproduce: 1. Identify the apparmor profile (libvirt-<uuid>) used by a running VM (<name>) that has a VNC socket enabled 2. As root, run and then ^C: socat UNIX-CLIENT:/var/lib/libvirt/qemu/<name>.vnc STDIO 3. As root, run and then ^C: aa-exec -p libvirt-<uuid> socat UNIX-CLIENT:/var/lib/libvirt/qemu/<name>.vnc STDIO Actual results: 2. RFB 003.008 3. RFB 003.008 Expected results: 2. RFB 003.008 3. 2016/02/27 13:33:08 socat[1065] E connect(5, AF=1 "/var/lib/libvirt/qemu/<name>.vnc", 35): Permission denied Additional info: The VM does not need read permission for its own VNC socket to create(), bind(), accept() connections or to receive(), send(), etc. on connections.
Thanks for the patch. I don't think anyone who works on virt-aa-helper watches this tracker... please send the patch to libvir-list and CC cbosdonnat and agx , they can review and commit
Also if you do send the patch upstream, and these patches have landed: http://www.redhat.com/archives/libvir-list/2016-March/msg00979.html Please adjust the spice socket permissions as well
CCing guido and cedric who patch virt-aa-helper on occasion
Looks good to me.
I sent the patch upstream, Guido if you ACK I'll push it http://www.redhat.com/archives/libvir-list/2016-April/msg00363.html
Pushed upstream now. Thanks for the patch! commit ab9569e5460d1e4737fe8b625c67687dc2204665 Author: Simon Arlott <bugzilla.redhat.simon> Date: Fri Apr 8 09:01:33 2016 -0400 virt-aa-helper: disallow VNC socket read permissions The VM does not need read permission for its own VNC socket to create(), bind(), accept() connections or to receive(), send(), etc. on connections. https://bugzilla.redhat.com/show_bug.cgi?id=1312573
This got reverted upstream a few weeks later by someone who didn't consider why the permissions omitted reading, which is really frustrating: 2016-04-20: fix committed (ab9569e5460d1e4737fe8b625c67687dc2204665) 2016-06-08: changes to graphics socket handling (6465e1aa49397367a9cd0f27110b9c2280a7385) 2016-06-09: fix reverted (acc83afe333bfadd3f7f79091d38ca3d7da1eeb2)