lxd lxd/apparmor: apparmor profile for qemu-img

Hi, this is first step to cover qemu-img calls with apparmor. Only one call is currently covered: rlimit --cpu=2 --as=1000000000 qemu-img info -f qcow2 --output=json /var/lib/lxd/images/zxy.rootfs It is triggered by lxc launch images:ubuntu/20.04 vm1 --vm

I appreciate any comment or reviews.

issue #10253

Jul 24 '22 15:07 Viktor-Yakovchuk

This pull request didn't trigger Jenkins as its author isn't in the allow list.

An organization member must perform one of the following:

To have this branch tested by Jenkins, use the "ok to test" command.
To have a one time test done, use the "test this please" command.

Those commands are simple Github comments of the format: "jenkins: COMMAND"

Jul 24 '22 15:07 lxc-jenkins

I have covered all direct qemu-img calls. But there is the function: DetectCompressionFile that can return qemu-img as a decoder. It`s references can not use qemu-img:

lxc/image.go#L810, lxd/images.go#L3600 and lxd/images.go#L3616 the return value is not used
lxd/storage/drivers/generic_vfs.go#L797 call leads to err = archive.ExtractWithFds("tar", args, allowedCmds, ioutil.NopCloser(r), sysOS, f) so qemu-img is not used
lxd/archive/archive.go#L141 after getting return value there is the check if it is tar or squashfs
lxd/backup/backup_utils.go#L21, lxd/storage/drivers/driver_btrfs_volumes.go#L174 and lxd/storage/drivers/driver_zfs_volumes.go#L383 calls leads to CompressedTarReader handler where final call is covered by archive apparmor profile
lxd/instances_post.go#L685 and lxd/storage_volumes.go#L1815 extraction can be called only if DetectCompressionFile return ".squashfs"

The only call where I have uncertainty is lxd/images.go#L1165 I have triggered it by lxc image import image_file_name remote_name: and it used gzip (not qemu-img) but I am not sure it is the only one possible way of tiggered this code.

Aug 01 '22 17:08 Viktor-Yakovchuk

@stgraber Could you please launch tests and take a review?

Aug 03 '22 10:08 Viktor-Yakovchuk

@Viktor-Yakovchuk I will try and look at this soon. The jenkins tests don't test VMs so apart from catching container regressions they won't be much use I'm afraid.

Aug 03 '22 11:08 tomponline

@tomponline Hi Tom I was wondering if you have some comments regarding this PR

Aug 22 '22 15:08 Viktor-Yakovchuk

Hi, this is still on my todo list but I am busy with roadmap work at the moment.

Aug 22 '22 15:08 tomponline

@tomponline we should try to get this merged next week so we have the entire LXD 5.7 cycle to see if anything breaks

Sep 21 '22 16:09 stgraber

Yep will take a look at this next (and try it out)

Sep 21 '22 17:09 tomponline

Please rebase this into a single logical commit rather than showing your iterations.

Sep 26 '22 16:09 tomponline

jenkins: test this please

Oct 03 '22 10:10 tomponline

Thanks!

Oct 03 '22 10:10 tomponline

Thanks, too!

Oct 04 '22 13:10 Viktor-Yakovchuk

lxd lxd copied to clipboard

lxd/apparmor: apparmor profile for qemu-img

lxd
lxd copied to clipboard