Add security exceptions for qemu KVM driver

By configuring apparmor libvirt-qemu configurations. Related-Bug: #1550937 Change-Id: I03d20abe54e447ed1ccbfefed1dd3ab31e9443c4
2016-03-01 20:40:46 +02:00 · 2016-03-01 20:40:46 +02:00 · 469bf6959a
commit 469bf6959a
parent 36f48f5803
3 changed files with 51 additions and 28 deletions
--- a/deployment_scripts/set_apparmor.sh
+++ b/deployment_scripts/set_apparmor.sh
@ -0,0 +1,40 @@
+#!/bin/bash
+# Copyright 2016 Mellanox Technologies, Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+set -u
+set -x
+
+readonly SCRIPT_DIR=$(dirname "$0")
+source $SCRIPT_DIR/common
+
+if [ $SRIOV == true ]; then
+  SRIOV_EXTRA_LINES='  # Those rules are required for SR-IOV to function properly'\
+'\n  \/sys\/devices\/system\/** r,\n  \/sys\/bus\/pci\/devices\/ r,'\
+'\n  \/sys\/bus\/pci\/devices\/** r,\n  \/sys\/devices\/pci*\/** rw,'\
+'\n  \/{,var\/}run\/openvswitch\/vhu* rw,'
+  APPARMOR_D_LIBVIRT=/etc/apparmor.d/abstractions/libvirt-qemu
+
+  if ! grep -q '# Those rules are required for SR-IOV' $APPARMOR_D_LIBVIRT; then
+    sed -i "s/^.*signal.*receive.*peer.*libvirtd.*$/$SRIOV_EXTRA_LINES\n\n&/" \
+      /etc/apparmor.d/abstractions/libvirt-qemu
+    sudo service apparmor reload
+    sudo service libvirtd restart
+    sudo service nova-compute restart
+  fi
+fi
+
+exit $?
--- a/deployment_scripts/vfio.sh
+++ b/deployment_scripts/vfio.sh
@ -1,26 +0,0 @@
-#!/bin/bash -x
-# Copyright 2015 Mellanox Technologies, Ltd
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-# implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-readonly SCRIPT_DIR=$(dirname "$0")
-source $SCRIPT_DIR/common
-
-if [ $SRIOV == true ]; then
-  lsmod | grep -q vfio || (modprobe vfio && modprobe vfio_pci)
-  grep -q vfio /etc/rc.local || echo "modprobe vfio" >> /etc/rc.local &&
-  grep -q vfio_pci /etc/rc.local || echo "modprobe vfio_pci" >> /etc/rc.local
-fi
-
-exit $?
--- a/deployment_tasks.yaml
+++ b/deployment_tasks.yaml
@ -174,19 +174,28 @@
 # if exists
 - id: configure_mlnx_iser_ib
  role: '*'
-  required_for: [move_ib_interfaces_to_persistent]
+  required_for: [set_apparmor]
  requires: [post_deployment_start]
  type: puppet
  parameters:
    puppet_manifest: puppet/manifests/configure_iser_child.pp
    puppet_modules: puppet/modules:/etc/puppet/modules
    timeout: 200
+# Add required exceptions for SR-IOV
+- id: set_apparmor
+  role: ['compute']
+  required_for: [move_ib_interfaces_to_persistent]
+  requires: [configure_mlnx_iser_ib]
+  type: shell
+  parameters:
+    cmd: ./set_apparmor.sh
+    timeout: 200
 # Move Ubuntu iSER conigurations to /etc/network/interfaces
 # For MLNX_OFED drivers
 - id: move_ib_interfaces_to_persistent
  role: '*'
  required_for: [configure_mellanox_neo]
-  requires: [configure_mlnx_iser_ib]
+  requires: [set_apparmor]
  type: shell
  parameters:
    cmd: ./move_ubuntu_ib_interfaces_conf.sh