[ubuntu-hardened] opengl backed graphics in virtualization needs more rules
Christian Ehrhardt
christian.ehrhardt at canonical.com
Mon Feb 11 16:14:23 UTC 2019
Hi,
some of you already worked with me on bug 1804766, which led to [1].
But we knew back then that this was only going to be the start, e.g. I
discussed with Alex using abstractions/X (got a nack though).
I now have a testbed that I can use to do further tests, and I have
identified quite a bunch of rules that I'll need. I attached them
below for your consideration.
My questions to you are the following:
1. Still not abstractions/X, but replicating much of it inside
libvirt (I expect yes)?
2. Of all of those in the list below except "things behind the
rendernode device":
- Do those rules look OK if I add them to a qemu guest using
GL-enabled graphics?
- I'd only add them to the guest when GL use is detected via
[1]; or would you want them in the static libvirt-qemu abstractions?
3. Of all of those in the list below except "things behind the
rendernode device":
- I don't want to add /sys/devices/*/*/..., but I see no good way to
reliably detect/map those.
- Do you know smart wildcard rules, or have any prior art for
rendernodes, to make this any easier?
I also need a trivial rule [3] for virt-aa-helper, which should be fine IMHO.
The bug where I track this work is [2].
looking forward to your guidance on this - thanks in advance,
Christian
[1]: https://libvirt.org/git/?p=libvirt.git;a=commit;h=fb01e1a44daea773cd53f275cad6f031506c20db
[2]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1815452
[3]: https://launchpadlibrarian.net/410889754/usr.lib.libvirt.virt-aa-helper
# DRI device should be added by libvirt
/dev/dri/ r,
/dev/dri/** rw,
# DRI config
/usr/share/drirc.d/ r,
/usr/share/drirc.d/** r,
/etc/drirc r,
owner @{HOME}/.drirc r,
# EGL (seems not needed atm)
# /usr/lib/@{multiarch}/egl/*.so* mr,
# DRI mapping (parts of from abstractions/X)
/usr/lib/@{multiarch}/dri/** mr,
/usr/lib{,32,64}/dri/** mr,
/usr/lib/fglrx/dri/** mr,
# glvnd
/etc/glvnd/egl_vendor.d/{,*} r,
/usr/share/glvnd/egl_vendor.d/{,*} r,
# it needs things "behind" the rendernode device
# e.g. /sys/devices/pci0000:00/0000:00:02.0/uevent
# could maybe be reverse mapped via
# /dev/dri/by-path/pci-0000:00:02.0-render -> ../renderD128 (or other
# data source that we don't know yet)
/sys/devices/pci0000:00/0000:00:02.0/{uevent,vendor,device,subsystem_vendor,subsystem_device} r,
/sys/devices/pci0000:00/0000:00:02.0/drm/renderD128/{uevent,vendor,device,subsystem_vendor,subsystem_device} r,
# only occurs with gl enabled, maybe some libs ?
/var/lib/libvirt/.cache/ rw,
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
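Added example, not code from the mail, from libvirt or from virt-aa-helper: one way to do the reverse mapping asked about in question 3 without a /sys/devices/*/*/... wildcard. Instead of the udev-managed /dev/dri/by-path link mentioned in the mail, it follows the kernel's own /sys/class/drm/<node> symlink to the DRM device directory and that directory's device link to the owning PCI function, then prints the two sysfs rules from the proposed list with the concrete PCI address and node name filled in. The function names, the optional root argument and the fake sysfs tree are this example's own; the attribute list is the one the mail proposes; the sysfs layout it relies on (class symlink into /sys/devices, device symlink back to the PCI function) is how Linux lays it out.

```shell
#!/bin/sh
# Added example (not code from the mail, libvirt or virt-aa-helper):
# map a render node to the sysfs directories "behind" it and print the
# AppArmor rules the mail proposes for them, instead of a
# /sys/devices/*/*/... wildcard.
#
# Relies on the Linux sysfs layout: /sys/class/drm/<node> is a symlink
# into /sys/devices/..., and <node>/device links to the owning PCI
# function. Function names and the fake tree below are this example's own.
# The optional second argument is an alternative root (used for the
# constructed tree); it defaults to the real /.

# Print "<pci device dir> <drm device dir>" for a render node such as
# /dev/dri/renderD128; fail if sysfs has no entry for it.
rendernode_sysfs_paths() {
    node=$(basename "$1")
    sysroot=${2:-}
    link="$sysroot/sys/class/drm/$node"
    if [ ! -L "$link" ]; then
        echo "no sysfs entry for $node under $sysroot/sys/class/drm" >&2
        return 1
    fi
    drm_dir=$(readlink -f "$link")            # .../0000:00:02.0/drm/renderD128
    pci_dir=$(readlink -f "$drm_dir/device")  # .../pci0000:00/0000:00:02.0
    printf '%s %s\n' "$pci_dir" "$drm_dir"
}

# Emit the two sysfs rules from the mail for the given render node, with
# the concrete PCI address and node name filled in.
rendernode_aa_rules() {
    node=$1
    sysroot=${2:-}
    if [ -n "$sysroot" ]; then
        sysroot=$(readlink -f "$sysroot")  # canonical, so the prefix strips cleanly
    fi
    paths=$(rendernode_sysfs_paths "$node" "$sysroot") || return 1
    pci_dir=${paths%% *}
    drm_dir=${paths##* }
    pci_dir=${pci_dir#"$sysroot"}
    drm_dir=${drm_dir#"$sysroot"}
    attrs='{uevent,vendor,device,subsystem_vendor,subsystem_device}'
    printf '%s/%s r,\n' "$pci_dir" "$attrs"
    printf '%s/%s r,\n' "$drm_dir" "$attrs"
}

# Constructed fixture: a minimal copy of the sysfs layout for the device
# at 0000:00:02.0 from the mail, so the mapping can be exercised on a
# machine without a render node.
make_fake_sysfs() {
    root=$1
    pci="$root/sys/devices/pci0000:00/0000:00:02.0"
    mkdir -p "$pci/drm/renderD128" "$root/sys/class/drm"
    for a in uevent vendor device subsystem_vendor subsystem_device; do
        : > "$pci/$a"
    done
    : > "$pci/drm/renderD128/uevent"
    ln -s ../../../0000:00:02.0 "$pci/drm/renderD128/device"
    ln -s ../../devices/pci0000:00/0000:00:02.0/drm/renderD128 \
        "$root/sys/class/drm/renderD128"
}

# Usage: sh rendernode-rules.sh /dev/dri/renderD128   (against the real sysfs)
if [ $# -gt 0 ]; then
    rendernode_aa_rules "$1"
fi
```

Because the mapping goes through /sys/class/drm rather than /dev/dri/by-path, it works even on a system where the udev persistent-storage rules that create the by-path links are absent, and it fails loudly for a node that has no sysfs entry instead of silently emitting a rule for a guessed path.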