{ "id": 2217005, "url": "http://patchwork.ozlabs.org/api/patches/2217005/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260327102515.502822-5-cathy.hu@suse.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260327102515.502822-5-cathy.hu@suse.com>", "list_archive_url": null, "date": "2026-03-27T10:25:19", "name": "[RFC] qga: Add selinux-helper for guest-exec subcommand (bsc#1237450)", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "21b4ebe92ae3c9c7e7d6b27652383bf792d4d944", "submitter": { "id": 92988, "url": "http://patchwork.ozlabs.org/api/people/92988/?format=api", "name": "Cathy Hu", "email": "cathy.hu@suse.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260327102515.502822-5-cathy.hu@suse.com/mbox/", "series": [ { "id": 497772, "url": "http://patchwork.ozlabs.org/api/series/497772/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=497772", "date": "2026-03-27T10:25:19", "name": "[RFC] qga: Add selinux-helper for guest-exec subcommand (bsc#1237450)", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/497772/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2217005/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2217005/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) 
header.d=suse.com header.i=@suse.com header.a=rsa-sha256\n header.s=susede1 header.b=LkveOLzq;\n\tdkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com\n header.a=rsa-sha256 header.s=susede1 header.b=LkveOLzq;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)", "smtp-out2.suse.de;\n\tnone" ], "Received": [ "from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fj2L061q0z1xy1\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 28 Mar 2026 00:58:32 +1100 (AEDT)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1w67hg-0003jC-J2; Fri, 27 Mar 2026 09:58:24 -0400", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <cathy.hu@suse.com>) id 1w64Rn-0000GF-4N\n for qemu-devel@nongnu.org; Fri, 27 Mar 2026 06:29:48 -0400", "from smtp-out2.suse.de ([195.135.223.131])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from <cathy.hu@suse.com>) id 1w64Rk-0004Cp-OZ\n for qemu-devel@nongnu.org; Fri, 27 Mar 2026 06:29:46 -0400", "from imap1.dmz-prg2.suse.org (unknown [10.150.64.97])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-out2.suse.de (Postfix) with ESMTPS id A7F2D5BD8A;\n Fri, 27 Mar 2026 10:29:39 +0000 (UTC)", "from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 
bits)\n key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n (No client certificate requested)\n by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 82CBE4A0A2;\n Fri, 27 Mar 2026 10:29:39 +0000 (UTC)", "from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167])\n by imap1.dmz-prg2.suse.org with ESMTPSA id B3GlHhNcxmkwXAAAD6G6ig\n (envelope-from <cathy.hu@suse.com>); Fri, 27 Mar 2026 10:29:39 +0000" ], "DKIM-Signature": [ "v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1;\n t=1774607379;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n mime-version:mime-version:\n content-transfer-encoding:content-transfer-encoding;\n bh=H5zkz6jkP14jMftfP/gifRHwfT26GdKn69dqy76cSVg=;\n b=LkveOLzqPJqxbbrQUeixYZSJShbueOMFOVucrXpBG2huzA9u0H95ZY2NGRwTP1CVkSSZ3j\n 6O7rciLrSe3yV5JXjHraH/ukOqV3SoBFIKuLc1oROHM7JrBR1OOL3yuPkkbUhhmFS2jx/G\n 9a2jy1/35X4QHjmw4mw7T7I+A5v2nnE=", "v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1;\n t=1774607379;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n mime-version:mime-version:\n content-transfer-encoding:content-transfer-encoding;\n bh=H5zkz6jkP14jMftfP/gifRHwfT26GdKn69dqy76cSVg=;\n b=LkveOLzqPJqxbbrQUeixYZSJShbueOMFOVucrXpBG2huzA9u0H95ZY2NGRwTP1CVkSSZ3j\n 6O7rciLrSe3yV5JXjHraH/ukOqV3SoBFIKuLc1oROHM7JrBR1OOL3yuPkkbUhhmFS2jx/G\n 9a2jy1/35X4QHjmw4mw7T7I+A5v2nnE=" ], "From": "Cathy Hu <cathy.hu@suse.com>", "To": "qemu-devel@nongnu.org", "Cc": "Cathy Hu <cahu@suse.de>, Fabiano Rosas <fabiano.rosas@suse.com>,\n KVM Bugs <kvm-bugs@suse.de>", "Subject": "[PATCH RFC] qga: Add selinux-helper for guest-exec subcommand\n (bsc#1237450)", "Date": "Fri, 27 Mar 2026 11:25:19 +0100", "Message-ID": "<20260327102515.502822-5-cathy.hu@suse.com>", "X-Mailer": "git-send-email 2.53.0", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-Spam-Score": "-2.80", "X-Spamd-Result": "default: False [-2.80 / 50.00]; BAYES_HAM(-3.00)[100.00%];\n 
NEURAL_HAM_LONG(-1.00)[-1.000]; MID_CONTAINS_FROM(1.00)[];\n R_MISSING_CHARSET(0.50)[]; NEURAL_HAM_SHORT(-0.20)[-1.000];\n MIME_GOOD(-0.10)[text/plain]; MIME_TRACE(0.00)[0:+];\n TO_DN_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[];\n DKIM_SIGNED(0.00)[suse.com:s=susede1];\n TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[];\n RCPT_COUNT_THREE(0.00)[4]; FROM_EQ_ENVFROM(0.00)[];\n DBL_BLOCKED_OPENRESOLVER(0.00)[suse.de:email,suse.com:url,suse.com:mid,imap1.dmz-prg2.suse.org:helo];\n RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]", "Received-SPF": "pass client-ip=195.135.223.131; envelope-from=cathy.hu@suse.com;\n helo=smtp-out2.suse.de", "X-Spam_score_int": "-43", "X-Spam_score": "-4.4", "X-Spam_bar": "----", "X-Spam_report": "(-4.4 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,\n RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-Mailman-Approved-At": "Fri, 27 Mar 2026 09:58:17 -0400", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "From: Cathy Hu <cahu@suse.de>\n\nProblem:\n\nATM the QEMU Guest Agent and SELinux are not working together 
properly.\nThe Fedora (and therefore also the openSUSE) policy confines the qemu-guest-agent\nservice in the domain `qemu_ga_t`. That means, qemu-guest-agent\nis only allowed to do what the policy says.\n\nHowever, the `guest-exec` command allows arbitrary execution\nof code from a privileged service, which conflicts with the\nnotion of SELinux confinement.\n\nATM, the policy allows only some accesses that are used\nby other qemu-guest-agent commands.\nThat means, the qemu-guest-agent fails sporadically, depending\non what is allowed for other commands.\nHowever, `guest-exec` would need to allow everything.\n\nsee https://bugzilla.suse.com/show_bug.cgi?id=1237450\n\nSolution:\n\nThis is not a great solution, but it works like this:\nWe add a \"wrapper\" which is executed instead of the program\nthat is called via `guest-exec`. The \"wrapper\" just\nre-executes the command given by `guest-exec`.\nThis way, on the SELinux policy side we can give that\nwrapper executable a label on the file system.\nWith that label, we can transition into a broader\nunconfined domain _and_ toggle that transition with a\nSELinux boolean. That would make `guest-exec`\nconsistently allowed to execute or not by policy.\n\nThis needs a change on the SELinux policy side to\naccompany this with:\nhttps://github.com/fedora-selinux/selinux-policy/pull/3122\n\nWhat other options have been tried unsuccessfully:\n\n- Fixing via SELinux policy: It is not possible for\n one domain to have different permissions depending on\n code path. 
It is also not possible to toggle the permissive\n state via a SELinux boolean, so users would need\n to add it via semanage.\n- Setting the domain of the executed commands directly\n to a broader domain with setcon/setexeccon.\n The SELinux kernel does not allow to spawn a process\n directly with those that has broader privileges than the parent.\n\nWhat other options are there to solve this issue:\n\n- Making the qemu-guest-agent unconfined by default\n- Document the workaround to use semanage to make the domain permissive\n if `exec-guest` is needed as works as intended and ignore the problem\n\nSigned-off-by: Cathy Hu <cahu@suse.de>\n---\n qga/commands.c | 13 +++++++++++++\n qga/meson.build | 7 +++++++\n qga/qemu-ga-selinux-helper.c | 17 +++++++++++++++++\n 3 files changed, 37 insertions(+)\n create mode 100644 qga/qemu-ga-selinux-helper.c", "diff": "diff --git a/qga/commands.c b/qga/commands.c\nindex 5f20af25d3..29c092630b 100644\n--- a/qga/commands.c\n+++ b/qga/commands.c\n@@ -30,6 +30,10 @@\n */\n #define GUEST_FILE_READ_COUNT_MAX (48 * MiB)\n \n+#ifdef CONFIG_SELINUX\n+#define GUEST_EXEC_SELINUX_HELPER CONFIG_QEMU_HELPERDIR \"/qemu-ga-selinux-helper\"\n+#endif\n+\n /* Note: in some situations, like with the fsfreeze, logging may be\n * temporarily disabled. if it is necessary that a command be able\n * to log for accounting purposes, check ga_logging_enabled() beforehand.\n@@ -418,6 +422,9 @@ GuestExec *qmp_guest_exec(const char *path,\n GuestExecInfo *gei;\n char **argv, **envp;\n strList arglist;\n+#ifdef CONFIG_SELINUX\n+ strList helper_arg;\n+#endif\n gboolean ret;\n GError *gerr = NULL;\n gint in_fd, out_fd, err_fd;\n@@ -439,7 +446,13 @@ GuestExec *qmp_guest_exec(const char *path,\n }\n }\n \n+#ifdef CONFIG_SELINUX\n+ helper_arg.value = get_relocated_path(GUEST_EXEC_SELINUX_HELPER);\n+ helper_arg.next = &arglist;\n+ argv = guest_exec_get_args(&helper_arg, true);\n+#else\n argv = guest_exec_get_args(&arglist, true);\n+#endif\n envp = has_env ? 
guest_exec_get_args(env, false) : NULL;\n \n flags = G_SPAWN_SEARCH_PATH | G_SPAWN_DO_NOT_REAP_CHILD |\ndiff --git a/qga/meson.build b/qga/meson.build\nindex 89a4a8f713..61f60fba26 100644\n--- a/qga/meson.build\n+++ b/qga/meson.build\n@@ -125,6 +125,13 @@ qga = executable('qemu-ga', qga_ss.sources() + qga_objs,\n install: true)\n all_qga += qga\n \n+if selinux.found()\n+ qga_selinux_helper = executable('qemu-ga-selinux-helper', files('qemu-ga-selinux-helper.c'),\n+ install: true,\n+ install_dir: get_option('libexecdir'))\n+ all_qga += qga_selinux_helper\n+endif\n+\n if host_os == 'windows'\n qemu_ga_msi_arch = {\n 'x86': ['-D', 'Arch=32'],\ndiff --git a/qga/qemu-ga-selinux-helper.c b/qga/qemu-ga-selinux-helper.c\nnew file mode 100644\nindex 0000000000..a184e74ede\n--- /dev/null\n+++ b/qga/qemu-ga-selinux-helper.c\n@@ -0,0 +1,17 @@\n+/* SPDX-License-Identifier: GPL-2.0-or-later */\n+#include <stdio.h>\n+#include <glib.h>\n+\n+int main(int argc, char **argv)\n+{\n+ if (argc < 2) {\n+ return EXIT_FAILURE;\n+ }\n+\n+ execvp(argv[1], argv + 1);\n+\n+ int err = errno;\n+ fprintf(stderr, \"%s: %s\\n\", argv[1], strerror(err));\n+\n+ exit(EXIT_FAILURE);\n+}\n", "prefixes": [ "RFC" ] }
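Review bot: In the third qga/commands.c hunk, `helper_arg.value = get_relocated_path(GUEST_EXEC_SELINUX_HELPER);` stores a string that is never released; if get_relocated_path() returns heap memory as it does elsewhere in QEMU, every guest-exec call leaks it once guest_exec_get_args() has copied the list, so hold it in an owned local, `g_autofree char *helper_path = get_relocated_path(GUEST_EXEC_SELINUX_HELPER);` followed by `helper_arg.value = helper_path;`. The interposition is also decided purely at build time by `#ifdef CONFIG_SELINUX`, so on a build with libselinux but SELinux disabled at runtime, or with the helper not installed under libexecdir, guest-exec gains an extra exec hop and fails if the helper is absent; consider gating the wrapper on a runtime check such as is_selinux_enabled() and documenting that decision in a comment above the block. The body of qmp_guest_exec continues outside the hunk.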
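Review bot: qga/qemu-ga-selinux-helper.c uses execvp(), errno, strerror() and exit()/EXIT_FAILURE but includes only `<stdio.h>` and `<glib.h>`, so the declarations come, if at all, transitively through glib rather than from `<unistd.h>`, `<errno.h>`, `<string.h>` and `<stdlib.h>`; list those four headers explicitly and drop `<glib.h>`, from which nothing is used. Because this binary is the point where the SELinux label grants the domain transition into the broader domain, a short file comment should state that it is intentionally minimal and only re-executes `argv[1]` with `argv + 1`, so that later additions are weighed against that role. Note that execvp() resolves a relative `argv[1]` through the PATH the helper inherits from the guest-exec environment, which matches the `G_SPAWN_SEARCH_PATH` behaviour the command already had; a comment saying so would save the next reader the question.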