On Thu, Jan 30, 2020 at 8:05 AM Michal Privoznik <[email protected]> wrote:
> Both of these binaries are spawned by libvirt. Add a rule to the > default profile to allow that. > > Signed-off-by: Michal Privoznik <[email protected]> > --- > src/security/apparmor/usr.sbin.libvirtd | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/src/security/apparmor/usr.sbin.libvirtd > b/src/security/apparmor/usr.sbin.libvirtd > index 2089ba1b3e..27314b1512 100644 > --- a/src/security/apparmor/usr.sbin.libvirtd > +++ b/src/security/apparmor/usr.sbin.libvirtd > @@ -100,6 +100,8 @@ profile libvirtd /usr/sbin/libvirtd > flags=(attach_disconnected) { > audit deny /sys/kernel/security/apparmor/.* rwxl, > /sys/kernel/security/apparmor/profiles r, > /usr/{lib,lib64}/libvirt/* PUxr, > + /usr/libexec/virt-aa-helper PUxr, > + /usr/libexec/libvirt_lxc PUxr, > Again - I'd appreciate if we could here use generated paths based on --libexecdir configure option. > /usr/libexec/libvirt_parthelper ix, > /usr/libexec/libvirt_iohelper ix, > /etc/libvirt/hooks/** rmix, > -- > 2.24.1 > > -- Christian Ehrhardt Staff Engineer, Ubuntu Server Canonical Ltd
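Review bot: The two added rules in the `@@ -100,6 +100,8 @@` hunk use `PUxr`, unlike the `ix` rules for `/usr/libexec/libvirt_parthelper` and `/usr/libexec/libvirt_iohelper` just below them, and `PUx` falls back to running the binary unconfined when no profile is attached to that exact path. Please confirm that profiles attaching to `/usr/libexec/virt-aa-helper` and `/usr/libexec/libvirt_lxc` are shipped and loaded on systems that use this libexec layout, and state in the commit message whether the unconfined fallback is intended for either binary. The paths are also hardcoded to `/usr/libexec`, so the rules will not match on builds configured with a different `--libexecdir`.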
