Test notes:
test file:
<domain type='kvm'>
  <name>symlink-test</name>
  <uuid>deadbeef-dead-beef-dead-beefdeadbeef</uuid>
  <memory unit='KiB'>1048576</memory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64'>hvm</type>
    <boot dev='hd'/>
  </os>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/run/symlinkdisk'/>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <interface type='vhostuser'>
      <model type='virtio'/>
      <source type='unix' path='/var/run/symlinknet' mode='server'/>
    </interface>
    <channel type='unix'>
      <source mode='bind' path='/var/run/symlinksocket'/>
      <target type='virtio' name='org.qemu.guest_agent.0'/>
    </channel>
  </devices>
</domain>
And /var/run being a symlink to /run (as it is by default in Ubuntu):
$ readlink /var/run
/run
Without the fix that creates:
$ ./src/virt-aa-helper -u libvirt-deadbeef-dead-beef-dead-beefdeadbeef -r --dryrun < /tmp/symlink-test.xml
/etc/apparmor.d/libvirt/libvirt-deadbeef-dead-beef-dead-beefdeadbeef.files
[...]
"/var/run/symlinkdisk" rwk,
"/var/run/symlinksocket" rw,
"/var/run/symlinknet" rw,
[...]
None of the rules have any effect, because AppArmor checks against
/run/... (the resolved symlink).
--
https://bugs.launchpad.net/bugs/1752361
Title:
virt-aa-helper should resolve symlinks and use only resolved paths
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
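The rule-generation step the report describes, as an added illustration (not virt-aa-helper's own code): a Python script that reads a constructed domain XML shaped like the test file above, builds a temporary directory in which var/run is a symlink to run, and emits the AppArmor file rules once with the raw XML paths and once after os.path.realpath() resolution. The helper names, the temp-dir layout and the three device paths are assumptions made for the demonstration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed test domain, shaped like the bug report's XML; {root} is a temp dir.
DOMAIN_XML = """<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'>
      <source file='{root}/var/run/symlinkdisk'/>
    </disk>
    <interface type='vhostuser'>
      <source type='unix' path='{root}/var/run/symlinknet' mode='server'/>
    </interface>
    <channel type='unix'>
      <source mode='bind' path='{root}/var/run/symlinksocket'/>
    </channel>
  </devices>
</domain>"""

def collect_paths(domain_xml):
    """Gather (path, mode) pairs for the device sources that become profile rules."""
    dom = ET.fromstring(domain_xml)
    pairs = [(e.get("file"), "rwk") for e in dom.findall("./devices/disk/source[@file]")]
    for sel in ("./devices/interface/source[@path]", "./devices/channel/source[@path]"):
        pairs += [(e.get("path"), "rw") for e in dom.findall(sel)]
    return pairs

def apparmor_rules(domain_xml, resolve_symlinks):
    """Emit AppArmor file rules; with resolve_symlinks the path is canonicalised first."""
    rules = []
    for path, mode in collect_paths(domain_xml):
        if resolve_symlinks:
            # AppArmor matches the resolved path, so every symlink component must go.
            path = os.path.realpath(path)
        rules.append(f'"{path}" {mode},')
    return rules

def demo():
    """Recreate the /var/run -> /run layout under a temp dir; return (root, naive, fixed)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "run"))
    os.makedirs(os.path.join(root, "var"))
    os.symlink(os.path.join(root, "run"), os.path.join(root, "var", "run"))
    xml = DOMAIN_XML.format(root=root)
    return root, apparmor_rules(xml, False), apparmor_rules(xml, True)

if __name__ == "__main__":
    for label, rules in zip(("without fix:", "with fix:"), demo()[1:]):
        print(label, *rules, sep="\n  ")
```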