This is sort of safe because:

- while /tmp could contain anything, it is not recommended to put critical data there anyway
- while it would be hard to predict the PID as part of the string (this is not exposed through https://libvirt.org/formatdomain.html) so that virt-aa-helper could generate it, it is guarded by the "owner" statement
In fact there already is an abstraction meant for this, apparmor.d/abstractions/user-tmp:

  # per-user tmp directories
  owner @{HOME}/tmp/** rwkl,
  owner @{HOME}/tmp/ rw,

  # global tmp directories
  owner /var/tmp/** rwkl,
  /var/tmp/ rw,
  owner /tmp/** rwkl,
  /tmp/ rw,

This should be perfectly fine to be added, I'd think.

https://bugs.launchpad.net/bugs/1786159
Title: qemu smb feature blocked by apparmor
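To show why the "owner" qualifier is what makes the user-tmp abstraction safe here, the following is an added Python example, not code from the bug thread or from AppArmor itself: it parses the user-tmp rules quoted above (with @{HOME} expanded to a constructed home directory) and evaluates sample file accesses with and without the confined task owning the file. AppArmor's glob and permission semantics are approximated ('**' matches any characters including '/', '*' any except '/', permissions from all matching rules accumulate).

```python
import re

# The user-tmp abstraction quoted in the bug comment, with @{HOME}
# expanded to a constructed home directory for this example.
USER_TMP_RULES = """
# per-user tmp directories
owner /home/alice/tmp/** rwkl,
owner /home/alice/tmp/ rw,
# global tmp directories
owner /var/tmp/** rwkl,
/var/tmp/ rw,
owner /tmp/** rwkl,
/tmp/ rw,
"""

# Only the simple "[owner] <path> <perms>," rule shape is supported.
RULE_RE = re.compile(r'^(owner\s+)?(\S+)\s+([rwkl]+)\s*,$')

def glob_to_regex(pattern):
    """Translate an AppArmor path glob into an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith('**', i):
            out.append('.*')          # any chars, including '/'
            i += 2
        elif pattern[i] == '*':
            out.append('[^/]*')       # any chars except '/'
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile('^' + ''.join(out) + '$')

def parse_rules(text):
    """Return a list of (owner_only, path_regex, permission_set) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()   # drop comments / blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError('unsupported rule: ' + line)
        rules.append((bool(m.group(1)), glob_to_regex(m.group(2)), set(m.group(3))))
    return rules

def permitted(rules, path, perms, owned_by_task):
    """True if every requested permission is granted by some matching rule.
    Rules with the 'owner' qualifier apply only when the confined task's
    fsuid matches the file's owner (owned_by_task)."""
    granted = set()
    for owner_only, regex, rule_perms in rules:
        if owner_only and not owned_by_task:
            continue
        if regex.match(path):
            granted |= rule_perms
    return set(perms) <= granted
```

The interesting cases are a file under /tmp that belongs to another user (write is refused even though the path matches) versus the /tmp/ directory itself (readable by anyone, as the unguarded rule says).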