On Tue, Mar 07, 2023 at 07:04:25PM +0000, Daniel P. Berrangé wrote:
> On Tue, Mar 07, 2023 at 08:02:37PM +0100, Andrea Bolognani wrote:
> + # support for passt network back-end
> + /usr/bin/passt Cx -> passt,
> +
> + profile passt {
> + /usr/bin/passt r,
> +
> + signal (receive) set=("term") peer=/usr/sbin/libvirtd,
> + signal (receive) set=("term") peer=libvirtd,
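
Review bot: the two signal (receive) rules at the end of this hunk differ only in how the peer is written (peer=/usr/sbin/libvirtd and peer=libvirtd), and nothing in the hunk says why both forms are needed. Add a one-line comment above them stating which peer name each rule is meant to match, or keep a single rule if one form is enough.
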

> What's the rationale for having both qualified & unqualified
> here, but not below?

Cargo cult. That's what the top-level profile does, so I figured it
would be good enough for the subprofile too.

I've seen stuff like peer=(label=libvirtd) as well, but I haven't
investigated the various notations and how exactly they differ.

There's plenty of room for improvement in the AppArmor profile in
general, but that's a task for another day :)

--
Andrea Bolognani / Red Hat / Virtualization