On 6/23/21 11:43 PM, Christian Ehrhardt wrote:
On Wed, Jun 23, 2021 at 1:28 AM Jim Fehlig <jfehlig(a)suse.com> wrote:
>
> I noticed the following denial messages from apparmor in audit.log when
> starting confined VMs via the QEMU driver
>
> type=AVC msg=audit(1623864006.370:837): apparmor="DENIED" operation="open" \
> profile="virt-aa-helper" name="/etc/libnl/classid" pid=11265 \
> comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>
> type=AVC msg=audit(1623864006.582:849): apparmor="DENIED" operation="open" \
> profile="libvirt-0ca2720d-6cff-48bb-86c2-61ab9a79b6e9" \
> name="/etc/libnl/classid" pid=11270 comm="qemu-system-x86" \
> requested_mask="r" denied_mask="r" fsuid=107 ouid=0
>
> It is possible for site admins to assign names to classids in this file,
> which are then used by all libnl tools, possibly those used by libvirt.
> To be on the safe side, allow read access to the file in the virt-aa-helper
> profile and the libvirt-qemu abstraction.
>
> Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
While this particular rule would be covered in
abstractions/nameservice, that would allow much more.
Christian B. mentioned that in V1, and also discouraged its use for the single file.
I agree: if we really only need libnl and nothing else, then
adapting/adding the existing rule should be better.
Reviewed-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
Thanks! I've pushed 3 and 4, and after making a few more tweaks sent a V3 of the
others.
Regards,
Jim