Jamie Strandboge:
On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote:
> + # Alow access to ecryptfs files (LP: #591769)
> + @{HOME}/.Private/** mrwlk,
> + @{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk,
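Review bot: both added rules grant mrwlk on everything under .Private with no owner qualifier, so the profile permits mapping, writing, linking and locking ecryptfs files under any user's home directory, not only files owned by the confined process's user. Prefix each rule with owner and reduce the mode to what the helper actually needs, for example `owner @{HOME}/.Private/** r,` if read access is sufficient. The comment line also misspells "Allow" as "Alow".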
Hrmm, these rules were never meant to last as long as they have. That
said, they are already a part of the AppArmor base abstraction (using
owner match though) and virt-aa-helper uses '#include
<abstractions/base>'. Are these rules still needed considering the base
abstraction? I imagine at worst virt-aa-helper would only need 'r' for
some of these...
I concur with Jamie: I'd rather avoid spreading copies of these
rules around if we can.
Cheers,
--
intrigeri