Several cases were found needing /tmp; for example, ceph will try to list /tmp
and the samba feature of qemu will place things in /tmp/qemu-smb.*.
This is sort of safe because:
- While /tmp could contain anything it is not recommended to put critical
data there anyway
- We restrict general access to only dir listing and reading of files owned
(intentionally not the full power of user-tmp abstraction)
- While it would be hard to predict the PID as part of the string for the
qemu smb feature (this is not exposed through XML, so virt-aa-helper
can't help), it is guarded by the "owner" statement and a pretty clear
qemu-smb infix in the path.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
examples/apparmor/libvirt-qemu | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 5caf14e418..c4f231b328 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -180,6 +180,16 @@
# for rbd
/etc/ceph/ceph.conf r,
+ # various functions will need /tmp (e.g. ceph), allow the base dir and a
+ # few known functions.
+ # we want to avoid to give blanket read or even write to everything under /tmp
+ # so users are expected to add site specific addons for more uncommon cases.
+ # allow only dir listing and owner based file read
+ /{,var/}tmp/ r,
+ owner /{,var/}tmp/**/ r,
+ # allow qemu smb feature specific path with write access
+ owner /tmp/qemu-smb.*/{,**} rw,
+
# for file-posix getting limits since 9103f1ce
/sys/devices/**/block/*/queue/max_segments r,
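Review bot: the rule `owner /{,var/}tmp/**/ r,` does not grant what its comment and the commit message claim. In AppArmor a path ending in `/` matches directories only, so this line allows listing of owned subdirectories under /tmp and /var/tmp but no read of any file there, whereas the comment says "owner based file read" and the message says "reading of files owned". Either drop the trailing slash (`owner /{,var/}tmp/** r,`) if owned files are meant to be readable, or reword the comment and the commit message to say owned subdirectory listing only; as written, the only file access the hunk adds is the `rw` under /tmp/qemu-smb.*. Also worth stating in the comment why that qemu-smb rule is restricted to /tmp while the two listing rules cover both /tmp and /var/tmp, so a later reader does not "fix" the asymmetry.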
--
2.17.1