Due to mediation of socket and signal activity, qemu:///session
connections that call qemu_bridge_helper currently fail.
We need the profile for libvirtd itself and the subprofile for
qemu-bridge-helper to be able to talk/notify to each other via unix socket and
signals.
Fixes:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1754871
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
examples/apparmor/usr.sbin.libvirtd | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index be4fabf..3102cab 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -65,6 +65,10 @@
signal (read, send) peer=libvirt-*,
signal (send) set=("kill", "term") peer=unconfined,
+ # For communication/control to qemu-bridge-helper
+ unix (send, receive) type=stream addr=none
peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
+ signal (send) set=("term") peer=/usr/sbin/libvirtd//qemu_bridge_helper,
+
# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
/ r,
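Review bot: The signal rule added as `+ signal (send) set=("term") peer=/usr/sbin/libvirtd//qemu_bridge_helper,` grants only SIGTERM, while the existing rule two lines above it grants both `kill` and `term` towards unconfined peers. If libvirtd's process-abort path escalates to SIGKILL when the helper does not exit on SIGTERM (virCommandAbort behaves this way as far as I recall; worth confirming), that second signal would be denied under this profile, leaving a helper that cannot be torn down. Consider `signal (send) set=("kill", "term") peer=/usr/sbin/libvirtd//qemu_bridge_helper,` here and the matching `signal (receive) set=("kill", "term") peer=/usr/sbin/libvirtd,` in the second hunk so the two sides stay symmetric. The `peer=(label=...)` continuation of the unix rule appears to have lost its `+` marker in this rendering; it is part of the same rule, which is fine for apparmor_parser since the comma terminates it.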
@@ -112,6 +116,10 @@
network inet stream,
+ # For communication/control from libvirtd
+ unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
+ signal (receive) set=("term") peer=/usr/sbin/libvirtd,
+
/dev/net/tun rw,
/etc/qemu/** r,
owner @{PROC}/*/status r,
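Review bot: The new rule `+ unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),` gives no hint why `addr=none` is used, and a later maintainer may read it as an oversight and widen it. A comment such as `# addr=none: the socket is unbound (inherited socketpair), so this never matches a named or abstract socket` would record the intent; the same applies to the matching rule in the first hunk. The `peer=(label=/usr/sbin/libvirtd)` and `peer=/usr/sbin/libvirtd` values hard-code the parent profile's name, so if this profile is ever attached under a different path both labels, and the `//qemu_bridge_helper` label in the first hunk, have to be changed together.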