
On a Wednesday in 2025, Michal Privoznik wrote:
On some systems /run is mounted as:
tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=348508k,mode=755,inode64)
and /var/run is then just a symlink:
# ls -ld /var/run
lrwxrwxrwx 1 root root 4 Apr 23 2024 /var/run -> /run
But because we still think it's 2004 and FHS 2.3 is active we have a rule in our meson.build which constructs RUNSTATEDIR as the following:
runstatedir = get_option('runstatedir')
if runstatedir == ''
  runstatedir = localstatedir / 'run'
endif
which (if unspecified on meson setup line) results in "/var/run".
This in turn means that when we're generating an AppArmor profile for a domain with allowed paths, it contains stuff like:
/var/run/libvirt/qemu/swtpm/2-guest-swtpm.sock
But because of the aforementioned symlink the real path is:
/run/libvirt/qemu/swtpm/2-guest-swtpm.sock
and thus AppArmor denies access:
audit: type=1400 audit(1740480419.348:415): apparmor="DENIED" operation="connect" class="file" profile="libvirt-126f2720-6f8e-45ab-a886-ec9277079a67" name="/run/libvirt/qemu/swtpm/2-guest-swtpm.sock" pid=8080 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=64055
Fortunately, there's a nice trick: AppArmor profile variables. We already use some of them (@{PROC}, @{HOME}, @{multiarch}) and instead of RUNSTATEDIR we can use @{run} which is declared as:
# cat /etc/apparmor.d/tunables/run
@{run}=/run/ /var/run/
Added in 2020: https://gitlab.com/apparmor/apparmor/-/commit/452b5b8735e449cba29a1fb25c9bff...
and thus covers both scenarios.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/security/virt-aa-helper.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
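As an added illustration (not libvirt's or AppArmor's code), a small Python script that expands the @{run} tunable quoted above for a literal rule path and checks the audited socket path against the old RUNSTATEDIR-based rule and the @{run}-based one. It assumes one level of variable expansion and no globbing; the tunable text and audit line are the ones from the mail, embedded as sample input.

```python
import re

# Copy of the tunable quoted in the mail (on a real host: /etc/apparmor.d/tunables/run).
TUNABLES_RUN = "@{run}=/run/ /var/run/\n"

# The DENIED event quoted in the mail, embedded here as sample input.
AUDIT_LINE = (
    'audit: type=1400 audit(1740480419.348:415): apparmor="DENIED" '
    'operation="connect" class="file" '
    'profile="libvirt-126f2720-6f8e-45ab-a886-ec9277079a67" '
    'name="/run/libvirt/qemu/swtpm/2-guest-swtpm.sock" pid=8080 '
    'comm="qemu-system-x86" requested_mask="wr" denied_mask="wr"'
)


def parse_tunables(text):
    """Parse '@{name}=value value ...' lines into {name: [values]}."""
    tunables = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"@\{(\w+)\}\s*=\s*(.+)$", line)
        if m:
            tunables[m.group(1)] = m.group(2).split()
    return tunables


def expand_rule_path(path, tunables):
    """Expand each @{var} into every declared alternative (one level, no globbing).
    '@{run}/x' with '@{run}=/run/' yields '/run//x'; repeated slashes are collapsed."""
    paths = [path]
    for name, values in tunables.items():
        token = "@{" + name + "}"
        expanded = []
        for p in paths:
            if token in p:
                expanded.extend(p.replace(token, v) for v in values)
            else:
                expanded.append(p)
        paths = expanded
    return [re.sub(r"/+", "/", p) for p in paths]


def denied_name(audit_line):
    """Pull the accessed path (name="...") out of an AppArmor audit record."""
    m = re.search(r'name="([^"]+)"', audit_line)
    return m.group(1) if m else None


def rule_covers(rule_path, accessed_path, tunables):
    """True if a literal profile rule path matches the audited path."""
    return accessed_path in expand_rule_path(rule_path, tunables)
```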
Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano