On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote:
From: Jamie Strandboge <jamie(a)ubuntu.com>
Bug-Ubuntu: https://bugs.launchpad.net/bugs/591769
Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
---
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index bd6181d..d63c844 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -47,6 +47,10 @@ profile virt-aa-helper
/usr/{lib,lib64}/libvirt/virt-aa-helper {
audit deny @{HOME}/bin/** mrwkl,
@{HOME}/ r,
@{HOME}/** r,
+ # Alow access to ecryptfs files (LP: #591769)
+ @{HOME}/.Private/** mrwlk,
+ @{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk,
+
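Review bot: The two added rules for `@{HOME}/.Private/**` and `@{HOMEDIRS}/.ecryptfs/*/.Private/**` grant `mrwlk`, while the neighbouring `@{HOME}/ r,` and `@{HOME}/** r,` rules are read-only, so the helper gains write, link, lock and executable-mmap access to the `.Private` trees with no stated need in the comment or commit message. Unless write access is actually exercised, reduce both rules to `r` to match the other home-directory rules, and consider an `owner` prefix so they only match files owned by the process's user. The comment also has a typo: "Alow" should read "Allow".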
Hrmm, these rules were never meant to last as long as they have. That
said, they are already a part of the AppArmor base abstraction (using
owner match though) and virt-aa-helper uses '#include
<abstractions/base>'. Are these rules still needed considering the base
abstraction? I imagine at worst virt-aa-helper would only need 'r' for
some of these...
--
Jamie Strandboge | http://www.canonical.com