On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote:
From: Jamie Strandboge <jamie@ubuntu.com>
Bug-Ubuntu: https://bugs.launchpad.net/bugs/591769
Signed-off-by: Stefan Bader <stefan.bader@canonical.com> --- examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper index bd6181d..d63c844 100644 --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper +++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper @@ -47,6 +47,10 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { audit deny @{HOME}/bin/** mrwkl, @{HOME}/ r, @{HOME}/** r, + # Alow access to ecryptfs files (LP: #591769) + @{HOME}/.Private/** mrwlk, + @{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk, +
Hrmm, these rules were never meant to last as long as they have. That said, they are already a part of the AppArmor base abstraction (using owner match though) and virt-aa-helper uses '#include <abstractions/base>'. Are these rules still needed considering the base abstraction? I imagine at worst virt-aa-helper would only need 'r' for some of these... -- Jamie Strandboge | http://www.canonical.com