Re: [libvirt] [PATCH 11/12] apparmor, virt-aa-helper: Allow access to ecryptfs files

Jamie Strandboge: > On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: >> + # Alow access to ecryptfs files (LP: #591769) >> + @{HOME}/.Private/** mrwlk, >> + @{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk, > Hrmm, these rules were never meant to last as long as they have. That > said, they are already a part of the AppArmor base abstraction (using > owner match though) and virt-aa-helper uses '#include > <abstractions/base>'. Are these rules still needed considering the base > abstraction? I imagine at worst virt-aa-helper would only need 'r' for > some of these... I concur with Jamie: I'd rather can avoid spreading copies of these rules around if we can.