Re: [libvirt] [PATCH v2 2/2] security: aa-helper: generate more rules for gl devices
On Fri, Feb 22, 2019 at 2:42 PM Jamie Strandboge <jamie(a)canonical.com> wrote:
On Mon, 18 Feb 2019, Christian Ehrhardt wrote:
> + virBufferAddLit(&buf, " \"/usr/lib{,32,64}/dri/**.so\"
mr,\n");
> + virBufferAddLit(&buf, "
\"/usr/lib/(a){multiarch}/dri/**.so\" mr,\n");
> + virBufferAddLit(&buf, " \"/usr/lib/fglrx/dri/**.so\"
mr,\n");
I'm sorry I think I wasn't clear on how to add in the .so files. I suggest:
At least I didn't make it up - I asked on apparmor channels and this
is what I got :-)
virBufferAddLit(&buf, "
\"/usr/lib{,32,64}/dri/*.so*\" mr,\n");
virBufferAddLit(&buf, " \"/usr/lib/(a){multiarch}/dri/*.so*\"
mr,\n");
virBufferAddLit(&buf, " \"/usr/lib/fglrx/dri/*.so*\" mr,\n");
This is slightly futureproofed with the trailing '*'. On my
system, the '**'
wasn't needed, but if you observe systems where it is, feel free to keep it.
I checked through all of Debian/Ubuntu with apt-file and found no
cases that really need the **.
Thereby I'll take your suggestion and push it (after another round of
safety builds) with your ack (as all else was already fine).
The other parts of this patch looked fine.
--
Jamie Strandboge | http://www.canonical.com
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd