On Mon, 03 Aug 2020, Christian Ehrhardt wrote:
From: Stefan Bader <stefan.bader(a)canonical.com>
Temporary directories are a common place images are placed by users
for any sort of quick evaluation. Allow virt-aa-helper access to tmp
via the existing user-tmp apparmor abstraction.
That way if a guest definition has paths in temporary directories
virt-aa-helper can properly probe them e.g. for further backing files in
the case of qcow2.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index dfc61e8de4..3f204799a6 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -3,6 +3,7 @@
profile virt-aa-helper @libexecdir@/virt-aa-helper {
#include <abstractions/base>
#include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
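Review bot: the added `#include <abstractions/user-tmp>` grants broader access than the commit message justifies: that abstraction allows write access under the temp directories, while the rest of this profile only grants read access to disk images (`/**.img r,`, `/**.qcow{,2} r,` and similar), and the stated need, probing a guest's disk for qcow2 backing files, is a read operation. The commit message should quote the actual AppArmor denial that was hit and explain why the existing read-only `/**.qcow{,2} r,` style rules did not already match the path; if only reads are needed, a narrower read-only rule such as `/{,var/}tmp/** r,` would fit the profile's least-privilege pattern better than pulling in the whole abstraction.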
user-tmp allows write and all other accesses for disks are read. We have
these rules:
/**.img r,
/**.raw r,
/**.qcow{,2} r,
/**.qed r,
/**.vmdk r,
/**.vhd r,
/**.[iI][sS][oO] r,
/**/disk{,.*} r,
Why are these not sufficient? What was the denial that triggered the
issue?
--
Jamie Strandboge | http://www.canonical.com