
On Mon, 03 Aug 2020, Christian Ehrhardt wrote:
From: Stefan Bader <stefan.bader@canonical.com>
Temporary directories are a common place images are placed by users for any sort of quick evaluation. Allow virt-aa-helper access to tmp via the existing user-tmp apparmor abstraction.
That way if a guest definition has paths in temporary directories virt-aa-helper can properly probe them e.g. for further backing files in the case of qcow2.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in index dfc61e8de4..3f204799a6 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -3,6 +3,7 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { #include <abstractions/base> #include <abstractions/nameservice> + #include <abstractions/user-tmp>
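Review bot: the `#include <abstractions/user-tmp>` added at the end of this hunk pulls in write access to the temporary directories, whereas every other disk rule in this profile is read-only (`/**.img r,`, `/**.qcow{,2} r,` and the rest quoted in the reply below). Since virt-aa-helper only needs to probe images and their backing files, a read-only rule scoped to the temporary directories would preserve the profile's least-privilege shape; the commit message should also quote the actual audit-log denial (path and requested_mask) so reviewers can confirm that the existing `/**` rules do not already match it.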
user-tmp allows write and all other accesses for disks are read. We have these rules:

/**.img r,
/**.raw r,
/**.qcow{,2} r,
/**.qed r,
/**.vmdk r,
/**.vhd r,
/**.[iI][sS][oO] r,
/**/disk{,.*} r,

Why are these not sufficient? What was the denial that triggered the issue?

-- 
Jamie Strandboge | http://www.canonical.com
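The question above is really "do the existing read-only rules already match an image under /tmp, and what exactly was denied?". The following added example (not code from the thread or from libvirt) answers both for a list of AppArmor rules: it implements a simplified matcher for AppArmor path globbing (`**` crosses `/`, `*` does not, `{a,b}` alternation, `[..]` classes) and a parser for an `apparmor="DENIED"` audit line. The rule list is copied from the reply; the audit log lines are constructed for illustration. It deliberately ignores deny rules, owner conditionals and included abstractions, so treat it as a way to reason about a profile, not as the real AppArmor parser.

```python
import re

# Rules copied from the virt-aa-helper profile as quoted in the thread (read-only).
DISK_READ_RULES = [
    "/**.img r,",
    "/**.raw r,",
    "/**.qcow{,2} r,",
    "/**.qed r,",
    "/**.vmdk r,",
    "/**.vhd r,",
    "/**.[iI][sS][oO] r,",
    "/**/disk{,.*} r,",
]


def expand_braces(pattern):
    """Expand AppArmor {a,b,...} alternation into a list of plain patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return out


def glob_to_regex(pattern):
    """Translate AppArmor path globbing to an anchored Python regex.

    '**' matches any characters including '/', '*' matches any characters
    except '/', '?' matches one non-'/' character, and [...] classes pass
    through unchanged. This is a simplification of AppArmor's real matcher.
    """
    regex = ""
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            regex += ".*"
            i += 2
            continue
        if c == "*":
            regex += "[^/]*"
        elif c == "?":
            regex += "[^/]"
        elif c == "[":
            j = pattern.index("]", i)
            regex += pattern[i:j + 1]
            i = j
        else:
            regex += re.escape(c)
        i += 1
    return "^" + regex + "$"


def parse_rule(rule):
    """Split a rule such as '/**.img r,' into (path_glob, set_of_perm_letters)."""
    path, perms = rule.rstrip(",").rsplit(None, 1)
    return path, set(perms)


def allowed(rules, path, perm):
    """Return the first rule that grants permission `perm` on `path`, or None."""
    for rule in rules:
        rule_path, perms = parse_rule(rule)
        if perm not in perms:
            continue
        for alt in expand_braces(rule_path):
            if re.match(glob_to_regex(alt), path):
                return rule
    return None


# Minimal audit-line parser: pulls the path and requested_mask out of a denial.
DENIAL_RE = re.compile(
    r'apparmor="DENIED".*?name="([^"]+)".*?requested_mask="([^"]+)"')


def explain_denial(rules, log_line):
    """Map each requested permission letter in a DENIED line to the rule that
    would grant it (or None if nothing in `rules` covers it)."""
    m = DENIAL_RE.search(log_line)
    if not m:
        return None
    path, mask = m.group(1), m.group(2)
    return {perm: allowed(rules, path, perm) for perm in mask}


# Constructed sample denials (not real log output from the reporter's system).
SAMPLE_READ_DENIAL = ('type=AVC msg=audit(1596456000.000:42): apparmor="DENIED" '
                      'operation="open" profile="virt-aa-helper" '
                      'name="/tmp/test.qcow2" pid=1234 comm="virt-aa-helper" '
                      'requested_mask="r" denied_mask="r" fsuid=0 ouid=1000')
SAMPLE_WRITE_DENIAL = SAMPLE_READ_DENIAL.replace('requested_mask="r" denied_mask="r"',
                                                 'requested_mask="w" denied_mask="w"')

if __name__ == "__main__":
    for path in ("/tmp/test.qcow2", "/tmp/backing.img", "/var/tmp/vm/disk", "/tmp/odd.bin"):
        print(path, "read ->", allowed(DISK_READ_RULES, path, "r"))
    print(explain_denial(DISK_READ_RULES, SAMPLE_READ_DENIAL))
    print(explain_denial(DISK_READ_RULES, SAMPLE_WRITE_DENIAL))
```

Run against the quoted rules, a read of `/tmp/test.qcow2` or of a `/tmp/backing.img` backing file is already matched by the `/**` rules, so a read denial on such a path would have to come from something other than the rule list above. A write request is matched by nothing, which is the gap that `abstractions/user-tmp` would fill, and also the reason the reply asks for the actual denial before widening the profile.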