Re: [PATCH v3 2/3] apparmor: Allow libvirt to spawn virt-aa-helper and libvirt_lxc

On 2/3/20 5:50 PM, Daniel P. Berrangé wrote: > On Thu, Jan 30, 2020 at 03:12:31PM +0100, Michal Privoznik wrote: > > Both of these binaries are spawn by libvirt. Add a rule to the > > default profile to allow that. > > > > Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; > > --- > > src/security/apparmor/usr.sbin.libvirtd.in | 2 ++ > > 1 file changed, 2 insertions(+) > > > > > diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in > > index f4fc51d705..c950a83db8 100644 > > --- a/src/security/apparmor/usr.sbin.libvirtd.in > > +++ b/src/security/apparmor/usr.sbin.libvirtd.in > > @@ -99,6 +99,8 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { > > audit deny /sys/kernel/security/apparmor/.* rwxl, > > /sys/kernel/security/apparmor/profiles r, > > @libexecdir@/* puxr, > > + @libexecdir@/virt-aa-helper PUxr, > > I'm really puzzelled about this one. If this was required, then surely > apparmor has been broken since day 1 this was introduced to libvirt ? > > Can anyone explain why we've been able todo with this rule forever ? > > > + @libexecdir@/libvirt_lxc PUxr, > > I can understand a little more why this might be missing, as it is > not so common as QEMU usage. Frankly, I don't understand that too. I just copied what was in the gentoo patch. But I can drop this one. The @libexecdir@/* rule should allow what is needed anyway.