
On Tue, Mar 07, 2023 at 08:02:37PM +0100, Andrea Bolognani wrote:
passt provides an AppArmor abstraction that covers all the inner details of its operation, so we can simply import that and add the libvirt-specific parts on top: namely, passt needs to be able to create a socket and pid file, while the libvirt daemon needs to be able to kill passt.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> --- src/security/apparmor/libvirt-qemu | 15 +++++++++++++++ 1 file changed, 15 insertions(+)
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu index 9af1333b22..44056b5f14 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -185,6 +185,21 @@ /usr/{lib,lib64}/libswtpm_libtpms.so mr, /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
+ # support for passt network back-end + /usr/bin/passt Cx -> passt, + + profile passt { + /usr/bin/passt r, + + signal (receive) set=("term") peer=/usr/sbin/libvirtd, + signal (receive) set=("term") peer=libvirtd,
What's the rationale for having both qualified & unqualified here, but not below ?
+ signal (receive) set=("term") peer=virtqemud, + + owner /{,var/}run/libvirt/qemu/passt/* rw, + + include if exists <abstractions/passt> + }
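Review bot: the `include if exists <abstractions/passt>` closing the child profile tolerates a missing abstraction silently at profile load, yet the commit message relies on that abstraction for all of passt's inner operation; on a host where `/etc/apparmor.d/abstractions/passt` is absent, the `passt` child profile would load fine but allow little beyond `/usr/bin/passt r` and the `/{,var/}run/libvirt/qemu/passt/*` socket/pid paths, so passt would fail at runtime with AppArmor denials rather than with a clear load-time error. Consider a comment above the include stating that the abstraction ships with passt and is required for the back-end to work, or a plain `include <abstractions/passt>` if libvirt packaging can depend on a passt version that provides it.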
With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|