Re: [libvirt PATCH] apparmor: Enable passt support
On Tue, Mar 07, 2023 at 08:02:37PM +0100, Andrea Bolognani wrote:
passt provides an AppArmor abstraction that covers all the
inner details of its operation, so we can simply import that
and add the libvirt-specific parts on top: namely, passt
needs to be able to create a socket and pid file, while
the libvirt daemon needs to be able to kill passt.
Signed-off-by: Andrea Bolognani <abologna(a)redhat.com>
Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>
---
src/security/apparmor/libvirt-qemu | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 9af1333b22..44056b5f14 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -185,6 +185,21 @@
/usr/{lib,lib64}/libswtpm_libtpms.so mr,
/usr/lib/(a){multiarch}/libswtpm_libtpms.so mr,
+ # support for passt network back-end
+ /usr/bin/passt Cx -> passt,
+
+ profile passt {
+ /usr/bin/passt r,
+
+ signal (receive) set=("term") peer=/usr/sbin/libvirtd,
+ signal (receive) set=("term") peer=libvirtd,
What's the rationale for having both qualified & unqualified
here, but not below ?
+ signal (receive) set=("term") peer=virtqemud,
+
+ owner /{,var/}run/libvirt/qemu/passt/* rw,
+
+ include if exists <abstractions/passt>
+ }
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|