
20 Aug 2019, 1:09 p.m.
On Tue, 20 Aug 2019, Andrea Bolognani wrote:
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper @@ -18,8 +18,8 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { @{PROC}/filesystems r,
# Used when internally running another command (namely apparmor_parser) - @{PROC}/self/fd r, - @{PROC}/@{pid}/fd r, + @{PROC}/self/fd/ r,
/proc/self is a 'magic symlink' and apparmor will resolve symlinks before performing checks. As such, @{PROC}/self/fd/ is redundant with the next rule.
+ @{PROC}/@{pid}/fd/ r,
This access LGTM. +1 to apply.

--
Jamie Strandboge | http://www.canonical.com
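
Review bot: The added `@{PROC}/self/fd/ r,` line under the "Used when internally running another command" comment overlaps with the `@{PROC}/@{pid}/fd/ r,` line added right after it, because AppArmor mediates the path after /proc/self has been resolved to the per-pid directory. Keeping only `@{PROC}/@{pid}/fd/ r,` grants the same access with one rule. The comment above the rules could also state that the trailing slash is what makes the rule match the fd directory itself, since that is the only difference from the two removed lines and is easy to lose in a later cleanup.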