On Tue, Jan 30, 2024 at 07:15:51PM +0100, Stefano Brivio wrote:
> Commit 7a39b04d683f ("apparmor: Enable passt support") grants
> passt(1) read-write access to /{,var/}run/libvirt/qemu/passt/* if
> started by the libvirt daemon. That's the path where passt creates
> PID and socket files only if the guest is started by the root user.
>
> If the guest is started by another user, though, the path is more
> commonly /var/run/user/$UID/libvirt/qemu/run/passt: add it as
> read-write location. Otherwise, passt won't be able to start, as
> reported by Andreas.
>
> While at it, replace /{,var/}run/ in the existing rule by its
> corresponding tunable variable, @{run}.
>
> Reported-by: Andreas B. Mundt <andi(a)debian.org>
> Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061678
> Fixes: 7a39b04d683f ("apparmor: Enable passt support")
> Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>
> ---
> src/security/apparmor/libvirt-qemu.in | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in
> index f40f471891..8b92915281 100644
> --- a/src/security/apparmor/libvirt-qemu.in
> +++ b/src/security/apparmor/libvirt-qemu.in
> @@ -196,7 +196,8 @@
> signal (receive) set=("term") peer=libvirtd,
> signal (receive) set=("term") peer=virtqemud,
>
> - owner /{,var/}run/libvirt/qemu/passt/* rw,
> + owner @{run}/user/[0-9]*/libvirt/qemu/run/passt/* rw,
> + owner @{run}/libvirt/qemu/passt/* rw,
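Review bot: the new `@{run}/user/[0-9]*/libvirt/qemu/run/passt/*` rule relies entirely on the `owner` qualifier to keep it from widening access across users, and that reasoning belongs in the commit message or a comment next to the rule. AppArmor's `[0-9]*` glob matches any directory name that starts with a digit, not only numeric UIDs, so on its own the pattern would cover every per-user runtime directory under `@{run}/user/`; it is the `owner` prefix on both added lines that limits access to files owned by the confined process's own UID, so passt started for one user cannot reach another user's socket or PID files. Also worth stating in the message: the existing `/{,var/}run/` rule is replaced by `@{run}` rather than kept alongside it, so the change depends on the `@{run}` tunable being defined wherever this profile is installed.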
Makes sense to me, so

Reviewed-by: Andrea Bolognani <abologna(a)redhat.com>

I'll give Jim and others a chance to take a look before pushing.

I just realized that you sent the patch to the old mailing list
address. We've migrated somewhat recently, so that's completely
understandable :)

I've adjusted the recipient now. I don't think it's necessary for you
to post the patch again, as its contents are fully contained within
the quoted part of this message.
--
Andrea Bolognani / Red Hat / Virtualization