[libvirt PATCH] apparmor: Enable passt support
passt provides an AppArmor abstraction that covers all the
inner details of its operation, so we can simply import that
and add the libvirt-specific parts on top: namely, passt
needs to be able to create a socket and pid file, while
the libvirt daemon needs to be able to kill passt.
Signed-off-by: Andrea Bolognani <abologna(a)redhat.com>
Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>
---
src/security/apparmor/libvirt-qemu | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 9af1333b22..44056b5f14 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -185,6 +185,21 @@
/usr/{lib,lib64}/libswtpm_libtpms.so mr,
/usr/lib/(a){multiarch}/libswtpm_libtpms.so mr,
+ # support for passt network back-end
+ /usr/bin/passt Cx -> passt,
+
+ profile passt {
+ /usr/bin/passt r,
+
+ signal (receive) set=("term") peer=/usr/sbin/libvirtd,
+ signal (receive) set=("term") peer=libvirtd,
+ signal (receive) set=("term") peer=virtqemud,
+
+ owner /{,var/}run/libvirt/qemu/passt/* rw,
+
+ include if exists <abstractions/passt>
+ }
+
# for save and resume
/{usr/,}bin/dash rmix,
/{usr/,}bin/dd rmix,
--
2.39.2