Re: [PATCH 7/8] apparmor: allow virt-aa-helper to read openvswitch sockets

On Mon, 03 Aug 2020, Christian Ehrhardt wrote: > From: Serge Hallyn <serge.hallyn(a)ubuntu.com&gt; > > Chardevs/sockets configured for openvswitch-dpdk use cases > might be probed by virt-aa-helper. Allow that access to enable > virt-aa-helper rendering per-guest rules for the actual qemu > guest accessing these sockets eventually. > > Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com&gt; > Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com&gt; > Signed-off-by: Serge Hallyn <serge.hallyn(a)ubuntu.com&gt; > --- > src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in > index 3f204799a6..877cb04b1e 100644 > --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in > +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in > @@ -46,6 +46,9 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { > @sysconfdir(a)/apparmor.d/libvirt/* r, > @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, > > + # for openvswitch sockets > + /{,var/}run/openvswitch/** rw, A bit unfortunate and unexpected. What kind of probing does virt-aa-helper do on these?

-- Jamie Strandboge | http://www.canonical.com