QEMU working in vhost-user mode communicates with the other end (i.e. some virtual router application) via unix domain sockets. This requires that permissions for the socket files are correctly written into /etc/apparmor.d/libvirt/libvirt-UUID.files. Signed-off-by: Michal Dubiel <md(a)semihalf.com&gt; --- src/security/virt-aa-helper.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 35423b5..a097aa6 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -592,19 +592,9 @@ valid_path(const char *path, const bool readonly) if (!virFileExists(path)) { vah_warning(_("path does not exist, skipping file type checks")); - } else { - if (stat(path, &sb) == -1) + } else if (stat(path, &sb) == -1) return -1; - switch (sb.st_mode & S_IFMT) { - case S_IFSOCK: - return 1; - break; - default: - break; - } - } - opaths = sizeof(override)/sizeof(*(override)); npaths = sizeof(restricted)/sizeof(*(restricted)); @@ -1101,6 +1091,18 @@ get_files(vahControl * ctl) } } + for (i = 0; i < ctl->def->nnets; i++) { + if (ctl->def->nets[i] && + ctl->def->nets[i]->type == VIR_DOMAIN_NET_TYPE_VHOSTUSER && + ctl->def->nets[i]->data.vhostuser) { + virDomainChrSourceDefPtr vhu = ctl->def->nets[i]->data.vhostuser; + + if (vah_add_file_chardev(&buf, vhu->data.nix.path, "rw", + vhu->type) != 0) + goto cleanup; + } + } + if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) { for (i = 0; i < ctl->def->nnets; i++) { virDomainNetDefPtr net = ctl->def->nets[i]; -- 1.9.1