Several cases were found needing /tmp, for example ceph will try to list /tmp and the samba feature of qemu will place things in /tmp/qemu-smb.*.

This is sort of safe because:
- While /tmp could contain anything it is not recommended to put critical data there anyway
- We restrict general access to only dir listing and reading of files owned (intentionally not the full power of user-tmp abstraction)
- While it would be hard to predict the PID as part of the string for the qemu smb feature (this is not exposed through XML so virt-aa-helper can't help) it is guarded by the "owner" statement and a pretty clear qemu-smb infix in the path.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>

--- examples/apparmor/libvirt-qemu | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 5caf14e418..c4f231b328 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -180,6 +180,16 @@ # for rbd /etc/ceph/ceph.conf r, + # various functions will need /tmp (e.g. ceph), allow the base dir and a + # few known functions. + # we want to avoid to give blanket read or even write to everything under /tmp + # so users are expected to add site specific addons for more uncommon cases. + # allow only dir listing and owner based file read + /{,var/}tmp/ r, + owner /{,var/}tmp/**/ r, + # allow qemu smb feature specific path with write access + owner /tmp/qemu-smb.*/{,**} rw, + # for file-posix getting limits since 9103f1ce /sys/devices/**/block/*/queue/max_segments r, -- 2.17.1
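Review bot: the comment "allow only dir listing and owner based file read" and the commit message ("reading of files owned") do not match the rule `owner /{,var/}tmp/**/ r,`: with the trailing slash the glob matches directories only, so this grants listing of owned subdirectories under /tmp and /var/tmp but no read access to any file there (that would need `owner /{,var/}tmp/** r,` without the trailing slash). Either the rule should be widened to match the stated intent, or the comment and commit message should be narrowed to say "owner based directory listing" so the profile documents what it actually permits; the narrower wording is the safer choice given the stated goal of avoiding blanket read under /tmp. The unrestricted `/{,var/}tmp/ r,` does expose the names of other users' entries in /tmp to the guest process, which is consistent with the ceph listing requirement but worth spelling out in the comment.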