On Mon, 14 Jan 2019, Jim Fehlig wrote: > Upstream apparmor is switching to named profiles. In short, > > /usr/sbin/dnsmasq { > > becomes > > profile dnsmasq /usr/sbin/dnsmasq { > > Consequently, any profiles that reference profiles in a peer= condition > need to be updated if the referenced profile switches to a named profile. > Apparmor commit 9ab45d81 switched dnsmasq to a named profile. ATM it is > the only named profile switch that has affected libvirt. Add rules to the > libvirtd profile to reference dnsmasq in peer= conditions by profile name. > > Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx> > --- > src/security/apparmor/usr.sbin.libvirtd | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd > index f0ffc53008..0db52c524c 100644 > --- a/src/security/apparmor/usr.sbin.libvirtd > +++ b/src/security/apparmor/usr.sbin.libvirtd > @@ -52,9 +52,11 @@ > > ptrace (read,trace) peer=unconfined, > ptrace (read,trace) peer=/usr/sbin/libvirtd, > + ptrace (read,trace) peer=dnsmasq, > ptrace (read,trace) peer=/usr/sbin/dnsmasq, > ptrace (read,trace) peer=libvirt-*, > > + signal (send) peer=dnsmasq, > signal (send) peer=/usr/sbin/dnsmasq, > signal (read, send) peer=libvirt-*, > signal (send) set=("kill", "term") peer=unconfined, This LGTM. -- Jamie Strandboge | http://www.canonical.com
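Review bot: the two added rules in the `@@ -52,9 +52,11 @@` hunk, `ptrace (read,trace) peer=dnsmasq,` and `signal (send) peer=dnsmasq,`, sit next to the existing `peer=/usr/sbin/dnsmasq` rules with nothing in the profile explaining why both forms are present. Suggest a one-line comment above each pair saying that `dnsmasq` matches the named profile and `/usr/sbin/dnsmasq` is kept for apparmor versions where the profile is still named by its path, so the path-based rules can later be dropped on purpose rather than left behind. The diffstat shows only usr.sbin.libvirtd changed, so it is also worth confirming that no other libvirt profile carries a `peer=/usr/sbin/dnsmasq` condition that needs the same addition.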
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list