On Mon, 14 Jan 2019, Jim Fehlig wrote:
> Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx>
> ---
>
> Optional patch that may need a bit of coordination with upstream apparmor
> since the dnsmasq profile currently has 'peer=/usr/sbin/libvirtd'.
>
> src/security/apparmor/usr.sbin.libvirtd | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd
> index 0db52c524c..29f9936ad9 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd
> +++ b/src/security/apparmor/usr.sbin.libvirtd
> @@ -2,7 +2,7 @@
> #include <tunables/global>
> @{LIBVIRT}="libvirt"
>
> -/usr/sbin/libvirtd flags=(attach_disconnected) {
> +profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
> #include <abstractions/base>
> #include <abstractions/dbus>
>
> @@ -51,7 +51,7 @@
> unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
>
> ptrace (read,trace) peer=unconfined,
> - ptrace (read,trace) peer=/usr/sbin/libvirtd,
> + ptrace (read,trace) peer=@{profile_name},
> ptrace (read,trace) peer=dnsmasq,
> ptrace (read,trace) peer=/usr/sbin/dnsmasq,
> ptrace (read,trace) peer=libvirt-*,
> @@ -123,6 +123,7 @@
> # For communication/control from libvirtd
> unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
> signal (receive) set=("term") peer=/usr/sbin/libvirtd,
> + signal (receive) set=("term") peer=libvirtd,
>
> /dev/net/tun rw,
> /etc/qemu/** r,

This also LGTM. It'd be nice if there was a mechanism to specify the parent profile like we can the current profile, but we can't now and this is fine.

--
Jamie Strandboge | http://www.canonical.com
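Review bot: the first hunk's switch to `profile libvirtd /usr/sbin/libvirtd` changes the label that other profiles match on from the path `/usr/sbin/libvirtd` to the name `libvirtd`, so the upstream dnsmasq profile's existing `peer=/usr/sbin/libvirtd` rule (called out in the commit message) stops matching the moment this profile is loaded, until dnsmasq gains a `peer=libvirtd` counterpart. A short comment above the `profile` line recording that dependency, or landing both changes together, would keep anyone who picks up only this side from getting a silent denial.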
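Review bot: the third hunk duplicates the `signal (receive) set=("term")` rule with `peer=libvirtd` but leaves the `unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),` rule directly above it untouched, so once the parent carries the `libvirtd` label the termination signal is permitted while the control-socket traffic the comment describes is not. Add the matching variant, `unix (send, receive) type=stream addr=none peer=(label=libvirtd),`, or, if the path-based label is meant to go away, drop both `/usr/sbin/libvirtd` rules in the same change rather than leaving the two mechanisms out of step.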
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list