On Thu, 12 Nov 2009, Jamie Strandboge wrote:
> 3_aa_deny_write_to_readonly.patch:
> Suppress confusing and misleading apparmor denied message when kvm/qemu
> tries to open a libvirt specified readonly file (such as a cdrom) with
> write permissions. libvirt uses the readonly attribute for the security
> driver only, and has no way of telling kvm/qemu that the device should
> be opened readonly. This fixes https://launchpad.net/bugs/453335.
> -- Jamie Strandboge | http://www.canonical.com
diff -Naurp libvirt.orig/src/security/virt-aa-helper.c libvirt/src/security/virt-aa-helper.c --- libvirt.orig/src/security/virt-aa-helper.c 2009-11-06 17:05:12.000000000 -0600 +++ libvirt/src/security/virt-aa-helper.c 2009-11-06 17:06:48.000000000 -0600 @@ -755,6 +755,10 @@ vah_add_file(virBufferPtr buf, const cha } virBufferVSprintf(buf, " \"%s\" %s,\n", tmp, perms); + if (readonly) { + virBufferVSprintf(buf, " # don't audit writes to readonly media\n"); + virBufferVSprintf(buf, " deny \"%s\" w,\n", tmp); + } clean: free(tmp);
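Review bot: The `deny "%s" w,` rule emitted inside the new `if (readonly)` block does more than suppress the audit message, and neither the emitted profile comment nor a source comment says so. In AppArmor an explicit deny takes precedence over any allow rule for the same path, so if the same file is also added with write permission elsewhere in the generated profile (for example the same image attached to a second device without the readonly attribute), the guest loses write access to it. Please either document that precedence in the comment written to the profile, or skip the deny rule when the path is also granted `w` elsewhere. As a smaller style point, the comment line passes no format arguments, so `virBufferAddLit` fits better than `virBufferVSprintf` there.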
-- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list