On Tue, 20 Aug 2019, Andrea Bolognani wrote: > --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper > +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper > @@ -18,8 +18,8 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { > @{PROC}/filesystems r, > > # Used when internally running another command (namely apparmor_parser) > - @{PROC}/self/fd r, > - @{PROC}/@{pid}/fd r, > + @{PROC}/self/fd/ r, /proc/self is a 'magic symlink' and apparmor will resolve symlinks before performing checks. As such, @{PROC}/self/fd/ is redundant with the next rule. > + @{PROC}/@{pid}/fd/ r, This access LGTM. +1 to apply. -- Jamie Strandboge | http://www.canonical.com
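Review bot: the added `@{PROC}/self/fd/ r,` line in the `profile virt-aa-helper` hunk is redundant once `@{PROC}/@{pid}/fd/ r,` is present, because /proc/self is resolved to the numeric pid path before the rule is checked, as the reply above points out. A v2 could drop the `self` rule and keep only the `@{pid}` one. The comment above the two rules ("Used when internally running another command") could also mention that the trailing slash is deliberate: in AppArmor a path ending in `/` matches the directory itself, so these rules permit listing the fd directory, and a later cleanup should not strip the slash again.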
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list