On Mon, 16 Sep 2019, Chris Coulson wrote: > The AppArmor profile generated by virt-aa-helper is too strict for swtpm. > This change contains 2 small fixes: > - Relax append access to swtpm's log file to permit write access instead. > Append access is insufficient because the log is opened with O_CREAT. > - Permit swtpm to acquire a lock on its lock file. > --- > src/security/virt-aa-helper.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c > index 326cfaf52a..3d7cc32459 100644 > --- a/src/security/virt-aa-helper.c > +++ b/src/security/virt-aa-helper.c > @@ -1238,10 +1238,10 @@ get_files(vahControl * ctl) > * directory, log, and PID files. > */ > virBufferAsprintf(&buf, > - " \"%s/lib/libvirt/swtpm/%s/%s/**\" rw,\n", > + " \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n", > LOCALSTATEDIR, uuidstr, tpmpath); > virBufferAsprintf(&buf, > - " \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" a,\n", > + " \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" w,\n", > LOCALSTATEDIR, ctl->def->name); > virBufferAsprintf(&buf, > " \"%s/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n", LGTM. +1 to apply -- Jamie Strandboge | http://www.canonical.com
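Review bot: On the swtpm log rule, replacing "a" with "w" drops the append-only restriction, so the confined swtpm process may now truncate or overwrite earlier entries in %s-swtpm.log, and nothing in the code records that trade-off. The commit message gives the reason (the log is opened with O_CREAT); putting that reason in the comment above these rules would keep the permission from being tightened back or widened further by accident. On the state directory rule, "k" is added to the "/**" glob, which permits locking every file under the per-VM swtpm directory, while the commit message only asks for swtpm's lock file; if the lock file has a fixed name, a separate rule for that one path carrying "k" would keep the grant minimal. The comment above still lists only "directory, log, and PID files" and should mention the lock file as well.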
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list