On Mon, 03 Aug 2020, Christian Ehrhardt wrote: > From: Stefan Bader <stefan.bader@xxxxxxxxxxxxx> > > temporary directories are a common place images are placed by users > for any sort of quick evaluation. Allow virt-aa-helper access to tmp > via the existing user-tmp apparmor abstraction. > > That way if a guest definition has paths in temporary directories > virt-aa-helper can properly probe them e.g. for further backing files in > the case of qcow2. > > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> > --- > src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in > index dfc61e8de4..3f204799a6 100644 > --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in > +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in > @@ -3,6 +3,7 @@ > profile virt-aa-helper @libexecdir@/virt-aa-helper { > #include <abstractions/base> > #include <abstractions/nameservice> > + #include <abstractions/user-tmp> user-tmp allows write and all other accesses for disks are read. We have these rules: /**.img r, /**.raw r, /**.qcow{,2} r, /**.qed r, /**.vmdk r, /**.vhd r, /**.[iI][sS][oO] r, /**/disk{,.*} r, Why are these not sufficient? What was the denial that triggered the issue? -- Jamie Strandboge | http://www.canonical.com
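Review bot: The added `#include <abstractions/user-tmp>` in the virt-aa-helper profile hunk widens the profile beyond what the commit message justifies: as the reply points out, user-tmp grants write access under /tmp and /var/tmp, while every other disk-image rule in this profile (`/**.img r,`, `/**.qcow{,2} r,`, `/**.vmdk r,` and so on) is read-only, and since `/**` already matches paths under /tmp, those rules already cover images with a recognised extension in temporary directories. Before pulling in a read-write abstraction, the commit message should quote the actual AppArmor denial that motivated the change (which path and which access mode were refused), and if the real gap is only an image without one of the listed extensions, a narrower read-only rule for the specific pattern under /tmp and /var/tmp would be the better fix. Minor: the patch carries `From: Stefan Bader` but only Christian's Signed-off-by, so the original author's sign-off appears to be missing, and the commit message body starts in lower case ("temporary directories ...").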