On Mon, 03 Aug 2020, Christian Ehrhardt wrote: > From: Serge Hallyn <serge.hallyn@xxxxxxxxxx> > > Chardevs/sockets configured for openvswitch-dpdk use cases > might be probed by virt-aa-helper. Allow that access to enable > virt-aa-helper rendering per-guest rules for the actual qemu > guest accessing these sockets eventually. > > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> > Signed-off-by: Stefan Bader <stefan.bader@xxxxxxxxxxxxx> > Signed-off-by: Serge Hallyn <serge.hallyn@xxxxxxxxxx> > --- > src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in > index 3f204799a6..877cb04b1e 100644 > --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in > +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in > @@ -46,6 +46,9 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { > @sysconfdir@/apparmor.d/libvirt/* r, > @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, > > + # for openvswitch sockets > + /{,var/}run/openvswitch/** rw, A bit unfortunate and unexpected. What kind of probing does virt-aa-helper do on these? -- Jamie Strandboge | http://www.canonical.com
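Review bot: the added rule `/{,var/}run/openvswitch/** rw,` grants virt-aa-helper read and write access to everything under the openvswitch run directory, while the commit message only says these sockets "might be probed" and the in-profile comment says only "for openvswitch sockets". If the helper only inspects the configured chardev path in order to render the per-guest rule, consider dropping `w` and keeping `r`; if write access is really required, the comment should name the operation that needs it. Consider also whether `**` can be narrowed to the socket paths that are actually used, rather than the whole directory tree.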