On Mon, 03 Aug 2020, Christian Ehrhardt wrote:

> Since [1] qemu can after upgrade fall back to pre-upgrade modules
> to still be able to dynamically load qemu-module based features.
>
> The paths for these modules are pre-defined by the code and should
> be allowed to be mapped and loaded from which will allow packagers
> avoiding the inability of late feature load [2] after package upgrades.
>
> [1]: https://github.com/qemu/qemu/commit/bd83c861
> [2]: https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1847361
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
> --- > src/security/apparmor/libvirt-qemu | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu > index 25eff20b82..c6f7149799 100644 > --- a/src/security/apparmor/libvirt-qemu > +++ b/src/security/apparmor/libvirt-qemu > @@ -168,6 +168,11 @@ > /usr/{lib,lib64}/qemu/*.so mr, > /usr/lib/@{multiarch}/qemu/*.so mr, > > + # let qemu load old shared objects after upgrades (LP: #1847361) > + /{var/,}run/qemu/*/*.so mr, > + # but explicitly deny writing to these files > + audit deny /{var/,}run/qemu/*/*.so w,
> +

+1 to apply

--
Jamie Strandboge | http://www.canonical.com
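Review bot: the comment above `audit deny /{var/,}run/qemu/*/*.so w,` says what the rule does but not why it is needed, given that nothing in this hunk grants `w` on that path. Since deny rules take precedence over allow rules, the intent is presumably to keep any broader allow rule elsewhere in the profile (or in an included per-domain file) from making the mapped objects writable by the confined qemu process; saying so in the comment would stop a later cleanup from dropping the line as redundant. The comment on the `mr` rule could also say what the single `*` directory component stands for and who populates it, because the profile grants `m` on everything matching the glob and only constrains qemu itself, so the integrity of those files depends on the directory's ownership and permissions outside AppArmor.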