Guests should be allowed to create hard links on mounted pathes, since many applications rely on this functionality and would error on guest with current "rw" AppArmor permission with 9pfs. Signed-off-by: Christian Schoenebeck <qemu_oss@xxxxxxxxxxxxx> --- src/security/virt-aa-helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 12429278fb..5a6f4a5f7d 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1142,7 +1142,7 @@ get_files(vahControl * ctl) /* We don't need to add deny rw rules for readonly mounts, * this can only lead to troubles when mounting / readonly. */ - if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rw", true) != 0) + if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rwl", true) != 0) goto cleanup; } } -- 2.20.1