On Tue, Mar 07, 2023 at 08:02:37PM +0100, Andrea Bolognani wrote:
> passt provides an AppArmor abstraction that covers all the
> inner details of its operation, so we can simply import that
> and add the libvirt-specific parts on top: namely, passt
> needs to be able to create a socket and pid file, while
> the libvirt daemon needs to be able to kill passt.
>
> Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx>
> Signed-off-by: Stefano Brivio <sbrivio@xxxxxxxxxx>
> ---
>  src/security/apparmor/libvirt-qemu | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
>
> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> index 9af1333b22..44056b5f14 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -185,6 +185,21 @@
>  /usr/{lib,lib64}/libswtpm_libtpms.so mr,
>  /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
>
> + # support for passt network back-end
> + /usr/bin/passt Cx -> passt,
> +
> + profile passt {
> + /usr/bin/passt r,
> +
> + signal (receive) set=("term") peer=/usr/sbin/libvirtd,
> + signal (receive) set=("term") peer=libvirtd,

What's the rationale for having both qualified & unqualified here,
but not below ?

> + signal (receive) set=("term") peer=virtqemud,
> +
> + owner /{,var/}run/libvirt/qemu/passt/* rw,
> +
> + include if exists <abstractions/passt>
> + }

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-   https://www.instagram.com/dberrange :|
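Review bot: the three `signal (receive)` rules in the `passt` child profile only admit `set=("term")`, while the commit message says the daemon "needs to be able to kill passt"; if libvirt ever sends anything other than SIGTERM to passt (for example as a follow-up when TERM is ignored), that signal will be denied by this profile, so either widen the set or state in the commit message that TERM is the only signal libvirt delivers. Also, `include if exists <abstractions/passt>` silently contributes nothing when the abstraction is not installed, and since the commit message says that abstraction covers "all the inner details" of passt's operation, the child profile would then confine passt to only the handful of rules above; worth a sentence in the commit message (or a comment next to the include) so that a confined passt failing on a host without `abstractions/passt` is recognised as a packaging gap rather than a profile bug.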