On Tue, Mar 07, 2023 at 07:04:25PM +0000, Daniel P. Berrangé wrote:
> On Tue, Mar 07, 2023 at 08:02:37PM +0100, Andrea Bolognani wrote:
> > + # support for passt network back-end
> > + /usr/bin/passt Cx -> passt,
> > +
> > + profile passt {
> > + /usr/bin/passt r,
> > +
> > + signal (receive) set=("term") peer=/usr/sbin/libvirtd,
> > + signal (receive) set=("term") peer=libvirtd,
>
> What's the rationale for having both qualified & unqualified
> here, but not below ?

Cargo cult. That's what the top-level profile does, so I figured it
would be good enough for the subprofile too.

I've seen stuff like peer=(label=libvirtd) as well, but I haven't
investigated the various notations and how exactly they differ.

There's plenty of room for improvement in the AppArmor profile in
general, but that's a task for another day :)

--
Andrea Bolognani / Red Hat / Virtualization
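
Review bot: the two signal (receive) rules in profile passt differ only in the peer value (peer=/usr/sbin/libvirtd and peer=libvirtd), and nothing in the hunk says why both are needed. Add a comment above them stating which libvirtd profile name each form is meant to match, or keep only the form that applies, and use the same choice for the rules further down that the question above refers to, so the subprofile is consistent about how it names its peer.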