openkylin
/
libvirt
mirror of https://gitee.com/openkylin/libvirt.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

apparmor: add rules to use qemu_bridge_helper 

Due to mediation of socket and signal activity currently qemu:///session
connections calling qemu_bridge_helper fail.

We need the profile for libvirtd itself and the subprofile for
qemu-bridge-helper to be able to talk/notify to each other via unix socket and
signals.

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1754871

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Acked-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
Christian Ehrhardt 2018-04-09 08:24:19 +02:00
parent 0d7c9fa679
commit 6a9bdf3f25
No known key found for this signature in database
GPG Key ID: BA3E29338280B242
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
examples/apparmor/usr.sbin.libvirtd
View File

@ -65,6 +65,10 @@
signal (read, send) peer=libvirt-*,
signal (send) set=("kill", "term") peer=unconfined,
# For communication/control to qemu-bridge-helper
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
signal (send) set=("term") peer=/usr/sbin/libvirtd//qemu_bridge_helper,
# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
/ r,
@ -112,6 +116,10 @@
network inet stream,
# For communication/control from libvirtd
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
signal (receive) set=("term") peer=/usr/sbin/libvirtd,
/dev/net/tun rw,
/etc/qemu/** r,
owner @{PROC}/*/status r,