[libvirt] [PATCH v2 2/2] security: aa-helper: generate more rules for gl devices
Christian Ehrhardt
christian.ehrhardt at canonical.com
Mon Feb 25 07:59:22 UTC 2019
On Fri, Feb 22, 2019 at 2:42 PM Jamie Strandboge <jamie at canonical.com> wrote:
>
> On Mon, 18 Feb 2019, Christian Ehrhardt wrote:
> > + virBufferAddLit(&buf, " \"/usr/lib{,32,64}/dri/**.so\" mr,\n");
> > + virBufferAddLit(&buf, " \"/usr/lib/@{multiarch}/dri/**.so\" mr,\n");
> > + virBufferAddLit(&buf, " \"/usr/lib/fglrx/dri/**.so\" mr,\n");
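
Review bot: the `**.so` glob used in all three added rules is wider than a driver directory needs in one direction and narrower in another. In AppArmor globbing `**` also matches `/`, so `mr` is granted on any `.so` at any depth below `dri/`, while a pattern that ends in `.so` does not cover versioned names such as `foo.so.1`. Consider `dri/*.so*` instead, unless a nested layout under `dri/` is known to exist.
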
>
> I'm sorry I think I wasn't clear on how to add in the .so files. I suggest:

At least I didn't make it up - I asked on apparmor channels and this
is what I got :-)

> virBufferAddLit(&buf, " \"/usr/lib{,32,64}/dri/*.so*\" mr,\n");
> virBufferAddLit(&buf, " \"/usr/lib/@{multiarch}/dri/*.so*\" mr,\n");
> virBufferAddLit(&buf, " \"/usr/lib/fglrx/dri/*.so*\" mr,\n");
> This is slightly futureproofed with the trailing '*'. On my system, the '**'
> wasn't needed, but if you observe systems where it is, feel free to keep it.

I checked through all of Debian/Ubuntu with apt-file and found no
cases that really need the **.
Thereby I'll take your suggestion and push it (after another round of
safety builds) with your ack (as all else was already fine).

> The other parts of this patch looked fine.
>
> --
> Jamie Strandboge | http://www.canonical.com
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
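
The difference between the two glob forms discussed in this thread, as an added example that is not part of the original messages or of libvirt: a simplified Python model of AppArmor path globbing applied to both rules. The sample paths are constructed, and the value of `@{multiarch}` is assumed to be the one from AppArmor's tunables/multiarch.

```python
import re

# Assumption: @{multiarch} as defined in AppArmor's tunables/multiarch.
VARS = {"multiarch": "*-linux-gnu*"}

def aa_glob_to_regex(glob):
    """Simplified model of AppArmor path globs: '*' stays within one path
    component, '**' may cross '/', plus '?', '{a,b}' and @{var}."""
    for name, value in VARS.items():
        glob = glob.replace("@{%s}" % name, value)
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

def allowed(glob, path):
    """True if the rule's path glob covers the whole path."""
    return aa_glob_to_regex(glob).fullmatch(path) is not None

V2_RULE = "/usr/lib/@{multiarch}/dri/**.so"        # as posted in v2
REVIEWED_RULE = "/usr/lib/@{multiarch}/dri/*.so*"  # as suggested in review

# Constructed sample paths, not taken from a real package listing.
SAMPLES = [
    "/usr/lib/x86_64-linux-gnu/dri/example_dri.so",
    "/usr/lib/x86_64-linux-gnu/dri/example_dri.so.1.0",
    "/usr/lib/x86_64-linux-gnu/dri/nested/dir/example.so",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(allowed(V2_RULE, p), allowed(REVIEWED_RULE, p), p)
```

Only the first path is covered by both rules; the versioned name is covered only by the reviewed form, and the nested path only by the `**` form.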