[PATCH 7/8] apparmor: allow virt-aa-helper to read openvswitch sockets
Christian Ehrhardt
christian.ehrhardt at canonical.com
Mon Aug 3 12:33:45 UTC 2020
From: Serge Hallyn <serge.hallyn at ubuntu.com>
Chardevs/sockets configured for openvswitch-dpdk use cases
might be probed by virt-aa-helper. Allow that access to enable
virt-aa-helper rendering per-guest rules for the actual qemu
guest accessing these sockets eventually.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index 3f204799a6..877cb04b1e 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -46,6 +46,9 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
@sysconfdir@/apparmor.d/libvirt/* r,
@sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+ # for openvswitch sockets
+ /{,var/}run/openvswitch/** rw,
+
# for backingstore -- allow access to non-hidden files in @{HOME} as well
# as storage pools
audit deny @{HOME}/.* mrwkl,
--
2.27.0
More information about the libvir-list
mailing list