[PATCH 3/8] apparmor: allow virt-aa-helper nameservices

Christian Ehrhardt christian.ehrhardt at canonical.com
Mon Aug 3 12:33:41 UTC 2020


For quite a while libvirt-aa-helper has triggered nss related apparmor
denials like:
 operation="open" profile="virt-aa-helper" name="/etc/nsswitch.conf"
 operation="open" profile="virt-aa-helper" name="/etc/host.conf"
 operation="open" profile="virt-aa-helper" name="/etc/resolv.conf"
 operation="open" profile="virt-aa-helper" name="/etc/hosts"

Rules to allow these have been in Debian [1] / Ubuntu [2] for quite a
while but do not seem to be specific to those distributions.

There can be many more reasons than one would think to inadvertently
use/trigger nameservices, as can be seen in the comments in
profiles/apparmor.d/abstractions/nameservice at [3].
The nameservices abstraction provides a nice and upgrade-safe
way to cover all of them.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882979
[2]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674
[3]: https://gitlab.com/apparmor/apparmor

Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
---
 src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index dd18c8ab89..dfc61e8de4 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -2,6 +2,7 @@
 
 profile virt-aa-helper @libexecdir@/virt-aa-helper {
   #include <abstractions/base>
+  #include <abstractions/nameservice>
 
   # needed for searching directories
   capability dac_override,
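Review bot: the added `#include <abstractions/nameservice>` grants the profile considerably more than read access to the four files the commit message lists (/etc/nsswitch.conf, /etc/host.conf, /etc/resolv.conf, /etc/hosts); the message itself says the abstraction is chosen to "cover all of them", i.e. every resolver-related path the abstraction enumerates, and the standard nameservice abstraction also carries network rules and reads of other NSS backends. Since virt-aa-helper is the component that generates the guest profiles, please state in the commit message that this broadening is deliberate, or, if only the observed denials are meant to be fixed, add explicit rules instead, e.g. `/etc/nsswitch.conf r,` and `/etc/resolv.conf r,` next to the existing `capability dac_override,` block so the grant stays minimal.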
-- 
2.27.0