[PATCH V3 1/2] Apparmor: Add profile for virtqemud

Jim Fehlig jfehlig at suse.com
Fri Jun 25 17:17:03 UTC 2021 

On 6/25/21 5:19 AM, Christian Boltz wrote:
> Hello,
> 
> [please CC me in replies]
> 
> Your updated patches still look good, I just noticed something that is
> probably minor nitpicking:
> 
> Am Donnerstag, 24. Juni 2021, 22:48:58 CEST schrieb Jim Fehlig:
> [...]
>> +  signal (send) set=("kill", "term") peer=unconfined,
> [...]
>> +  signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,
> 
> The quotes around the signal names are superfluous. You can simply use
>      set=(kill, term)
>      set=(term)
> 
> Actually the parenthesis are optional if there's only a single signal
> mentioned, so you could also use
>      set=term
> (keeping the parenthesis for consistency with other rules is also fine)
> 
> 
> There are several signal rules with superfluous quotes in this patch,
> and also one in the 2/2 patch.
> 
> (There's no need to re-send the patch for such a minor change IMHO.)

Thanks. I've squashed the below diff into my local branch (along with a similar 
change to the one instance in 2/2).

Regards,
Jim

diff --git a/src/security/apparmor/usr.sbin.virtqemud.in 
b/src/security/apparmor/usr.sbin.virtqemud.in
index 2d16ea821d..3de03d49fc 100644
--- a/src/security/apparmor/usr.sbin.virtqemud.in
+++ b/src/security/apparmor/usr.sbin.virtqemud.in
@@ -62,11 +62,11 @@ profile virtqemud @sbindir@/virtqemud 
flags=(attach_disconnected) {
    signal (send) peer=dnsmasq,
    signal (send) peer=/usr/sbin/dnsmasq,
    signal (read, send) peer=libvirt-*,
-  signal (send) set=("kill", "term") peer=unconfined,
+  signal (send) set=(kill, term) peer=unconfined,

    # For communication/control to qemu-bridge-helper
    unix (send, receive) type=stream addr=none 
peer=(label=libvirtd//qemu_bridge_helper),
-  signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,
+  signal (send) set=(term) peer=libvirtd//qemu_bridge_helper,

    # allow connect with openGraphicsFD, direction reversed in newer versions
    unix (send, receive) type=stream addr=none 
peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
@@ -123,7 +123,7 @@ profile virtqemud @sbindir@/virtqemud 
flags=(attach_disconnected) {

     # For communication/control from virtqemud
     unix (send, receive) type=stream addr=none peer=(label=virtqemud),
-   signal (receive) set=("term") peer=virtqemud,
+   signal (receive) set=(term) peer=virtqemud,

     /dev/net/tun rw,
     /etc/qemu/** r,

More information about the libvir-list mailing list