Tried previously in
commit b1eb8b3e8fd1d4cb1da8e5e2b16f2c10837fd823
Author: Andrea Bolognani <abologna@redhat.com>
Date: Mon Aug 19 10:23:42 2019 +0200
virt-aa-helper: Fix AppArmor profile
v5.6.0-243-gb1eb8b3e8f
with somewhat disappointing results.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
---
src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
index d81dddef30..64772f0756 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -18,8 +18,8 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
@{PROC}/filesystems r,
# Used when internally running another command (namely apparmor_parser)
- @{PROC}/self/fd r,
- @{PROC}/@{pid}/fd r,
+ @{PROC}/self/fd/ r,
+ @{PROC}/@{pid}/fd/ r,
/etc/libnl-3/classid r,
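Review bot: the new `@{PROC}/self/fd/ r,` line is redundant with the `@{PROC}/@{pid}/fd/ r,` line directly below it: /proc/self is a magic symlink that AppArmor resolves to /proc/<pid> before matching the rule, so the @{pid} rule already covers every access the self rule could, and the self rule can be dropped (the same was true of the old `@{PROC}/self/fd r,` it replaces). The trailing slash is the actual fix here: AppArmor matches a directory as a path ending in '/', so `@{PROC}/@{pid}/fd r,` only ever matched a file named fd and never the directory listing that the code running apparmor_parser reads. That reasoning belongs in the commit message, which at present only says the previous attempt had disappointing results.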
--
2.21.0
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
On Tue, Aug 20, 2019 at 09:56:26AM +0200, Andrea Bolognani wrote:
> Tried previously in
>
>   commit b1eb8b3e8fd1d4cb1da8e5e2b16f2c10837fd823
>   Author: Andrea Bolognani <abologna@redhat.com>
>   Date:   Mon Aug 19 10:23:42 2019 +0200
>
>       virt-aa-helper: Fix AppArmor profile
>
>   v5.6.0-243-gb1eb8b3e8f
>
> with somewhat disappointing results.
>

Third time's the charm!

> Signed-off-by: Andrea Bolognani <abologna@redhat.com>
> ---
>  src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano
On Tue, 20 Aug 2019, Andrea Bolognani wrote:

> --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
> +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
> @@ -18,8 +18,8 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
>  @{PROC}/filesystems r,
>
>  # Used when internally running another command (namely apparmor_parser)
> - @{PROC}/self/fd r,
> - @{PROC}/@{pid}/fd r,
> + @{PROC}/self/fd/ r,

/proc/self is a 'magic symlink' and apparmor will resolve symlinks
before performing checks. As such, @{PROC}/self/fd/ is redundant with
the next rule.

> + @{PROC}/@{pid}/fd/ r,

This access LGTM. +1 to apply.

--
Jamie Strandboge | http://www.canonical.com
On Tue, 2019-08-20 at 12:09 -0500, Jamie Strandboge wrote:
> On Tue, 20 Aug 2019, Andrea Bolognani wrote:
> >  # Used when internally running another command (namely apparmor_parser)
> > + @{PROC}/self/fd/ r,
>
> /proc/self is a 'magic symlink' and apparmor will resolve symlinks
> before performing checks. As such, @{PROC}/self/fd/ is redundant with
> the next rule.
>
> > + @{PROC}/@{pid}/fd/ r,
>
> This access LGTM. +1 to apply.

Well, it's already been merged:

  https://libvirt.org/git/?p=libvirt.git;a=commit;h=9c2446ed4a81450f6482f259f9a0cf720cb0e423

I'll post a patch removing the unnecessary rule.

--
Andrea Bolognani / Red Hat / Virtualization
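The two points the thread turns on, shown in code as an added example that is not libvirt's code nor part of the original thread: the `/proc/self` magic symlink resolves to the caller's own `/proc/<pid>` (so a profile rule on `@{PROC}/self/...` adds nothing over `@{PROC}/@{pid}/...`), and "running another command" means listing the `/proc/<pid>/fd/` directory to find inherited descriptors to close, which is a read on the directory itself and therefore needs the trailing slash in the AppArmor rule. The `close_fds_from()` helper below is my own simplified version of that pattern and assumes a Linux host with procfs mounted at `/proc`; it is not `virt-aa-helper`'s implementation.

```c
/* Added example, not libvirt code. Assumes Linux with /proc mounted. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Resolve the /proc/self magic symlink and return the pid it names, or -1.
 * The kernel resolves it to /proc/<pid> of the calling process, which is
 * why an AppArmor rule on @{PROC}/self/... never matches anything that a
 * rule on @{PROC}/@{pid}/... does not already cover. */
pid_t proc_self_pid(void)
{
    char buf[32];
    ssize_t n = readlink("/proc/self", buf, sizeof(buf) - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    char *end;
    long pid = strtol(buf, &end, 10);
    if (*end != '\0' || pid <= 0)
        return -1;
    return (pid_t)pid;
}

/* Close every fd >= first_fd except keep_fd, discovering them by listing
 * /proc/self/fd/. readdir() on that path is a read of the directory, so the
 * profile must allow "@{PROC}/@{pid}/fd/ r," (trailing slash), not the file
 * pattern "@{PROC}/@{pid}/fd r,". Entries are collected first and closed
 * afterwards so that closing never disturbs the directory walk in progress.
 * Returns the number of fds closed, or -1 (errno set) on failure. */
int close_fds_from(int first_fd, int keep_fd)
{
    enum { MAX_FDS = 4096 };
    int fds[MAX_FDS];
    int count = 0;

    DIR *d = opendir("/proc/self/fd/");
    if (!d)
        return -1;
    int dfd = dirfd(d);          /* the directory handle itself must survive the walk */
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.')
            continue;
        char *end;
        long fd = strtol(e->d_name, &end, 10);
        if (*end != '\0' || fd < first_fd || fd == dfd || fd == keep_fd)
            continue;
        if (count == MAX_FDS) {
            closedir(d);
            errno = ENOMEM;
            return -1;
        }
        fds[count++] = (int)fd;
    }
    closedir(d);

    int closed = 0;
    for (int i = 0; i < count; i++)
        if (close(fds[i]) == 0)
            closed++;
    return closed;
}

/* fcntl(F_GETFD) fails with EBADF on a closed descriptor. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Constructed scenario: a pipe stands in for descriptors inherited from the
 * parent. Only the write end is kept, as a child would keep the fd it talks
 * on before exec'ing apparmor_parser. Returns 0 on success, -1 otherwise. */
int demo(void)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;
    int closed = close_fds_from(p[0], p[1]);
    int ok = closed >= 1 && !fd_is_open(p[0]) && fd_is_open(p[1]);
    close(p[1]);
    return ok ? 0 : -1;
}

int main(void)
{
    printf("/proc/self -> %ld, getpid() = %ld\n",
           (long)proc_self_pid(), (long)getpid());
    printf("fd cleanup via /proc/self/fd/: %s\n", demo() == 0 ? "ok" : "FAILED");
    return 0;
}
```

Under a profile that grants only `@{PROC}/@{pid}/fd r,` the `opendir()` in `close_fds_from()` is the call that gets denied; with the trailing-slash rule it succeeds, and a separate `@{PROC}/self/fd/` rule is never consulted because the kernel has already rewritten the path to `/proc/<pid>/fd/` by the time AppArmor matches it.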
© 2016 - 2024 Red Hat, Inc.