[libvirt] [PATCH] virt-aa-helper: Drop unnecessary AppArmor rule

git fetch https://github.com/patchew-project/libvirt tags/patchew/20190821074501.27990-1-abologna@redhat.com
Posted by Andrea Bolognani 6 years, 5 months ago
Apparently /proc/self is automatically converted to /proc/@{pid}
before checking rules, which makes spelling it out explicitly
redundant.

Suggested-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
---
 src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
index 64772f0756..11e9c039ca 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -18,7 +18,6 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
   @{PROC}/filesystems r,
 
   # Used when internally running another command (namely apparmor_parser)
-  @{PROC}/self/fd/ r,
   @{PROC}/@{pid}/fd/ r,
 
   /etc/libnl-3/classid r,
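Review bot: Dropping `-  @{PROC}/self/fd/ r,` is only correct because AppArmor matches file rules against the kernel-resolved path and `/proc/self` is a symlink to `/proc/<pid>`, so the surviving `@{PROC}/@{pid}/fd/ r,` is the rule that has been granting this access all along; since the commit message hedges with "apparently", the message should state that resolution explicitly, and the change should be confirmed on a confined host by exercising the apparmor_parser path named in the comment and checking the audit log shows no DENIED on `/proc/<pid>/fd/`.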
-- 
2.21.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
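The commit message's claim is that the path AppArmor checks is not the string the program opened but the path the kernel resolved it to. The following C program is an added example, not libvirt code and not part of the thread: it opens `/proc/self/fd/` the way a helper about to exec another command does, reads back the kernel's recorded path for that open file, and checks it against a simplified matcher for the retained rule `@{PROC}/@{pid}/fd/ r,`. The helper names (`resolved_path_of`, `self_fd_resolves_to_own_pid`, `matches_proc_pid_fd_rule`, `count_inherited_fds`) are this example's own, and the `@{pid}` matcher is an assumption (digits with no leading zero, count unbounded) rather than AppArmor's exact pattern. It assumes Linux with `/proc` mounted.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Open `path` and ask the kernel what path it recorded for the open file.
 * That recorded path is symlink-free, and it is the string AppArmor's
 * file rules are matched against. Returns 0 on success, -1 on error.
 */
int resolved_path_of(const char *path, char *out, size_t outlen)
{
    char link[64];
    ssize_t n;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);

    if (fd < 0)
        return -1;
    snprintf(link, sizeof(link), "/proc/self/fd/%d", fd);
    n = readlink(link, out, outlen - 1);
    close(fd);
    if (n < 0)
        return -1;
    out[n] = '\0';
    return 0;
}

/* 1 if opening /proc/self/fd yields the kernel path /proc/<our pid>/fd. */
int self_fd_resolves_to_own_pid(void)
{
    char got[PATH_MAX], want[64];

    if (resolved_path_of("/proc/self/fd", got, sizeof(got)) != 0)
        return 0;
    snprintf(want, sizeof(want), "/proc/%ld/fd", (long)getpid());
    return strcmp(got, want) == 0;
}

/*
 * Simplified matcher for the profile rule `@{PROC}/@{pid}/fd/ r,`:
 * @{PROC} is /proc, @{pid} is a numeric pattern (first digit 1-9).
 * ASSUMPTION: real AppArmor bounds the digit count; this one does not.
 * "/proc/self/fd" does NOT match, which is fine: AppArmor never sees it.
 */
int matches_proc_pid_fd_rule(const char *resolved)
{
    const char *p = resolved;

    if (strncmp(p, "/proc/", 6) != 0)
        return 0;
    p += 6;
    if (*p < '1' || *p > '9')
        return 0;
    while (*p >= '0' && *p <= '9')
        p++;
    return strcmp(p, "/fd") == 0;
}

/*
 * The access the rule exists for: before exec'ing another command, walk
 * our own fd table via /proc/self/fd/ to find inherited descriptors.
 * Returns how many fds above stderr are open (excluding the DIR's own fd),
 * or -1 if /proc is unavailable.
 */
int count_inherited_fds(void)
{
    DIR *d = opendir("/proc/self/fd");
    struct dirent *e;
    int own, count = 0;

    if (!d)
        return -1;
    own = dirfd(d);
    while ((e = readdir(d)) != NULL) {
        char *end;
        long fd = strtol(e->d_name, &end, 10);

        if (end == e->d_name || *end != '\0')
            continue;               /* "." and ".." */
        if (fd > STDERR_FILENO && fd != own)
            count++;
    }
    closedir(d);
    return count;
}

int main(void)
{
    char buf[PATH_MAX];

    if (resolved_path_of("/proc/self/fd", buf, sizeof(buf)) != 0) {
        perror("open /proc/self/fd");
        return 1;
    }
    printf("opened /proc/self/fd, kernel path: %s\n", buf);
    printf("matches @{PROC}/@{pid}/fd/ : %s\n",
           matches_proc_pid_fd_rule(buf) ? "yes" : "no");
    printf("literal /proc/self/fd would match: %s\n",
           matches_proc_pid_fd_rule("/proc/self/fd") ? "yes" : "no");
    printf("inherited fds above stderr: %d\n", count_inherited_fds());
    return 0;
}
```

The point the output makes is that the kernel path for the directory opened as `/proc/self/fd` already reads `/proc/<pid>/fd`, so a rule spelled with `self` has nothing to match against, while the `@{pid}` rule does.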
Re: [libvirt] [PATCH] virt-aa-helper: Drop unnecessary AppArmor rule
Posted by Martin Kletzander 6 years, 5 months ago
On Wed, Aug 21, 2019 at 09:45:01AM +0200, Andrea Bolognani wrote:
>Apparently /proc/self is automatically converted to /proc/@{pid}
>before checking rules, which makes spelling it out explicitly
>redundant.
>

Because it is usually a symlink.

Reviewed-by: Martin Kletzander <mkletzan@redhat.com>

>Suggested-by: Jamie Strandboge <jamie@canonical.com>
>Signed-off-by: Andrea Bolognani <abologna@redhat.com>
>---
> src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 1 -
> 1 file changed, 1 deletion(-)
>
>diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
>index 64772f0756..11e9c039ca 100644
>--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
>+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
>@@ -18,7 +18,6 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
>   @{PROC}/filesystems r,
>
>   # Used when internally running another command (namely apparmor_parser)
>-  @{PROC}/self/fd/ r,
>   @{PROC}/@{pid}/fd/ r,
>
>   /etc/libnl-3/classid r,
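Review bot: With the `self` line gone, `@{PROC}/@{pid}/fd/ r,` is the only rule left under the comment `# Used when internally running another command (namely apparmor_parser)`, and `@{pid}` is a numeric pattern rather than the helper's own pid, so the retained rule is not narrower than the removed one; a word in that comment that the access is to the helper's own fd directory, reached through the `/proc/self` symlink, would stop a later reader from "tightening" the profile by re-adding `self` and dropping `@{pid}`.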