[PATCH] apparmor: Allow more paths for qemu-bridge-helper

Andrea Bolognani posted 1 patch 1 month, 1 week ago
src/security/apparmor/usr.sbin.libvirtd.in  | 4 ++--
src/security/apparmor/usr.sbin.virtqemud.in | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
[PATCH] apparmor: Allow more paths for qemu-bridge-helper
Posted by Andrea Bolognani 1 month, 1 week ago
The QEMU package in Debian has recently moved the
qemu-bridge-helper binary under /usr/libexec/qemu. Update the
AppArmor profile accordingly.

https://bugs.debian.org/1077915

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
---
 src/security/apparmor/usr.sbin.libvirtd.in  | 4 ++--
 src/security/apparmor/usr.sbin.virtqemud.in | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index 1601d73d47..5fa5c7842c 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -116,7 +116,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
   # allow changing to our UUID-based named profiles
   change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
 
-  /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+  /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper Cx -> qemu_bridge_helper,
   # child profile for bridge helper process
   profile qemu_bridge_helper {
    #include <abstractions/base>
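Review bot: The helper's path alternation is now written out four times with nothing tying the copies together: in this `Cx -> qemu_bridge_helper` rule, in the `rmix` rule of the child profile in the next hunk, and in the two matching hunks of usr.sbin.virtqemud.in. If the `Cx` rule ever gains a directory that the child profile's `rmix` rule lacks, the helper would be switched into `qemu_bridge_helper` and then likely be denied read/map access to its own binary. A comment above this rule such as `# keep this path list identical to the rmix rule in profile qemu_bridge_helper below` would make that dependency explicit. Both profile bodies continue outside the hunks, so it is not visible here whether any other rule refers to the helper. Any profile or abstraction outside this patch that lets QEMU itself start the helper presumably needs the same `libexec/qemu` entry, which is worth confirming before merging.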
@@ -137,7 +137,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
    /etc/qemu/** r,
    owner @{PROC}/*/status r,
 
-   /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
+   /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper rmix,
   }
 
 @BEGIN_APPARMOR_3@
diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/apparmor/usr.sbin.virtqemud.in
index 6b9c5d32d9..ff2967c6eb 100644
--- a/src/security/apparmor/usr.sbin.virtqemud.in
+++ b/src/security/apparmor/usr.sbin.virtqemud.in
@@ -110,7 +110,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
   # allow changing to our UUID-based named profiles
   change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
 
-  /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+  /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper Cx -> qemu_bridge_helper,
   # child profile for bridge helper process
   profile qemu_bridge_helper {
    #include <abstractions/base>
@@ -130,7 +130,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
    /etc/qemu/** r,
    owner @{PROC}/*/status r,
 
-   /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
+   /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper rmix,
   }
 
 @BEGIN_APPARMOR_3@
-- 
2.45.2
Re: [PATCH] apparmor: Allow more paths for qemu-bridge-helper
Posted by Jim Fehlig via Devel 1 month, 1 week ago
On 8/5/24 08:25, Andrea Bolognani wrote:
> The QEMU package in Debian has recently moved the
> qemu-bridge-helper binary under /usr/libexec/qemu. Update the
> AppArmor profile accordingly.
> 
> https://bugs.debian.org/1077915
> 
> Signed-off-by: Andrea Bolognani <abologna@redhat.com>
> ---
>   src/security/apparmor/usr.sbin.libvirtd.in  | 4 ++--
>   src/security/apparmor/usr.sbin.virtqemud.in | 4 ++--
>   2 files changed, 4 insertions(+), 4 deletions(-)

Reviewed-by: Jim Fehlig <jfehlig@suse.com>

Regards,
Jim

> 
> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
> index 1601d73d47..5fa5c7842c 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> @@ -116,7 +116,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
>     # allow changing to our UUID-based named profiles
>     change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
>   
> -  /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
> +  /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper Cx -> qemu_bridge_helper,
>     # child profile for bridge helper process
>     profile qemu_bridge_helper {
>      #include <abstractions/base>
> @@ -137,7 +137,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
>      /etc/qemu/** r,
>      owner @{PROC}/*/status r,
>   
> -   /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
> +   /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper rmix,
>     }
>   
>   @BEGIN_APPARMOR_3@
> diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/apparmor/usr.sbin.virtqemud.in
> index 6b9c5d32d9..ff2967c6eb 100644
> --- a/src/security/apparmor/usr.sbin.virtqemud.in
> +++ b/src/security/apparmor/usr.sbin.virtqemud.in
> @@ -110,7 +110,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
>     # allow changing to our UUID-based named profiles
>     change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
>   
> -  /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
> +  /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper Cx -> qemu_bridge_helper,
>     # child profile for bridge helper process
>     profile qemu_bridge_helper {
>      #include <abstractions/base>
> @@ -130,7 +130,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
>      /etc/qemu/** r,
>      owner @{PROC}/*/status r,
>   
> -   /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
> +   /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper rmix,
>     }
>   
>   @BEGIN_APPARMOR_3@