
Re: [libvirt] [PATCH 3/4] AppArmor updates



On Thu, 12 Nov 2009, Jamie Strandboge wrote:

> 3_aa_deny_write_to_readonly.patch:
> Suppress confusing and misleading apparmor denied message when kvm/qemu
> tries to open a libvirt specified readonly file (such as a cdrom) with
> write permissions. libvirt uses the readonly attribute for the security
> driver only, and has no way of telling kvm/qemu that the device should
> be opened readonly. This fixes https://launchpad.net/bugs/453335.
> 

-- 
Jamie Strandboge             | http://www.canonical.com
diff -Naurp libvirt.orig/src/security/virt-aa-helper.c libvirt/src/security/virt-aa-helper.c
--- libvirt.orig/src/security/virt-aa-helper.c	2009-11-06 17:05:12.000000000 -0600
+++ libvirt/src/security/virt-aa-helper.c	2009-11-06 17:06:48.000000000 -0600
@@ -755,6 +755,10 @@ vah_add_file(virBufferPtr buf, const cha
     }
 
     virBufferVSprintf(buf, "  \"%s\" %s,\n", tmp, perms);
+    if (readonly) {
+        virBufferVSprintf(buf, "  # don't audit writes to readonly media\n");
+        virBufferVSprintf(buf, "  deny \"%s\" w,\n", tmp);
+    }
 
   clean:
     free(tmp);
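
Review bot: the added `deny "%s" w,` rule does more than silence the audit message, and the emitted comment `# don't audit writes to readonly media` understates it. An AppArmor deny rule takes precedence over any allow rule for the same path, so if the same file is also added to the profile with write permission (for example, the same image attached a second time as a writable disk), the write will be refused regardless of the allow rule. Either say so in the generated comment or make sure the path cannot be emitted with write permission elsewhere in the same profile. A smaller point: the comment line passes no format arguments, so `virBufferAddLit` would be the better fit than `virBufferVSprintf` there. Finally, `readonly` is not assigned anywhere in the visible lines, so please confirm it is derived from the same `perms` value that is written on the line just above.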
