[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [PATCH 7/8] apparmor: allow virt-aa-helper to read openvswitch sockets



On Mon, 03 Aug 2020, Christian Ehrhardt wrote:

> From: Serge Hallyn <serge hallyn ubuntu com>
> 
> Chardevs/sockets configured for openvswitch-dpdk use cases
> might be probed by virt-aa-helper. Allow that access to enable
> virt-aa-helper rendering per-guest rules for the actual qemu
> guest accessing these sockets eventually.
> 
> Signed-off-by: Christian Ehrhardt <christian ehrhardt canonical com>
> Signed-off-by: Stefan Bader <stefan bader canonical com>
> Signed-off-by: Serge Hallyn <serge hallyn ubuntu com>
> ---
>  src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> index 3f204799a6..877cb04b1e 100644
> --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> @@ -46,6 +46,9 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
>    @sysconfdir@/apparmor.d/libvirt/* r,
>    @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
>  
> +  # for openvswitch sockets
> +  /{,var/}run/openvswitch/** rw,

A bit unfortunate and unexpected. What kind of probing does
virt-aa-helper do on these?

-- 
Jamie Strandboge             | http://www.canonical.com


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]