In the Ubuntu development release we recently got a new udev that
moves /var/run to /run, /var/lock to /run/lock and /dev/shm to /run/shm.
This change in udev requires updating the apparmor security driver in
libvirt[1].

Attached is a patch that:
 * adjusts src/security/virt-aa-helper.c to allow both
LOCALSTATEDIR/run/libvirt/**/%s.pid and /run/libvirt/**/%s.pid. While
the profile is not as precise, LOCALSTATEDIR/run/ is typically a symlink
to /run/ anyway, so there is no additional access (remember that
apparmor resolves symlinks, which is why this is still required even
if /var/run points to /run).
 * adjusts examples/apparmor/libvirt-qemu paths for /dev/shm

[1]https://launchpad.net/bugs/810270

-- 
Jamie Strandboge             | http://www.canonical.com
diff -Naurp libvirt.orig/examples/apparmor/libvirt-qemu libvirt/examples/apparmor/libvirt-qemu
--- libvirt.orig/examples/apparmor/libvirt-qemu	2011-07-12 08:25:18.000000000 -0500
+++ libvirt/examples/apparmor/libvirt-qemu	2011-07-14 11:55:05.000000000 -0500
@@ -27,9 +27,9 @@
   # but may constitute a security risk. If your environment does not require
   # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
   # the rules for files in /dev.
-  /dev/shm/ r,
-  /dev/shm/pulse-shm* r,
-  /dev/shm/pulse-shm* rwk,
+  /{dev,run}/shm r,
+  /{dev,run}/shmpulse-shm* r,
+  /{dev,run}/shmpulse-shm* rwk,
   /dev/snd/* rw,
   capability ipc_lock,
   # 'kill' is not required for sound and is a security risk. Do not enable
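Review bot: the three replacement rules have lost the `/` after `shm`, so none of them covers what the removed lines did. `/{dev,run}/shm r,` matches only a file literally named `shm`; the removed `/dev/shm/ r,` had the trailing slash that an AppArmor directory rule needs. `/{dev,run}/shmpulse-shm* r,` and the `rwk` rule on the same glob match `/dev/shmpulse-shm*` and `/run/shmpulse-shm*`, not anything under `/dev/shm/` or `/run/shm/`, so PulseAudio shared memory will be denied on both the old and the new layout. They should read `/{dev,run}/shm/ r,`, `/{dev,run}/shm/pulse-shm* r,` and `/{dev,run}/shm/pulse-shm* rwk,`. While touching these lines, the `r` rule for pulse-shm* is fully covered by the `rwk` rule that follows it and could be dropped.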
diff -Naurp libvirt.orig/src/security/virt-aa-helper.c libvirt/src/security/virt-aa-helper.c
--- libvirt.orig/src/security/virt-aa-helper.c	2011-07-12 08:25:19.000000000 -0500
+++ libvirt/src/security/virt-aa-helper.c	2011-07-14 11:53:51.000000000 -0500
@@ -1166,6 +1166,8 @@ main(int argc, char **argv)
                               LOCALSTATEDIR, ctl->def->name);
             virBufferAsprintf(&buf, "  \"%s/run/libvirt/**/%s.pid\" rwk,\n",
                               LOCALSTATEDIR, ctl->def->name);
+            virBufferAsprintf(&buf, "  \"/run/libvirt/**/%s.pid\" rwk,\n",
+                              ctl->def->name);
             if (ctl->files)
                 virBufferAdd(&buf, ctl->files, -1);
         }
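Review bot: the new `/run/libvirt/**/%s.pid` rule is emitted unconditionally, so on a build where LOCALSTATEDIR/run is a real directory rather than a symlink to /run the profile now grants rwk on a second path the daemon never writes to; the "no additional access" argument in the cover letter only holds for the symlink case. Consider either guarding the extra virBufferAsprintf on a configure-time check of where LOCALSTATEDIR/run points, or at least adding a comment above it explaining why the literal /run path is emitted alongside the LOCALSTATEDIR one, since a later reader will otherwise see it as a duplicate.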

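To make the symlink point concrete, here is an added Python sketch, not part of the patch or of libvirt's code, that models the subset of AppArmor path globbing the patch relies on and resolves symlinks the way the kernel does before AppArmor mediates the access. The symlink table, the guest name `guest1` and the assumption that LOCALSTATEDIR is /var are constructed for the example; it also carries the shm rules exactly as they appear in the posted hunk, to show what they would and would not match.

```python
import re

# Constructed symlink table modelling the layout the mail describes
# (/var/run -> /run, /var/lock -> /run/lock, /dev/shm -> /run/shm).
# An assumption for this example, not read from a real host.
SYMLINKS = {
    "/var/run": "/run",
    "/var/lock": "/run/lock",
    "/dev/shm": "/run/shm",
}


def resolve(path, symlinks=SYMLINKS):
    """Rewrite symlinked prefixes until none is left.

    The kernel hands AppArmor the fully resolved path, which is why a rule
    on /var/run/... never fires once /var/run is a symlink to /run."""
    # Longest prefix first so /var/run would win over a hypothetical /var entry.
    ordered = sorted(symlinks.items(), key=lambda kv: -len(kv[0]))
    changed = True
    while changed:
        changed = False
        for link, target in ordered:
            if path == link or path.startswith(link + "/"):
                path = target + path[len(link):]
                changed = True
                break
    return path


def aa_glob_to_regex(rule_path):
    """Translate the subset of AppArmor path globbing used in the patch.

    '**' matches any run of characters including '/', '*' any run without
    '/', '?' one non-'/' character, '{a,b}' alternation (no nesting here);
    everything else is literal. A trailing '/' thus only matches a directory."""
    out, i = [], 0
    while i < len(rule_path):
        c = rule_path[i]
        if rule_path.startswith("**", i):
            out.append(".*")
            i += 2
        elif c == "*":
            out.append("[^/]*")
            i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "{":
            close = rule_path.index("}", i)
            alts = rule_path[i + 1:close].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = close + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "^" + "".join(out) + "$"


def matching_rule(rules, access_path):
    """Return the first rule path covering the *resolved* access path, else None."""
    resolved = resolve(access_path)
    for rule in rules:
        if re.match(aa_glob_to_regex(rule), resolved):
            return rule
    return None


GUEST = "guest1"  # stands in for ctl->def->name; constructed for the example

# Rules as virt-aa-helper emitted them before the patch, LOCALSTATEDIR = /var.
OLD_RULES = [
    "/var/run/libvirt/**/%s.pid" % GUEST,
    "/dev/shm/",
    "/dev/shm/pulse-shm*",
]
# After the patch, with the shm rules written with the '/' after 'shm'.
NEW_RULES = OLD_RULES + [
    "/run/libvirt/**/%s.pid" % GUEST,
    "/{dev,run}/shm/",
    "/{dev,run}/shm/pulse-shm*",
]
# The shm rules exactly as they appear in the posted hunk.
HUNK_SHM_RULES = ["/{dev,run}/shm", "/{dev,run}/shmpulse-shm*"]

if __name__ == "__main__":
    pid = "/var/run/libvirt/qemu/%s.pid" % GUEST
    print("old profile, pid file:     ", matching_rule(OLD_RULES, pid))
    print("new profile, pid file:     ", matching_rule(NEW_RULES, pid))
    print("new profile, pulse shm:    ", matching_rule(NEW_RULES, "/dev/shm/pulse-shm-4242"))
    print("hunk as posted, pulse shm: ", matching_rule(HUNK_SHM_RULES, "/dev/shm/pulse-shm-4242"))
```

Run stand-alone it shows the old profile denying the pid file once /var/run has become a symlink, the patched profile allowing it through the literal /run rule, and the shm rules as posted in the hunk matching nothing under the real shm directory.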
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list