The following pull request was submitted through GitHub. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7803
This e-mail was sent by the LXC bot; direct replies will not reach the author unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

man apparmor.d(5):

> Globbing
> File resources may be specified with a globbing syntax similar to that used by popular shells, such as csh(1), bash(1), zsh(1).
>
> * can substitute for any number of characters, excepting '/'

This means `/snap/lxd/*/` covers `/snap/lxd/current/`.
From 99c62ecbe8c21ceb926545701378985561f048fc Mon Sep 17 00:00:00 2001 From: Simon Deziel <si...@sdeziel.info> Date: Mon, 24 Aug 2020 11:50:29 -0400 Subject: [PATCH 1/2] lxd/apparmor/dnsmasq: drop dup rule, /snap/lxd/*/ includes /snap/lxd/current/ Signed-off-by: Simon Deziel <si...@sdeziel.info> --- lxd/apparmor/network_dnsmasq.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/lxd/apparmor/network_dnsmasq.go b/lxd/apparmor/network_dnsmasq.go index 0b63dc6048..f411627753 100644 --- a/lxd/apparmor/network_dnsmasq.go +++ b/lxd/apparmor/network_dnsmasq.go @@ -57,11 +57,9 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) { {{- if .snap }} # The binary itself (for nesting) - /snap/lxd/current/bin/dnsmasq mr, /snap/lxd/*/bin/dnsmasq mr, # Snap-specific libraries - /snap/lxd/current/lib/**.so* mr, /snap/lxd/*/lib/**.so* mr, {{- end }} } From 42eef074a88a3d2facb7dd1a7d90d34a7a5c187e Mon Sep 17 00:00:00 2001 From: Simon Deziel <si...@sdeziel.info> Date: Mon, 24 Aug 2020 11:50:45 -0400 Subject: [PATCH 2/2] lxd/apparmor/forkdns: drop dup rule, /snap/lxd/*/ includes /snap/lxd/current/ Signed-off-by: Simon Deziel <si...@sdeziel.info> --- lxd/apparmor/network_forkdns.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/lxd/apparmor/network_forkdns.go b/lxd/apparmor/network_forkdns.go index 396e87be67..8aaf43f8e2 100644 --- a/lxd/apparmor/network_forkdns.go +++ b/lxd/apparmor/network_forkdns.go @@ -38,11 +38,9 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) { {{- if .snap }} # The binary itself (for nesting) /var/snap/lxd/common/lxd.debug mr, - /snap/lxd/current/bin/lxd mr, /snap/lxd/*/bin/lxd mr, # Snap-specific libraries - /snap/lxd/current/lib/**.so* mr, /snap/lxd/*/lib/**.so* mr, {{- end }} }
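Review bot: in the network_dnsmasq.go hunk, the surviving `/snap/lxd/*/bin/dnsmasq mr,` rule carries no comment saying that `*` is intended to cover `current` as well as the other directories under /snap/lxd/, so a later editor could reasonably re-add the explicit `current` rule. Consider extending the `# The binary itself (for nesting)` comment with a short remark that the glob also matches `current`; the same applies to the `# Snap-specific libraries` comment above `/snap/lxd/*/lib/**.so* mr,`.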
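Review bot: in the network_forkdns.go hunk, the rule kept under `# Snap-specific libraries`, `/snap/lxd/*/lib/**.so* mr,`, is identical to the one kept in network_dnsmasq.go, so the two profile templates now hold the same snap library rule in two places and can drift apart. Consider moving it into a shared template fragment, and check the other files under lxd/apparmor/ for the same `current` plus `*` pair so the cleanup is applied consistently.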
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel