apparmor: let qemu load old shared objects after upgrades

Since [1] qemu can after upgrade fall back to pre-upgrade modules to still be able to dynamically load qemu-module based features. The paths for these modules are pre-defined by the code and should be allowed to be mapped and loaded from which will allow packagers avoiding the inability of late feature load [2] after package upgrades. [1]: https://github.com/qemu/qemu/commit/bd83c861 [2]: https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1847361 Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Acked-by: Jamie Strandboge <jamie@canonical.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange redhat com>
2024-12-22 13:45:38 +00:00 · 2020-08-03 14:03:19 +02:00 · 2020-08-03 14:03:19 +02:00 · 3ef2af8ed3
commit 3ef2af8ed3
parent 7c5ef98c00
1 changed files with 5 additions and 0 deletions
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@ -169,6 +169,11 @@
  /usr/{lib,lib64}/qemu/*.so mr,
  /usr/lib/@{multiarch}/qemu/*.so mr,

+  # let qemu load old shared objects after upgrades (LP: #1847361)
+  /{var/,}run/qemu/*/*.so mr,
+  # but explicitly deny writing to these files
+  audit deny /{var/,}run/qemu/*/*.so w,
+
  # swtpm
  /{usr/,}bin/swtpm rmix,
  /usr/{lib,lib64}/libswtpm_libtpms.so mr,