apparmor: let qemu load old shared objects after upgrades

Since [1] qemu can after upgrade fall back to pre-upgrade modules
to still be able to dynamically load qemu-module based features.

The paths for these modules are pre-defined by the code and should
be allowed to be mapped and loaded from which will allow packagers
avoiding the inability of late feature load [2] after package upgrades.

[1]: https://github.com/qemu/qemu/commit/bd83c861
[2]: https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1847361

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange redhat com>
This commit is contained in:
Christian Ehrhardt 2020-08-03 14:03:19 +02:00
parent 7c5ef98c00
commit 3ef2af8ed3
No known key found for this signature in database
GPG Key ID: BA3E29338280B242

View File

@ -169,6 +169,11 @@
/usr/{lib,lib64}/qemu/*.so mr, /usr/{lib,lib64}/qemu/*.so mr,
/usr/lib/@{multiarch}/qemu/*.so mr, /usr/lib/@{multiarch}/qemu/*.so mr,
# let qemu load old shared objects after upgrades (LP: #1847361)
/{var/,}run/qemu/*/*.so mr,
# but explicitly deny writing to these files
audit deny /{var/,}run/qemu/*/*.so w,
# swtpm # swtpm
/{usr/,}bin/swtpm rmix, /{usr/,}bin/swtpm rmix,
/usr/{lib,lib64}/libswtpm_libtpms.so mr, /usr/{lib,lib64}/libswtpm_libtpms.so mr,