From 6a9bdf3f25fb3941d587b3f2877b36e4412d6762 Mon Sep 17 00:00:00 2001
From: Christian Ehrhardt
Date: Mon, 9 Apr 2018 08:24:19 +0200
Subject: [PATCH] apparmor: add rules to use qemu_bridge_helper

Due to mediation of socket and signal activity currently qemu:///session connections calling qemu_bridge_helper fail. We need the profile for libvirtd itself and the subprofile for qemu-bridge-helper to be able to talk/notify to each other via unix socket and signals.

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1754871

Signed-off-by: Christian Ehrhardt
Acked-by: Michal Privoznik
---
 examples/apparmor/usr.sbin.libvirtd | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index be4fabf905..3102cab382 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -65,6 +65,10 @@
   signal (read, send) peer=libvirt-*,
   signal (send) set=("kill", "term") peer=unconfined,
 
+  # For communication/control to qemu-bridge-helper
+  unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
+  signal (send) set=("term") peer=/usr/sbin/libvirtd//qemu_bridge_helper,
+
   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
   / r,
@@ -112,6 +116,10 @@
 
   network inet stream,
 
+  # For communication/control from libvirtd
+  unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
+  signal (receive) set=("term") peer=/usr/sbin/libvirtd,
+
   /dev/net/tun rw,
   /etc/qemu/** r,
   owner @{PROC}/*/status r,
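Review bot: Both hunks pin the peer to the literal profile names `/usr/sbin/libvirtd` and `/usr/sbin/libvirtd//qemu_bridge_helper`, so the new rules match only while the parent profile is named by that exact attachment path and the child subprofile keeps the name qemu_bridge_helper; a build that installs libvirtd under another path, or a later change giving the parent an explicit `profile` name, would bring back the mediation failure the commit message describes, with no parser error to point at it. A comment next to each pair of rules would make that coupling visible, e.g. `# peer labels below must match the parent profile name and the qemu_bridge_helper subprofile name`. The libvirtd-side signal rule in the first hunk allows only `term`, whereas the existing rule two lines above allows `kill` as well for unconfined peers; if libvirtd escalates to SIGKILL for a helper that does not exit, that send would still be denied and the helper could linger, which is worth confirming against the helper-abort path before merging. Both the main profile and the qemu_bridge_helper subprofile begin and end outside their hunks.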