apparmor: move qemu-bridge-helper to libvirtd profile

qemu-bridge-helper is only called from libvirtd, it has to be moved from the qemu domain abstraction to the usr.sbin.libvirtd profile.
2024-07-07 18:35:46 +00:00 · 2016-08-05 09:32:54 +02:00 · 2016-08-05 09:32:54 +02:00 · f03013c212
commit f03013c212
parent f4f285d809
2 changed files with 18 additions and 19 deletions
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@ -148,22 +148,3 @@
  /etc/udev/udev.conf r,
  /sys/bus/ r,
  /sys/class/ r,
-
-  /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
-  # child profile for bridge helper process
-  profile qemu_bridge_helper {
-   #include <abstractions/base>
-
-   capability setuid,
-   capability setgid,
-   capability setpcap,
-   capability net_admin,
-
-   network inet stream,
-
-   /dev/net/tun rw,
-   /etc/qemu/** r,
-   owner @{PROC}/*/status r,
-
-   /usr/{lib,libexec}/qemu-bridge-helper rmix,
-  }
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@ -67,4 +67,22 @@
  # allow changing to our UUID-based named profiles
  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,

+  /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+  # child profile for bridge helper process
+  profile qemu_bridge_helper {
+   #include <abstractions/base>
+
+   capability setuid,
+   capability setgid,
+   capability setpcap,
+   capability net_admin,
+
+   network inet stream,
+
+   /dev/net/tun rw,
+   /etc/qemu/** r,
+   owner @{PROC}/*/status r,
+
+   /usr/{lib,libexec}/qemu-bridge-helper rmix,
+  }
 }