virt-aa-helper needs read access to the disk image to resolve symlinks
and add the proper rules to the profile. Its profile whitelists a few
common paths, but users can place their images anywhere.
This commit helps users allowing access to their images by adding their
own rules in apparmor.d/local/usr.lib.libvirt.virt-aa-helper.
This commit also adds rules to allow reading files named:
- *.raw as this is a rather common disk image extension
- /run/libvirt/**[vd]d[a-z] as these are used by virt-sandbox
Add explicit denies for disk devices to avoid cluttering dmesg with
(acceptable) denials.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Guido Günther <agx@sigxcpu.org>
* docs/drvqemu.html.in: include documentation for AppArmor sVirt
confinement
* examples/apparmor/TEMPLATE examples/apparmor/libvirt-qemu
examples/apparmor/usr.lib.libvirt.virt-aa-helper
examples/apparmor/usr.sbin.libvirtd: example templates and
configuration files for SVirt Apparmor when using KVM/QEmu
