mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-23 13:05:27 +00:00
5a21fd513a
Since a3ab6d42 "apparmor: convert libvirtd profile to a named profile" the detection of the subelement for qemu_bridge_helper is wrong. In combination with the older 123cc3e1 "apparmor: allow /usr/lib/qemu/qemu-bridge-helper" it now detects qemu-bridge-helper no more with its path, but instead as a proper subelement of the named profile like: label=libvirtd//qemu_bridge_helper In the same fashion the reverse rule in the qemu_bridge_helper sub-profile still uses the path and not the named profile label. Triggering denies like: apparmor="DENIED" operation="file_inherit" profile="libvirtd//qemu_bridge_helper" pid=5629 comm="qemu-bridge-hel" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="libvirtd" This patch fixes the unix socket rules for the communication between libvirtd and qemu-bridge-helper to match that. Fixes: a3ab6d42d825499af44b8f19f9299e150d9687bc Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1655111 Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>