libvirt/examples/apparmor
Christian Ehrhardt d4d50bcc79 virt-aa-helper: fix libusb access to udev usb descriptions
In bf3a4140 "virt-aa-helper: fix libusb access to udev usb data" the
libusb access to properly detect the device/bus ids was fixed.

The path /run/udev/data/+usb* contains a subset of the information we
already allow to be read and is currently not needed for the function
qemu needs libusb for. But on the init of libusb all those files are
still read, so a lot of apparmor denials can be seen when using usb host
devices, like:
  apparmor="DENIED" operation="open" name="/run/udev/data/+usb:2-1.2:1.0"
  comm="qemu-system-x86" requested_mask="r" denied_mask="r"

Today we could silence the warnings with a deny rule without breaking
current use cases. But since the data in there is only a subset of what
it can read already, it is no additional information exposure. And on the
other hand a future udev/libusb/qemu combination might need it, so allow
the access in the default apparmor profile.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2017-10-26 12:48:32 +02:00
libvirt-lxc Rework lxc apparmor profile 2014-07-15 12:57:05 -06:00
libvirt-qemu virt-aa-helper: fix libusb access to udev usb descriptions 2017-10-26 12:48:32 +02:00
TEMPLATE.lxc apparmor: add attach_disconnected 2017-09-18 19:06:52 +02:00
TEMPLATE.qemu apparmor: add attach_disconnected 2017-09-18 19:06:52 +02:00
usr.lib.libvirt.virt-aa-helper apparmor, virt-aa-helper: Explicit denies for host devices 2017-05-19 09:48:23 +02:00
usr.sbin.libvirtd apparmor: add dnsmasq ptrace rule to libvirtd profile 2017-10-06 16:39:15 -06:00