apparmor: allow kvm-spice compat wrapper

'kvm-spice' is a binary name used to call 'kvm' which actually is a wrapper
around qemu-system-x86_64 enabling kvm acceleration. This isn't in use
for quite a while anymore, but required to work for compatibility e.g.
when migrating in old guests.

For years this was a symlink kvm-spice->kvm and therefore covered
apparmor-wise by the existing entry:
   /usr/bin/kvm rmix,
But due to a recent change [1] in qemu packaging this now is no symlink,
but a wrapper on its own and therefore needs an own entry that allows it
to be executed.

[1]: https://salsa.debian.org/qemu-team/qemu/-/commit/9944836d3

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Michal Privoznik <mprivozn redhat com>

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index a03e9e2c94274e42c135271f8860ed57a2eeb5bb..85c9e61d6c6dbbfffa0f76979090ba7e23e20bbf 100644 (file)
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -102,6 +102,7 @@
 
   # the various binaries
   /usr/bin/kvm rmix,
+  /usr/bin/kvm-spice rmix,
   /usr/bin/qemu rmix,
   /usr/bin/qemu-aarch64 rmix,
   /usr/bin/qemu-alpha rmix,