apparmor: Add openGraphicsFD rule for named profile

Commit a3ab6d42 changed the libvirtd profile to a named profile
but neglected to accommodate the change in the qemu profile
ptrace and signal rules.
Later on 4ec3cf9a fixed that for ptrace and signal but openGraphicsFD
is still missing.

As a result, libvirtd is unable to open UI on libvirt >=5.1 e.g. with
virt-manager.

Add openGraphicsFD rule that references the libvirtd profile
by name in addition to full binary path.

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1833040
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 165558fe83e64eb3a1184c136bce535b7ad6e485..d33348aa05b41fa88726b9c519fb37d7b703e43e 100644 (file)
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -208,6 +208,7 @@
   /sys/firmware/devicetree/** r,
 
   # allow connect with openGraphicsFD to work
+  unix (send, receive) type=stream addr=none peer=(label=libvirtd),
   unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
 
   # for gathering information about available host resources