In the Ubuntu development release we recently got a new udev that
moves /var/run to /run, /var/lock to /run/lock and /dev/shm to /run/shm.
This change in udev requires updating the apparmor security driver in
libvirt[1].
Attached is a patch that:
* adjusts src/security/virt-aa-helper.c to allow both
LOCALSTATEDIR/run/libvirt/**/%s.pid and /run/libvirt/**/%s.pid. While
the profile is not as precise, LOCALSTATEDIR/run/ is typically a symlink
to /run/ anyway, so there is no additional access (remember that
apparmor resolves symlinks, which is why this is still required even
if /var/run points to /run).
* adjusts example/apparmor/libvirt-qemu paths for /dev/shm
[1]https://launchpad.net/bugs/810270
--
Jamie Strandboge | http://www.canonical.com
# but may constitute a security risk. If your environment does not require
# the use of sound in your VMs, feel free to comment out or prepend 'deny' to
# the rules for files in /dev.
- /dev/shm/ r,
- /dev/shm/pulse-shm* r,
- /dev/shm/pulse-shm* rwk,
+ /{dev,run}/shm r,
+ /{dev,run}/shmpulse-shm* r,
+ /{dev,run}/shmpulse-shm* rwk,
/dev/snd/* rw,
capability ipc_lock,
# 'kill' is not required for sound and is a security risk. Do not enable
LOCALSTATEDIR, ctl->def->name);
virBufferAsprintf(&buf, " \"%s/run/libvirt/**/%s.pid\" rwk,\n",
LOCALSTATEDIR, ctl->def->name);
+ virBufferAsprintf(&buf, " \"/run/libvirt/**/%s.pid\" rwk,\n",
+ ctl->def->name);
if (ctl->files)
virBufferAdd(&buf, ctl->files, -1);
}
projects / people / liuw / libxenctrl-split / libvirt.git / commitdiff