apparmor: Add ptrace and signal rules for named profile

Commit a3ab6d42 changed the libvirtd profile to a named profile
but neglected to accommodate the change in the qemu profile
ptrace and signal rules. As a result, libvirtd is unable to
signal confined qemu processes and hence unable to shutdown
or destroy VMs.

Add ptrace and signal rules that reference the libvirtd profile
by name in addition to full binary path.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 7d28faa1636cde34cbf79d1e903abfbdc380d696..474aaefdf8f95e8600279734c783455d2da20ee0 100644 (file)
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -16,8 +16,10 @@
   network inet stream,
   network inet6 stream,
 
+  ptrace (readby, tracedby) peer=libvirtd,
   ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
 
+  signal (receive) peer=libvirtd,
   signal (receive) peer=/usr/sbin/libvirtd,
 
   /dev/net/tun rw,