AppArmor handling of accesses to readonly files

Fixes https://launchpad.net/bugs/453335

* src/security/virt-aa-helper.c: suppress confusing and misleading
  apparmor denied message when kvm/qemu tries to open a libvirt specified
  readonly file (such as a cdrom) with write permissions. libvirt uses
  the readonly attribute for the security driver only, and has no way
  of telling kvm/qemu that the device should be opened readonly

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 498979873450e395b0645cf33dc661684a2f4835..62f0977f5d8fb105ed48788f804e96f0d5ed466c 100644 (file)
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -755,6 +755,10 @@ vah_add_file(virBufferPtr buf, const char *path, const char *perms)
     }
 
     virBufferVSprintf(buf, "  \"%s\" %s,\n", tmp, perms);
+    if (readonly) {
+        virBufferVSprintf(buf, "  # don't audit writes to readonly media\n");
+        virBufferVSprintf(buf, "  deny \"%s\" w,\n", tmp);
+    }
 
   clean:
     free(tmp);