apparmor, libvirt-qemu: add default pki path of libvirt-spice

Adding the PKI path that is used as default suggestion in src/qemu/qemu.conf
If people use non-default paths they should use local overrides but the
suggested defaults we should open up.

This is the default path as referenced by src/qemu/qemu.conf in libvirt.

While doing so merge the several places we have to cover PKI access into
one.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/1690140

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index e10160a1b80d5bd004d0eefff36bd7fb35edd80d..f4009b8a70a23351c346e92b51465d7ed10d3d63 100644 (file)
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -88,8 +88,11 @@
   /usr/share/qemu-efi/** r,
   /usr/share/slof/** r,
 
-  # access PKI infrastructure
-  /etc/pki/libvirt-vnc/** r,
+  # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
+  /etc/pki/CA/ r,
+  /etc/pki/CA/* r,
+  /etc/pki/libvirt{,-spice,-vnc}/ r,
+  /etc/pki/libvirt{,-spice,-vnc}/** r,
 
   # the various binaries
   /usr/bin/kvm rmix,
@@ -156,12 +159,6 @@
   /usr/{lib,lib64}/qemu/*.so mr,
   /usr/lib/@{multiarch}/qemu/*.so mr,
 
-  # for use by libvirt-vnc (LP: #901272)
-  /etc/pki/CA/ r,
-  /etc/pki/CA/* r,
-  /etc/pki/libvirt/ r,
-  /etc/pki/libvirt/** r,
-
   # for save and resume
   /{usr/,}bin/dash rmix,
   /{usr/,}bin/dd rmix,