From 3b1d19e6c9500d392b6635de92877b725d214f7f Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Sun, 19 Nov 2017 14:57:33 +0000
Subject: [PATCH] AppArmor: add rules needed with additional mediation features brought by Linux 4.14.

---
 examples/apparmor/libvirt-qemu      | 4 ++++
 examples/apparmor/usr.sbin.libvirtd | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 064501f08e..73bdbae872 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -16,6 +16,10 @@
   network inet stream,
   network inet6 stream,
 
+  ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
+
+  signal (receive) peer=/usr/sbin/libvirtd,
+
   /dev/net/tun rw,
   /dev/kvm rw,
   /dev/ptmx rw,
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 819068ffc3..12b9d45bf0 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -34,6 +34,7 @@
   network inet dgram,
   network inet6 stream,
   network inet6 dgram,
+  network netlink raw,
   network packet dgram,
   network packet raw,
 
@@ -42,6 +43,9 @@
   ptrace (trace) peer=/usr/sbin/dnsmasq,
   ptrace (trace) peer=libvirt-*,
 
+  signal (send) peer=/usr/sbin/dnsmasq,
+  signal (read, send) peer=libvirt-*,
+
   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
   / r,
--
GitLab
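Review bot: The new `signal (receive) peer=/usr/sbin/libvirtd,` line has no `set=` qualifier, so the guest profile accepts every signal from libvirtd rather than only the ones libvirt's lifecycle handling actually delivers; the matching `signal (send) ...`/`signal (read, send) ...` rules in the second hunk of usr.sbin.libvirtd are equally unrestricted, and both sides would need to be narrowed together. If the signals libvirtd sends to QEMU are known (shutdown/destroy presumably use term and kill, which should be confirmed against the qemu driver), a clause such as `signal (receive) set=(term, kill) peer=/usr/sbin/libvirtd,` keeps the benefit of the 4.14 mediation instead of switching it off for this peer. The `ptrace (readby, tracedby)` rule also deserves a short comment next to it, e.g. `# Linux 4.14 mediates ptrace/signal: libvirtd reads this process' /proc entries and may trace or signal it`, because the commit message is currently the only place that rationale is recorded. Note that `tracedby` pairs with libvirtd's existing `ptrace (trace) peer=libvirt-*`, but `readby` has no explicit `read` counterpart on the libvirtd side; whether `trace` subsumes `read` in the parser version in use is worth confirming with aa-logprof before relying on it.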
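Review bot: `network netlink raw,` grants libvirtd every netlink family, since AppArmor's network rule syntax matches only domain and type and cannot be narrowed to, for example, the route family; a comment naming the intended use should sit beside it so a later reader does not take it for a leftover permission, for instance `# netlink sockets for link/route state queries and events (mediated since Linux 4.14) — confirm which families libvirt's netlink helper opens`. This is consistent with the "Very lenient profile" intent stated a few lines further down in this file, but it also means denials of other netlink families will no longer appear in the audit log, which is worth knowing when using that log to spot unexpected daemon activity.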
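Review bot: `signal (read, send) peer=libvirt-*,` uses the `read` spelling while the guest-side rule added in libvirt-qemu uses `receive`; if `read` is the parser's alias for `receive` (as I believe it is), writing `signal (receive, send) peer=libvirt-*,` here keeps both profiles using the same vocabulary and makes the pairing obvious when reviewing them side by side. The `libvirt-*` glob matches every per-guest profile, which is presumably intended, and the `/usr/sbin/dnsmasq` peer relies on dnsmasq being confined under a path-named profile exactly as the existing `ptrace (trace) peer=/usr/sbin/dnsmasq,` line above already does. A one-line comment stating what libvirtd signals dnsmasq for (reload and stop, if that is the case) would help whoever later considers adding a `set=` clause.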