AppArmor handling of accesses to readonly files

Fixes https://launchpad.net/bugs/453335 * src/security/virt-aa-helper.c: suppress confusing and misleading apparmor denied message when kvm/qemu tries to open a libvirt specified readonly file (such as a cdrom) with write permissions. libvirt uses the readonly attribute for the security driver only, and has no way of telling kvm/qemu that the device should be opened readonly

AppArmor handling of accesses to readonly files
Fixes https://launchpad.net/bugs/453335 * src/security/virt-aa-helper.c: suppress confusing and misleading apparmor denied message when kvm/qemu tries to open a libvirt specified readonly file (such as a cdrom) with write permissions. libvirt uses the readonly attribute for the security driver only, and has no way of telling kvm/qemu that the device should be opened readonly
d0d4b8ad · Jamie Strandboge · Daniel Veillard · dae7054b · d0d4b8ad
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

src/security/virt-aa-helper.c src/security/virt-aa-helper.c +4 -0

未找到文件。
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -755,6 +755,10 @@ vah_add_file(virBufferPtr buf, const char *path, const char *perms)
    }

    virBufferVSprintf(buf, "  \"%s\" %s,\n", tmp, perms);
+    if (readonly) {
+        virBufferVSprintf(buf, "  # don't audit writes to readonly media\n");
+        virBufferVSprintf(buf, "  deny \"%s\" w,\n", tmp);
+    }

  clean:
    free(tmp);