apparmor, virt-aa-helper: Explicit denies for host devices

Add explicit denies for disk devices to avoid cluttering dmesg with (acceptable) denials. Signed-off-by: N Christian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: N Stefan Bader <stefan.bader@canonical.com> Acked-by: N Guido Günther <agx@sigxcpu.org>

apparmor, virt-aa-helper: Explicit denies for host devices
Add explicit denies for disk devices to avoid cluttering dmesg with (acceptable) denials. Signed-off-by: N Christian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: N Stefan Bader <stefan.bader@canonical.com> Acked-by: N Guido Günther <agx@sigxcpu.org>
dd875fb3 · Felix Geyer · Guido Günther · 95740052 · dd875fb3
隐藏空白更改
内联并排

Showing with 9 addition and 0 deletion

examples/apparmor/usr.lib.libvirt.virt-aa-helper examples/apparmor/usr.lib.libvirt.virt-aa-helper +9 -0

未找到文件。
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -21,6 +21,15 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
  # for hostdev
  /sys/devices/ r,
  /sys/devices/** r,
+  deny /dev/sd* r,
+  deny /dev/vd* r,
+  deny /dev/dm-* r,
+  deny /dev/drbd[0-9]* r,
+  deny /dev/dasd* r,
+  deny /dev/nvme* r,
+  deny /dev/zd[0-9]* r,
+  deny /dev/mapper/ r,
+  deny /dev/mapper/* r,

  /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
  /{usr/,}sbin/apparmor_parser Ux,