AppArmor policy: support merged-/usr.

Acked-by: N Christian Ehrhardt <christian.ehrhardt@canonical.co>

AppArmor policy: support merged-/usr.
Acked-by: N Christian Ehrhardt <christian.ehrhardt@canonical.co>
de79efde · intrigeri · Daniel P. Berrange · e36a0e0c · de79efde · de79efde
3 changed file
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -136,12 +136,12 @@
  /usr/{lib,lib64}/qemu/block-rbd.so mr,
  # for save and resume
-  /bin/dash rmix,
+  /{usr/,}bin/dash rmix,
-  /bin/dd rmix,
+  /{usr/,}bin/dd rmix,
-  /bin/cat rmix,
+  /{usr/,}bin/cat rmix,
  # for restore
-  /bin/bash rmix,
+  /{usr/,}bin/bash rmix,
  # for usb access
  /dev/bus/usb/ r,

--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -21,7 +21,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
  /sys/devices/** r,
  /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
-  /sbin/apparmor_parser Ux,
+  /{usr/,}sbin/apparmor_parser Ux,
  /etc/apparmor.d/libvirt/* r,
  /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,

--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -47,12 +47,12 @@
  /usr/bin/* PUx,
  /usr/sbin/virtlogd pix,
  /usr/sbin/* PUx,
-  /lib/udev/scsi_id PUx,
+  /{usr/,}lib/udev/scsi_id PUx,
  /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
  /usr/{lib,lib64}/xen/bin/* Ux,
  # force the use of virt-aa-helper
-  audit deny /sbin/apparmor_parser rwxl,
+  audit deny /{usr/,}sbin/apparmor_parser rwxl,
  audit deny /etc/apparmor.d/libvirt/** wxl,
  audit deny /sys/kernel/security/apparmor/features rwxl,
  audit deny /sys/kernel/security/apparmor/matching rwxl,