Local apparmor include to tweak libvirt-qemu
Bug #1786019 reported by
Christian Ehrhardt
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Split from bug 1745114 which needs more apparmor features to complete.
The two most interesting places to tweak libvirt/qemu guest apparmor config are:
1. per guest (that is bug 1745114)
2. for all guests which is abstractions/
This might be a special case for being an abstraction, but worth a test for sure.
This is already at its third iteration.
Discussions are on IRC in #ubuntu-hardened with jdstrand and jjohansen.
The TL;DR for now is: libvirt-qemu
- we don't want the profile reload from dh_apparmor as we are an abstraction
- dh_apparmor can't work with subdirs like abstractions/
- We only need a postinst snippet to ensure an empty include file is placed
If exist includes would make this even safer (no fail if the include doesn't exist), but what isn't in apparmor yet can't be used :-/
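The postinst step described in the comment above, as an added sketch that is not the libvirt packaging code: it finds unconditional includes whose target file is missing and creates empty placeholders for those below `local/`, without overwriting existing files and without reloading any profile. The function names and the throwaway directory tree are hypothetical, and the conditional form is assumed to be written `include if exists <...>`.

```shell
#!/bin/sh
# Added example, not libvirt packaging code. All paths are caller-supplied.

# Print include targets of profile $1 that do not exist under base dir $2.
# Matches "#include <x>" and "include <x>"; a conditional
# "include if exists <x>" never matches, because its target may be absent.
missing_includes() {
    sed -n 's/^[[:space:]]*#\{0,1\}include[[:space:]]\{1,\}<\([^>]*\)>.*$/\1/p' "$1" |
    while IFS= read -r inc; do
        [ -e "$2/$inc" ] || printf '%s\n' "$inc"
    done
}

# Create an empty include file $2 below base dir $1 unless something is
# already there (file or symlink), so admin-written rules are never replaced.
ensure_local_include() {
    if [ -e "$1/$2" ] || [ -L "$1/$2" ]; then return 0; fi
    mkdir -p "$(dirname "$1/$2")"
    : > "$1/$2"
    chmod 0644 "$1/$2"
}

# Postinst-style step for profile $1 and base dir $2: create placeholders
# only for missing targets below local/, skipping any target containing "..".
# No profile reload is triggered here.
ensure_profile_local_includes() {
    missing_includes "$1" "$2" | while IFS= read -r t; do
        case $t in
            *..*) ;;
            local/*) ensure_local_include "$2" "$t" ;;
        esac
    done
}

# Constructed demo: a temporary tree standing in for the AppArmor config dir.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/abstractions"
    printf '%s\n' '  #include <local/abstractions/example>' \
        '  include if exists <local/optional>' > "$d/abstractions/example"
    missing_includes "$d/abstractions/example" "$d"
    ensure_profile_local_includes "$d/abstractions/example" "$d"
    missing_includes "$d/abstractions/example" "$d"
    rm -rf "$d"
}
demo
```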