I'm not too familiar with AppArmour, nor kvm/libvirt's security model, but I assume the whole point of virt-aa-helper is to create custom per VM apparmor profiles with domain specific file names, so *_VARS.fd is technically insecure given all guest processes could in theory write to the EFI/OVFM NVRAM image files and proper guest vs guest isolation requires the fix in virt-aa-helper.
A work-arround is to (ab)use the template file /etc/apparmor. d/libvirt/ TEMPLATE. qemu
--- libvirt- qemu> lib/libvirt/ qemu/nvram/ *_VARS. fd rw,
profile LIBVIRT_TEMPLATE {
#include <abstractions/
/var/
}
---
I'm not too familiar with AppArmour, nor kvm/libvirt's security model, but I assume the whole point of virt-aa-helper is to create custom per VM apparmor profiles with domain specific file names, so *_VARS.fd is technically insecure given all guest processes could in theory write to the EFI/OVFM NVRAM image files and proper guest vs guest isolation requires the fix in virt-aa-helper.