This is sort of safe because:
- while /tmp could contain anything it is not recommended to put critical data there anyway
- while it would be hard to predict the PID as part of the string (this is not exposed through https://libvirt.org/formatdomain.html) so that virt-aa-helper could generate it it is guarded by the "owner" statement
In fact there already is an abstraction meant for this apparmor.d/abstractions/user-tmp
# per-user tmp directories
owner @{HOME}/tmp/** rwkl,
owner @{HOME}/tmp/ rw,
This is sort of safe because: /libvirt. org/formatdomai n.html) so that virt-aa-helper could generate it it is guarded by the "owner" statement
- while /tmp could contain anything it is not recommended to put critical data there anyway
- while it would be hard to predict the PID as part of the string (this is not exposed through https:/
In fact there already is an abstraction meant for this apparmor. d/abstractions/ user-tmp
# per-user tmp directories
owner @{HOME}/tmp/** rwkl,
owner @{HOME}/tmp/ rw,
# global tmp directories
owner /var/tmp/** rwkl,
/var/tmp/ rw,
owner /tmp/** rwkl,
/tmp/ rw,
This should be perfectly fine to be added I'd think.