As I can see on my installation the following happens:
requested_mask="r::" denied_mask="r::"
but
virt-aa-helper.c:

    for (i = 0; i < ctl->def->nserials; i++)
        if (ctl->def->serials[i] && ctl->def->serials[i]->data.file.path)
            if (vah_add_file(&buf,
                             ctl->def->serials[i]->data.file.path, "w") != 0)
                goto clean;

    if (ctl->def->console && ctl->def->console->data.file.path)
        if (vah_add_file(&buf, ctl->def->console->data.file.path, "w") != 0)
            goto clean;

so apparmor profiles contain e.g. /dev/ttyS0 w, which allows writing to the file, but not reading :-/
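
The mismatch described above, as an added example that is not part of the original report or of libvirt: a small C check that takes an AppArmor denial line plus a list of profile rules and reports which denied permissions the matching rule does not grant. The audit line built around the two quoted masks, the second rule, exact-path matching, and treating ':' in the mask purely as a separator are assumptions.

```c
#include <stdio.h>
#include <string.h>

struct rule { const char *path; const char *perms; };
/* Constructed sample; only the ttyS0 rule and the masks are from the report. */
static const struct rule sample_rules[] = {
    { "/dev/ttyS0", "w" },
    { "/var/log/guest.log", "rw" },
};
static const char sample_line[] = "operation=\"open\" name=\"/dev/ttyS0\" "
                                  "requested_mask=\"r::\" denied_mask=\"r::\"";

/* Copy the value of key="value" from an audit line into out; 0 on success. */
static int audit_field(const char *line, const char *key, char out[256])
{
    char pat[64];
    snprintf(pat, sizeof(pat), "%s=\"", key);
    const char *p = strstr(line, pat);
    return (p && sscanf(p + strlen(pat), "%255[^\"]", out) == 1) ? 0 : -1;
}

/* Store in missing every denied permission that the rule for the denied path
 * (exact match, no globbing) does not grant. Returns the count, or -1. */
static int explain_denial(const struct rule *rules, size_t n, const char *line,
                          char *missing, size_t len)
{
    char path[256], mask[256];
    const char *granted = NULL;
    size_t k = 0;
    if (audit_field(line, "name", path) || audit_field(line, "denied_mask", mask))
        return -1;
    for (size_t i = 0; i < n; i++)
        if (strcmp(rules[i].path, path) == 0)
            granted = rules[i].perms;
    if (!granted) return -1;              /* no rule names this path */
    for (const char *m = mask; *m; m++)   /* assumption: ':' only separates */
        if (*m != ':' && !strchr(granted, *m) && k + 1 < len)
            missing[k++] = *m;
    missing[k] = '\0';
    return (int)k;
}

int main(void)
{
    char missing[8] = "";
    int n = explain_denial(sample_rules, 2, sample_line, missing, sizeof(missing));
    printf("rule lacks \"%s\" (%d permission(s))\n", missing, n);
    return 0;
}
```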