AppArmor handling of accesses to readonly files

Fixes https://launchpad.net/bugs/453335 * src/security/virt-aa-helper.c: suppress confusing and misleading apparmor denied message when kvm/qemu tries to open a libvirt specified readonly file (such as a cdrom) with write permissions. libvirt uses the readonly attribute for the security driver only, and has no way of telling kvm/qemu that the device should be opened readonly
author: Jamie Strandboge <jamie@canonical.com> 2009-11-13 15:25:30 +0100
committer: Daniel Veillard <veillard@redhat.com> 2009-11-13 15:32:55 +0100
commit: d0d4b8ad76d3e8a859ee90701a21a3f003a22c1f (patch)
tree: 08ab22a32a9533d34a3945a7138b3db70cf1ff3b
parent: AppArmor require absolute paths (diff)
download: libvirt-d0d4b8ad76d3e8a859ee90701a21a3f003a22c1f.tar.gz
libvirt-d0d4b8ad76d3e8a859ee90701a21a3f003a22c1f.tar.bz2
libvirt-d0d4b8ad76d3e8a859ee90701a21a3f003a22c1f.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 498979873..62f0977f5 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -755,6 +755,10 @@ vah_add_file(virBufferPtr buf, const char *path, const char *perms)
     }
 
     virBufferVSprintf(buf, "  \"%s\" %s,\n", tmp, perms);
+    if (readonly) {
+        virBufferVSprintf(buf, "  # don't audit writes to readonly media\n");
+        virBufferVSprintf(buf, "  deny \"%s\" w,\n", tmp);
+    }
 
   clean:
     free(tmp);
author	Jamie Strandboge <jamie@canonical.com>	2009-11-13 15:25:30 +0100
committer	Daniel Veillard <veillard@redhat.com>	2009-11-13 15:32:55 +0100
commit	d0d4b8ad76d3e8a859ee90701a21a3f003a22c1f (patch)
tree	08ab22a32a9533d34a3945a7138b3db70cf1ff3b
parent	AppArmor require absolute paths (diff)
download	libvirt-d0d4b8ad76d3e8a859ee90701a21a3f003a22c1f.tar.gz libvirt-d0d4b8ad76d3e8a859ee90701a21a3f003a22c1f.tar.bz2 libvirt-d0d4b8ad76d3e8a859ee90701a21a3f003a22c1f.zip