From: Sam Hartman <hartmans@debian.org>
Date: Mon, 3 Aug 2020 10:08:41 +0000 (+0200)
Subject: apparmor: allow default pki path
X-Git-Tag: v6.7.0-rc1~138
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=155d4fe3fa8b2115003973f692512a7007ab9264;p=thirdparty%2Flibvirt.git

apparmor: allow default pki path

/etc/pki/qemu is a pki path recommended by qemu tls docs [1]
and one that can cause issues with spice connections when missing.

Add the path to the allowed list of pki paths to fix the issue.

Note: this is active in Debian/Ubuntu [1] for quite a while already.

[1]: https://www.qemu.org/docs/master/system/tls.html
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930100

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
---

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 1a4b226612..2d08d6f7ad 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -94,6 +94,8 @@
   /etc/pki/CA/* r,
   /etc/pki/libvirt{,-spice,-vnc}/ r,
   /etc/pki/libvirt{,-spice,-vnc}/** r,
+  /etc/pki/qemu/ r,
+  /etc/pki/qemu/** r,
 
   # the various binaries
   /usr/bin/kvm rmix,