From: Andrea Bolognani <abologna@redhat.com>
Date: Tue, 7 Mar 2023 18:20:09 +0000 (+0100)
Subject: apparmor: Enable passt support
X-Git-Tag: v9.2.0-rc1~108
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7a39b04d683f12b9008df716d0228e553a43ffe2;p=thirdparty%2Flibvirt.git

apparmor: Enable passt support

passt provides an AppArmor abstraction that covers all the
inner details of its operation, so we can simply import that
and add the libvirt-specific parts on top: namely, passt
needs to be able to create a socket and pid file, while
the libvirt daemon needs to be able to kill passt.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
---

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 9af1333b22..44056b5f14 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -185,6 +185,21 @@
   /usr/{lib,lib64}/libswtpm_libtpms.so mr,
   /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
 
+  # support for passt network back-end
+  /usr/bin/passt Cx -> passt,
+
+  profile passt {
+    /usr/bin/passt r,
+
+    signal (receive) set=("term") peer=/usr/sbin/libvirtd,
+    signal (receive) set=("term") peer=libvirtd,
+    signal (receive) set=("term") peer=virtqemud,
+
+    owner /{,var/}run/libvirt/qemu/passt/* rw,
+
+    include if exists <abstractions/passt>
+  }
+
   # for save and resume
   /{usr/,}bin/dash rmix,
   /{usr/,}bin/dd rmix,