From: Jamie Strandboge Date: Fri, 13 Nov 2009 14:25:30 +0000 (+0100) Subject: AppArmor handling of accesses to readonly files X-Git-Tag: v0.7.3~34 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d0d4b8ad76d3e8a859ee90701a21a3f003a22c1f;p=thirdparty%2Flibvirt.git AppArmor handling of accesses to readonly files Fixes https://launchpad.net/bugs/453335 * src/security/virt-aa-helper.c: suppress confusing and misleading apparmor denied message when kvm/qemu tries to open a libvirt specified readonly file (such as a cdrom) with write permissions. libvirt uses the readonly attribute for the security driver only, and has no way of telling kvm/qemu that the device should be opened readonly --- diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 4989798734..62f0977f5d 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -755,6 +755,10 @@ vah_add_file(virBufferPtr buf, const char *path, const char *perms) } virBufferVSprintf(buf, " \"%s\" %s,\n", tmp, perms); + if (readonly) { + virBufferVSprintf(buf, " # don't audit writes to readonly media\n"); + virBufferVSprintf(buf, " deny \"%s\" w,\n", tmp); + } clean: free(tmp);
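Review bot: `readonly` is tested in the new `if (readonly)` block but is neither a parameter of `vah_add_file(virBufferPtr buf, const char *path, const char *perms)` nor declared anywhere in the visible context, so the hunk relies on a local set earlier in the function that this diff does not show; please confirm it is derived from `perms` (true only when `perms` contains no `w`), because the generated `deny "%s" w,` line overrides the preceding `"%s" %s,` allow line (AppArmor gives deny rules precedence), and a mismatch would silently revoke a write permission the allow line had just granted. The emitted profile comment `# don't audit writes to readonly media` is accurate only because AppArmor `deny` rules are quiet unless prefixed with `audit`; saying so in the C source comment would spare the next reader a lookup. Worth stating in the commit message as well: every write denial on that path is now suppressed, including one that would indicate a compromised qemu trying to modify a cdrom image, so this trades audit visibility for removing the noise described in the bug, which is a reasonable choice but should be a conscious one.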