From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Date: Fri, 7 Aug 2020 07:05:04 +0000 (+0200)
Subject: apparmor: allow unmounting .dev entries
X-Git-Tag: v6.7.0-rc1~124
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d61d8206f3f40fadbd0ed52f9480f8ae0fc9b6ff;p=thirdparty%2Flibvirt.git

apparmor: allow unmounting .dev entries

With qemu 5.0 and libvirt 6.6 there are new apparmor denials:
  apparmor="DENIED" operation="umount" profile="libvirtd"
  name="/run/libvirt/qemu/1-kvmguest-groovy-norm.dev/" comm="rpc-worker"

These are related to new issues around devmapper handling [1] and the
error path triggered by these issues now causes this new denial.

There are already related rules for mounting and it seems right to
allow also the related umount.

[1]: https://www.redhat.com/archives/libvir-list/2020-August/msg00236.html

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
---

diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index 312fa4b6d1..4518e8f865 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -31,6 +31,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
 
   mount options=(rw,rslave)  -> /,
   mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
+  umount /{var/,}run/libvirt/qemu/*.dev/,
 
   # libvirt provides any mounts under /dev to qemu namespaces
   mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,