From: Felix Geyer <fgeyer@debian.org>
Date: Thu, 18 May 2017 08:53:43 +0000 (+0200)
Subject: apparmor, virt-aa-helper: Explicit denies for host devices
X-Git-Tag: v3.4.0-rc1~51
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd875fb326ecb0dcd3b99da22b0737c5759b7ade;p=thirdparty%2Flibvirt.git

apparmor, virt-aa-helper: Explicit denies for host devices

Add explicit denies for disk devices to avoid cluttering dmesg with
(acceptable) denials.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Guido Günther <agx@sigxcpu.org>
---

diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index ee53c2c12a..012080c676 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -21,6 +21,15 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
   # for hostdev
   /sys/devices/ r,
   /sys/devices/** r,
+  deny /dev/sd* r,
+  deny /dev/vd* r,
+  deny /dev/dm-* r,
+  deny /dev/drbd[0-9]* r,
+  deny /dev/dasd* r,
+  deny /dev/nvme* r,
+  deny /dev/zd[0-9]* r,
+  deny /dev/mapper/ r,
+  deny /dev/mapper/* r,
 
   /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
   /{usr/,}sbin/apparmor_parser Ux,