Hi Pascal, thanks for finding all the references - interesting read. Long story short: the default AppArmor profile tries to allow you things that are safe and common. If you want it to allow more, you'd have to extend the profile, e.g. the abstraction in /etc/apparmor.d/libvirt-qemu. What you add there is allowed to all guests.
The base profile already has a /dev/shm rule, but it has no subdir/subfiles and already has a comment to disable it if you like security.

  # WARNING: this gives the guest direct access to host hardware and specific
  # portions of shared memory. This is required for sound using ALSA with kvm,
  # but may constitute a security risk. If your environment does not require
  # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
  # the rules for files in /dev.
  /{dev,run}/shm r,
  /{dev,run}/shmpulse-shm* r,
  /{dev,run}/shmpulse-shm* rwk,

  # spice
  owner /{dev,run}/shm/spice.* rw,

Therefore adding further /dev/shm/** is unlikely as a default, but ok for people who set things up to use it. Maybe in this particular case that addon should provide scripting or a hint at least to do that?

-- 
https://bugs.launchpad.net/bugs/1786677
Title: [bionic] [libvirt-daemon-system] Missing AppArmor configuration file(s)
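
Added example, not part of the original message or of libvirt: a small Python check that lists what a profile or abstraction grants under /dev/shm and /run/shm and flags rules that open the whole directory for writing to every guest. The sample text is constructed from the rules quoted above plus a hypothetical /dev/shm/** line, and the function names are illustrative.

```python
import re

# Constructed sample: the /dev/shm rules quoted in the message above, plus one
# hypothetical local addition of the broad kind the message discusses.
SAMPLE_PROFILE = """\
  # the rules for files in /dev.
  /{dev,run}/shm r,
  /{dev,run}/shmpulse-shm* r,
  /{dev,run}/shmpulse-shm* rwk,
  owner /{dev,run}/shm/spice.* rw,
  /dev/shm/** rw,
"""

# Optional qualifiers, a path pattern, a permission string, a trailing comma.
RULE = re.compile(r"^\s*((?:(?:audit|deny|owner)\s+)*)(/\S*)\s+([a-zA-Z]+),\s*$")
WHOLE_DIR = re.compile(r"^/(?:dev|run)/shm/\*{1,2}$")  # /dev/shm/* or /dev/shm/**


def expand(path):
    """Expand AppArmor {a,b} alternations into concrete path patterns."""
    m = re.search(r"\{([^{}]*)\}", path)
    if not m:
        return [path]
    return [p for alt in m.group(1).split(",")
            for p in expand(path[:m.start()] + alt + path[m.end():])]


def shm_rules(profile_text):
    """Yield (pattern, perms, owner_only) for allow rules starting with /dev/shm or /run/shm."""
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if not m or "deny" in m.group(1).split():
            continue  # comments, non-file rules and deny rules grant nothing
        for pattern in expand(m.group(2)):
            if re.match(r"^/(?:dev|run)/shm", pattern):
                yield pattern, m.group(3), "owner" in m.group(1).split()


def broad_writable(profile_text):
    """Patterns giving write access to the whole shm directory, not limited to owned files."""
    return [p for p, perms, owner in shm_rules(profile_text)
            if WHOLE_DIR.match(p) and "w" in perms and not owner]


if __name__ == "__main__":
    for pattern, perms, owner in shm_rules(SAMPLE_PROFILE):
        print(f"{'owner ' if owner else ''}{pattern} {perms}")
    print("broad:", broad_writable(SAMPLE_PROFILE))
```

Run against the quoted rules alone, nothing is flagged; only the hypothetical /dev/shm/** line is reported.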