Verified Commit dd2d1a9e authored by Christian Ehrhardt

Drop d/p/apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch

The abstraction brings too much permissions, see discussion when
upstreaming the change:
https://www.redhat.com/archives/libvir-list/2020-August/msg00099.html
(To me) with libvirt >=6.0 (actually even with the old versions, maybe
kernel dependent) this isn't reproducible anymore. We should drop the
rule and once anyone can reproduce it again we can try if we either
want to go with:

  # virt-aa-helper dependent libraries read (and if successful, other
  # files) this but virt-aa-helper itself doesn't require the access,
  # so silence the denial.
  deny /etc/nsswitch.conf r,

Or allowing a very reduced set (Ubuntu had that for a short while):

  # virt-aa-helper dependent libraries might read nss info, but do not
  # need full nameservice access.
  /etc/gai.conf r,
  /etc/hosts r,
  /etc/host.conf r,
  /etc/nsswitch.conf r,

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
parent ceab4030