fixes

2023-02-20 21:01:05 +00:00 · 2023-02-20 21:01:05 +00:00 · d18e012f9e
commit d18e012f9e
parent a873af1f26
5 changed files with 5 additions and 4 deletions
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@ -72,7 +72,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
  dbus send bus=session path=/org/a11y/bus
       interface=org.a11y.Bus
       member=GetAddress
-       peer=(name=org.a11y.Bus, label="{at-spi-bus-launcher,unconfined}"),
+       peer=(name=org.a11y.Bus, label=at-spi-bus-launcher),

  dbus receive bus=session path=/
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@ -66,7 +66,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {

  dbus receive bus=session path=/org/freedesktop/Tracker3/Miner/**
       interface=org.freedesktop.Tracker3.Miner
-       peer=(name=:*, label=tracker-extract),
+       peer=(name=:*, label=tracker-extract), # all members

  dbus receive bus=session path=/{,org}
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/virt/virtiofsd
+++ b/apparmor.d/groups/virt/virtiofsd
@ -0,0 +1,47 @@
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{LOCAL_SHARED_DIRS} = /var/lib/libvirt/shared
+include if exists <local/tunables/virtiofsd>
+
+@{exec_path} = /{,usr/}lib/qemu/virtiofsd
+profile virtiofsd @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+
+  capability setgid,
+  capability setuid,
+  capability fowner,
+  capability fsetid,
+  capability sys_resource,
+  capability sys_admin,
+  capability setpcap,
+  capability dac_read_search,
+  capability dac_override,
+  capability chown,
+
+  unix (send, receive) type=stream peer=(addr=none, label=libvirt-@{uuid}),
+
+  mount options=(rw, rslave) -> /,
+  umount /,
+  mount options=(rw, nosuid, nodev, noexec, relatime) -> @{PROC},
+  mount options=(rw, bind) @{PROC}/1/fd/ -> @{PROC},
+
+  @{exec_path} r,
+
+  @{PROC}/sys/fs/file-max r,
+
+  owner @{run}/libvirt/qemu/*.pid rw,
+
+  /var/lib/libvirt/qemu/*/fs[0-9]*-fs.sock rw,
+
+  # shared folders
+  mount options=(rw, rbind) -> @{LOCAL_SHARED_DIRS}/,
+  pivot_root @{LOCAL_SHARED_DIRS}/,
+  @{LOCAL_SHARED_DIRS}/ r,
+
+  include if exists <local/virtiofsd>
+}