Ubuntu
libvirt package

  1. Bug #1483071
  2. Comment #21

Comment 21 for bug 1483071

Revision history for this message
Jean-Pierre van Riel (jpvr) wrote :

A work-arround is to (ab)use the template file /etc/apparmor.d/libvirt/TEMPLATE.qemu

---
profile LIBVIRT_TEMPLATE {
  #include <abstractions/libvirt-qemu>
  /var/lib/libvirt/qemu/nvram/*_VARS.fd rw,
}
---

I'm not too familiar with AppArmour, nor kvm/libvirt's security model, but I assume the whole point of virt-aa-helper is to create custom per VM apparmor profiles with domain specific file names, so *_VARS.fd is technically insecure given all guest processes could in theory write to the EFI/OVFM NVRAM image files and proper guest vs guest isolation requires the fix in virt-aa-helper.