Merge pull request #1007 from stgraber/apparmor

incusd/apparmor/qemu: Relax apparmor rules a bit
lxc · Jul 17, 2024 · cb07550 · cb07550
2 parents c0a4672 + 56e6c1a
commit cb07550
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/internal/server/apparmor/instance_qemu.go b/internal/server/apparmor/instance_qemu.go
@@ -30,7 +30,9 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
   /etc/ceph/**                              r,
   /etc/machine-id                           r,
   /run/udev/data/*                          r,
-  /proc/sys/vm/max_map_count                r,
+  ${PROC}/sys/vm/max_map_count              r,
+  ${PROC}/@{pid}/cpuset                     r,
+  ${PROC}/@{pid}/task/*/comm                rw,
   /sys/bus/                                 r,
   /sys/bus/nd/devices/                      r,
   /sys/bus/usb/devices/                     r,
@@ -44,8 +46,6 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
 {{- end }}
   /usr/share/qemu/**                        kr,
   /usr/share/seabios/**                     kr,
-  owner @{PROC}/@{pid}/cpuset               r,
-  owner @{PROC}/@{pid}/task/@{tid}/comm     rw,
   /etc/nsswitch.conf         r,
   /etc/passwd                r,
   /etc/group                 r,