Merge abstractions/nameservice: tighten libnss_libvirt file access

Limit access to \*.status files located in /var/lib/libvirt/dnsmasq/ as opposed to every file in the same directory. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1379 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: John Johansen <john@jjmx.net>
2025-08-30 05:47:59 +00:00 · 2024-10-16 18:24:04 +00:00 · 2024-10-16 18:24:04 +00:00 · e23633ff0e
commit e23633ff0e
parent 6d20a10606 5be4295b5a
1 changed files with 2 additions and 1 deletions
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@ -63,7 +63,8 @@
  @{run}/nscd/db*  rmix,

  # make libnss-libvirt name resolution work.
-  /var/lib/libvirt/dnsmasq/*  r,
+  /var/lib/libvirt/dnsmasq/  r,
+  /var/lib/libvirt/dnsmasq/*.status  r,

  # The nss libraries are sometimes used in addition to PAM; make sure
  # they are available