From 07c74ed0c25d9ccd64074aa9d30263f8493992cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?=
Date: Tue, 23 Jan 2024 15:15:26 -0500
Subject: [PATCH] incusd/apparmor/qemu: Allow access to agent path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber
---
 internal/server/apparmor/instance.go | 9 +++++++++
 internal/server/apparmor/instance_qemu.go | 5 +++++
 2 files changed, 14 insertions(+)

diff --git a/internal/server/apparmor/instance.go b/internal/server/apparmor/instance.go
index 128ce7d9870..9593372a8e2 100644
--- a/internal/server/apparmor/instance.go
+++ b/internal/server/apparmor/instance.go
@@ -200,6 +200,14 @@ func instanceProfile(sysOS *sys.OS, inst instance, extraBinaries []string) (stri
 		return "", err
 	}
 
+	agentPath := ""
+	if os.Getenv("INCUS_AGENT_PATH") != "" {
+		agentPath, err = filepath.EvalSymlinks(os.Getenv("INCUS_AGENT_PATH"))
+		if err != nil {
+			return "", err
+		}
+	}
+
 	execPath := localUtil.GetExecPath()
 	execPathFull, err := filepath.EvalSymlinks(execPath)
 	if err == nil {
@@ -217,6 +225,7 @@ func instanceProfile(sysOS *sys.OS, inst instance, extraBinaries []string) (stri
 		"path": path,
 		"raw": rawContent,
 		"ovmfPath": ovmfPath,
+		"agentPath": agentPath,
 	})
 	if err != nil {
 		return "", err
diff --git a/internal/server/apparmor/instance_qemu.go b/internal/server/apparmor/instance_qemu.go
index e4033acbc85..570b7142702 100644
--- a/internal/server/apparmor/instance_qemu.go
+++ b/internal/server/apparmor/instance_qemu.go
@@ -72,6 +72,11 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
   deny /sys/module/apparmor/parameters/enabled r,
   deny /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 
+{{if .agentPath -}}
+  {{ .agentPath }}/ r,
+  {{ .agentPath }}/* r,
+{{- end }}
+
 {{if .libraryPath -}}
   # Entries from LD_LIBRARY_PATH
 {{range $index, $element := .libraryPath}}
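Review bot: The resolved `agentPath` ends up verbatim in an AppArmor file rule, but the new block in instance.go never ensures it is absolute: `filepath.EvalSymlinks` leaves a relative input relative to the daemon's working directory, so an `INCUS_AGENT_PATH` such as `agent` yields a rule with no leading slash, which apparmor_parser rejects (file rules must be absolute) and every VM start then fails at profile load. Normalising first is a small change: `agentPath, err = filepath.Abs(os.Getenv("INCUS_AGENT_PATH"))`, check `err`, then `agentPath, err = filepath.EvalSymlinks(agentPath)`. Reading the variable once into a local would also remove the duplicated `os.Getenv` call. Because the value comes from incusd's own environment it is trusted deployment configuration rather than user input, so failing the profile build on a bad path is the right direction — the point is to fail with a clear error rather than a parser failure. The enclosing `instanceProfile` starts and ends outside the hunk.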
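Review bot: The two new rules in instance_qemu.go insert `.agentPath` unquoted and unescaped, so a directory containing whitespace or AppArmor metacharacters (`*`, `?`, `[`, `{`, `,`) either fails to parse or silently widens the grant — a path like `/opt/{a,b}/agent` would be read as an alternation matching both. The neighbouring `libraryPath` entries appear to use the same unquoted form (the rest of the template is outside the hunk), so this is consistent with the file, but the assumption is worth recording next to the new block: `# .agentPath is inserted verbatim: it must be an absolute path with no spaces or AppArmor glob characters`. Note also that `{{ .agentPath }}/* r,` covers only direct children, not nested directories, which is fine if the agent directory is flat but should be intentional. Since whoever controls incusd's environment can point this at any directory and thereby give the confined QEMU process read access to it, a line in the documentation for `INCUS_AGENT_PATH` saying that its contents become readable by every VM process would help operators.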