[libvirt] [PATCH 0/4] AppArmor updates

Jamie Strandboge jamie at canonical.com
Thu Nov 12 17:47:38 UTC 2009


The following patchset contains various cleanups for the AppArmor
driver. It assumes that the patch contained in the email with the
following subject is already applied:

[libvirt] [PATCH] fix virt-aa-helper failure when host arch and os.type arch are different

This patch was ACKed but never applied. When committing that patch,
please also chmod 755 ./tests/virt-aa-helper-test.

Adds pulseaudio, alsa and preliminary save/restore to the example
apparmor abstraction. Also allows libvirtd access to inet dgram, inet6
dgram, inet6 stream and /usr/lib/libvirt/*.

Require an absolute path for dynamically added files. This is required by
AppArmor and conveniently prevents adding tcp consoles to the profile.
This fixes https://launchpad.net/bugs/460271.

Suppress confusing and misleading apparmor denied message when kvm/qemu
tries to open a libvirt specified readonly file (such as a cdrom) with
write permissions. libvirt uses the readonly attribute for the security
driver only, and has no way of telling kvm/qemu that the device should
be opened readonly. This fixes https://launchpad.net/bugs/453335.

Implements all changes requested by DV except for getting rid of
readlink(). I can't use virFileResolveLink() because it lstat()s the
file and uses st.st_size to create a buffer. Unfortunately, running
lstat() on /proc/self/exe results in st.st_size being 0.

The changes pass 'syntax-check'. secaatest and virt-aa-helper-test both
pass (there are several problems in the test suite causing 'make check'
to fail. These are all unrelated to these patches).


Jamie Strandboge             | http://www.canonical.com
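The two profile-generation points in the cover letter (dynamically added paths must be absolute, and a libvirt read-only device should not produce a misleading AppArmor denial when qemu opens it for writing) as an added, stand-alone illustration. This is not virt-aa-helper or any other libvirt code: the GuestFile type, the apparmor_file_rules function and the sample device list are assumptions made for this example, and the quiet `deny ... w,` rule is one way of silencing the denial (AppArmor does not audit plain deny rules by default), not necessarily what the patchset does.

```python
"""Build AppArmor file rules for guest devices (added illustration, not libvirt code).

Assumed model: each guest file has the path from the domain XML and libvirt's
<readonly/> flag. Non-absolute entries (such as a "tcp:host:port" console
spec) are rejected, because AppArmor file rules need absolute paths.
"""
import os
from typing import Callable, Iterable, List, NamedTuple, Tuple


class GuestFile(NamedTuple):
    path: str       # path as it appears in the domain XML (hypothetical model)
    readonly: bool  # libvirt's <readonly/> attribute; only the security driver sees it


def apparmor_file_rules(files: Iterable[GuestFile],
                        resolve: Callable[[str], str] = os.path.realpath
                        ) -> Tuple[List[str], List[str]]:
    """Return (profile rule lines, rejected non-absolute entries).

    `resolve` maps a configured path to the path AppArmor will actually see;
    symlinked disk images must be resolved, as AppArmor matches the real path.
    """
    rules: List[str] = []
    rejected: List[str] = []
    for f in files:
        if not os.path.isabs(f.path):
            # Required by AppArmor; as a side effect this keeps console
            # specifications like "tcp:127.0.0.1:4444" out of the profile.
            rejected.append(f.path)
            continue
        target = resolve(f.path)
        if f.readonly:
            rules.append(f'  "{target}" r,')
            # qemu may still open the device O_RDWR. Without this rule the
            # write side is refused AND logged as a denial; a plain deny rule
            # refuses it quietly, so the log does not suggest a broken profile.
            rules.append(f'  deny "{target}" w,')
        else:
            rules.append(f'  "{target}" rw,')
    return rules, rejected


# Constructed sample input: one disk, one read-only cdrom, one tcp console.
SAMPLE_FILES = [
    GuestFile("/var/lib/libvirt/images/guest.img", readonly=False),
    GuestFile("/var/lib/libvirt/images/install.iso", readonly=True),
    GuestFile("tcp:127.0.0.1:4444", readonly=False),
]


def render_profile_fragment(files: Iterable[GuestFile] = SAMPLE_FILES) -> str:
    """Render the rules as they would sit inside a per-guest profile body."""
    # Identity resolver: the sample paths do not exist on this host.
    rules, rejected = apparmor_file_rules(files, resolve=lambda p: p)
    out = list(rules)
    for r in rejected:
        out.append(f"  # skipped non-absolute path: {r}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_profile_fragment())
```

Run it to see the three generated lines for the two file-backed devices and the comment for the skipped console entry; the deny line only appears for devices libvirt marks read-only.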