[libvirt] [PATCH 0/4] AppArmor updates

Daniel Veillard veillard at redhat.com
Fri Nov 13 14:35:47 UTC 2009


On Thu, Nov 12, 2009 at 11:47:38AM -0600, Jamie Strandboge wrote:
> Hi,
> 
> The following patchset contains various cleanups for the AppArmor
> driver. It assumes that the patch contained in the email with the
> following subject is already applied:
> 
> [libvirt] [PATCH] fix virt-aa-helper failure when host arch and os.type arch are different
> 
> This patch was ACKed but never applied. When committing that patch,
> please also chmod 755 ./tests/virt-aa-helper-test.

  done,

> 1_aa_profile_updates.patch:
> Adds pulseaudio, alsa and preliminary save/restore to the example
> apparmor abstraction. Also allows libvirtd access to inet dgram, inet6
> dgram, inet6 stream and /usr/lib/libvirt/*.
> 
> 2_aa_require_absolute_path.patch:
> Require absolute path for dynamic added files. This is required by
> AppArmor and conveniently prevents adding tcp consoles to the profile.
> This fixes https://launchpad.net/bugs/460271.
> 
> 3_aa_deny_write_to_readonly.patch:
> Suppress confusing and misleading apparmor denied message when kvm/qemu
> tries to open a libvirt specified readonly file (such as a cdrom) with
> write permissions. libvirt uses the readonly attribute for the security
> driver only, and has no way of telling kvm/qemu that the device should
> be opened readonly. This fixes https://launchpad.net/bugs/453335.
> 
> 4_aa_driver_cleanups.patch:
> Implements all changes requested by DV except for getting rid of
> readlink(). I can't use virFileResolveLink() because it lstat()s the
> file and uses st.st_size to create a buffer. Unfortunately, running
> lstat() on /proc/self/exe results in st.st_size to be 0.

  Okay, not a big deal, fixes all look fine, I applied and pushed them !

> The changes pass 'syntax-check'. secaatest and virt-aa-helper-test both
> pass (there are several problems in the test suite causing 'make check'
> to fail. These are all unrelated to these patches).

  Hum, make check works for me, but I don't have apparmor to test

   thanks !

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel at veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/
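Added example (not libvirt code, and not from either poster) illustrating the readlink() point in patch 4 and the absolute-path rule in patch 2: lstat() on /proc/self/exe reports st_size 0, so a buffer sized from st_size (as virFileResolveLink() does) cannot hold the target, whereas a readlink() loop that grows its buffer until the result fits works for any link. The function names and the 64 KiB upper bound are choices made for this example.

```c
/* Added example, not part of libvirt: resolve a symlink without trusting
 * lstat()'s st_size, which is 0 for /proc/self/exe on Linux. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns st_size from lstat(), or -1 on error. For an ordinary symlink this
 * is the target length; for /proc/self/exe it is 0, so sizing a buffer from
 * it (the virFileResolveLink() approach) yields an empty buffer. */
long link_size_hint(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return (long)st.st_size;
}

/* Resolve one level of symlink with readlink(), doubling the buffer until
 * the target fits with room for a terminating NUL. On success *out is a
 * malloc'd string and 0 is returned; on failure -1 is returned with errno set. */
int resolve_link_grow(const char *path, char **out)
{
    size_t size = 64;            /* starting size chosen for this example */
    *out = NULL;
    for (;;) {
        char *buf = malloc(size);
        if (!buf)
            return -1;
        ssize_t n = readlink(path, buf, size);
        if (n < 0) {
            int saved = errno;
            free(buf);
            errno = saved;
            return -1;
        }
        if ((size_t)n < size) {  /* readlink returned fewer bytes than the buffer: complete */
            buf[n] = '\0';
            *out = buf;
            return 0;
        }
        free(buf);               /* n == size means it may have been truncated: retry */
        if (size > 65536) {      /* sanity bound, an assumption of this example */
            errno = ENAMETOOLONG;
            return -1;
        }
        size *= 2;
    }
}

/* AppArmor profile rules need absolute paths (patch 2 in this thread); a
 * console target like "tcp:..." is rejected by this test. */
int is_absolute_path(const char *path)
{
    return path != NULL && path[0] == '/';
}

int main(void)
{
    char *target = NULL;
    if (resolve_link_grow("/proc/self/exe", &target) == 0) {
        printf("lstat size hint: %ld, readlink result: %s\n",
               link_size_hint("/proc/self/exe"), target);
        free(target);
    } else {
        perror("readlink");
    }
    return 0;
}
```

Run on Linux, main() prints a size hint of 0 next to the full path of the running binary, which is exactly the mismatch the patch author describes.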
