[libvirt] [PATCH 1/3] Fix apparmor issues for Xen

Cedric Bosdonnat cbosdonnat at suse.com
Tue Jan 20 08:06:20 UTC 2015


On Mon, 2015-01-19 at 18:25 -0700, Mike Latimer wrote:
> In order for apparmor to work properly in Xen environments, the following
> access rights need to be allowed:
> 
>  - Allow CAP_SYS_PACCT, which is required when resetting some multi-port
>    Broadcom cards by writing to the PCI config space
> 
>  - Allow CAP_IPC_LOCK, which is required to lock/unlock memory. Without
>    this setting, an error 'Resource temporarily unavailable' can be seen
>    while attempting to mmap memory. At the same time, the following
>    apparmor message is seen:
> 
>    apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd"
>    pid=2097 comm="libvirtd" pid=2097 comm="libvirtd" capability=14
>    capname="ipc_lock"
> 
>  - Allow access to distribution specific directories:
>      /usr/{lib,lib64}/xen/bin
> 
> ---
>  examples/apparmor/usr.sbin.libvirtd | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> index 7151052..9917836 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -13,6 +13,7 @@
>    capability sys_admin,
>    capability sys_module,
>    capability sys_ptrace,
> +  capability sys_pacct,
>    capability sys_nice,
>    capability sys_chroot,
>    capability setuid,
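Review bot: the new `capability sys_pacct,` line carries no comment explaining why it is needed, although the commit message ties it to resetting multi-port Broadcom cards through PCI config space writes, which is not what CAP_SYS_PACCT (process accounting, acct(2)) normally governs. Since the profile already documents unusual grants with an inline comment (`# Needed for vfio` in the next hunk), consider adding a similar one here, e.g. `# Needed by Xen to reset some multi-port Broadcom cards`, so the rationale survives in the profile itself.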
> @@ -24,6 +25,7 @@
>    capability mknod,
>    capability fsetid,
>    capability audit_write,
> +  capability ipc_lock,
>  
>    # Needed for vfio
>    capability sys_resource,
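Review bot: `capability ipc_lock,` is appended just before the `# Needed for vfio` block with no comment of its own, so a later reader cannot tell it belongs to the Xen mmap/mlock case described in the commit message rather than to vfio. Suggest a one-line comment above it (e.g. `# Needed by Xen to lock/unlock memory`), matching the existing convention in this file, and keeping a blank line between it and the vfio group.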
> @@ -45,6 +47,7 @@
>    /usr/sbin/* PUx,
>    /lib/udev/scsi_id PUx,
>    /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
> +  /usr/{lib,lib64}/xen/bin/* Ux,
>  
>    # force the use of virt-aa-helper
>    audit deny /sbin/apparmor_parser rwxl,
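Review bot: the new rule `/usr/{lib,lib64}/xen/bin/* Ux,` uses `Ux` (always run unconfined), whereas the neighbouring `/usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,` and `/usr/sbin/* PUx,` use `PUx`, which transitions into a dedicated profile when one exists and only falls back to unconfined otherwise. Unless there is a reason the Xen helpers must never be confined, `PUx` would be consistent with the rest of the profile and leaves room for per-binary profiles later; if `Ux` is intentional, a short comment saying why would help.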

ACK