[libvirt] [PATCH 05/12] apparmor, libvirt-qemu: Allow qemu-block-extra libraries

Jamie Strandboge jamie at canonical.com
Tue Dec 19 16:09:55 UTC 2017


On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote:
> From: Jamie Strandboge <jamie at ubuntu.com>
> 
> Allows (multi-arch enabled) access to libraries under the
> /usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu
> qemu-block-extra package.
> 
> Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554761
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> ---
>  examples/apparmor/libvirt-qemu | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/examples/apparmor/libvirt-qemu
> b/examples/apparmor/libvirt-qemu
> index 91d0e02..912b4ac 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -161,6 +161,9 @@
>    /usr/{lib,lib64}/qemu/block-curl.so mr,
>    /usr/{lib,lib64}/qemu/block-rbd.so mr,
>  
> +  # for Debian/Ubuntu qemu-block-extra (LP: #1554761)
> +  /usr/lib/@{multiarch}/qemu/*.so rm,
> +
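Review bot: the new rule `/usr/lib/@{multiarch}/qemu/*.so rm,` depends on the `@{multiarch}` variable being declared by whatever profile includes this abstraction (the tunables/global include on Debian/Ubuntu); apparmor_parser rejects a profile that references an undeclared variable rather than ignoring the rule, so the comment above the rule should state that dependency, or the variable should be guarded in the abstraction itself. Separately, the permission string is written `rm` while the two rules in the context lines use `mr`; the parser treats them identically, so pick the existing `mr` spelling for consistency.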

+1 as is (though s/rm/mr/ for consistency), but on my system I see
block-curl.so, block-iscsi.so and block-rbd.so. I think it probably
makes sense to adjust this rule block to simply be:

/usr/{lib,lib64}/qemu/*.so mr,
/usr/lib/@{multiarch}/qemu/*.so mr,

I.e., rather than limiting the libraries that qemu can mmap that are in
its system library directory, allow qemu access to all of them and then
mediate the accesses those libraries need in policy.

-- 
Jamie Strandboge             | http://www.canonical.com

