[libvirt] [PATCH 02/12] apparmor, libvirt-qemu: Silence lttng related deny messages

intrigeri intrigeri+libvirt at boum.org
Wed Dec 20 09:30:14 UTC 2017


Christian Ehrhardt:
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -191,3 +191,7 @@
>    /sys/devices/system/node/ r,
>    /sys/devices/system/node/node[0-9]*/meminfo r,
>    /sys/module/vhost/parameters/max_mem_regions r,
> +
> +  # silence refusals to open lttng files (see LP: #1432644)
> +  deny /dev/shm/lttng-ust-wait-* r,
> +  deny /run/shm/lttng-ust-wait-* r,

In principle this looks OK to me but I wonder if this is the sweet
spot regarding admin UX.

I've skimmed over the Ubuntu bug report but found it confusing as it
mixes breakage caused by the fact we deny such access (which
apparently does not happen anymore otherwise you would not be
proposing these deny rules) with log flooding issues (that will be
fixed by the proposed rules).

So I'm afraid I need to ask an executive summary :)
Under which circumstances do we log these denials?

I'd like to make sure we're not creating the following situation:

 - In most practical cases we don't even try to access these files, so
   don't log denials, and then these rules are not useful.

 - In the rare(r) case when the admin actually enables LTT-ng
   debugging, with these added rules it'll be hard to discover why it
   does not work.

Thanks in advance!


More information about the libvir-list mailing list