[libvirt] [PATCH 08/10] apparmor, libvirt-qemu: Allow macvtap access

Christian Ehrhardt christian.ehrhardt at canonical.com
Wed Jun 7 16:59:52 UTC 2017


On Fri, Jun 2, 2017 at 12:55 PM, Guido Günther <agx at sigxcpu.org> wrote:

> Shouldn't this only be added when macvtap is in use?
> Cheers,
>  -- Guido
>

Right again - as the ceph change this is part of a category of rules where
in a perfect world we would write virt-aa-helper code for each of them.

In this particular case allowing that in general might be less safe, so I
agree to lean towards virt-aa-helper if possible.
OTOH I'm not sure virt-aa-helper can easily detect that from the guest
context that it has access to, it might need to reach out to the network
config and I'm not sure if we have a case doing that already one could
easily build on implementing this.
If(f) that is done - and working it might be down to knowing the exact tap
device and only add that.

That said if one is willing to consider this patch as-is that would be
great until implemented more granularly via virt-aa-helper - but otherwise
please let me know - I'll then add it to a bunch of issues of the category
"needs to be done in virt-aa-helper" which I already track.


-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
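To make the trade-off in the reply concrete, here is an added illustration that is not part of the patch or of this thread: the blanket rule that would live in the shared libvirt-qemu abstraction, beside the narrower per-guest rule that virt-aa-helper could emit if it learned the exact macvtap device. The `/dev/tap*` pattern, the device index `12` and the `GUEST_UUID` placeholder are assumptions for illustration, not values taken from the patch.

```apparmor
# Added illustration, not the patch under review.

# Option 1: a blanket rule in the shared abstraction
# (/etc/apparmor.d/abstractions/libvirt-qemu). Every guest profile includes
# this file, so every guest gains read/write access to every macvtap node,
# whether or not it uses macvtap. (Pattern assumed for illustration.)
  /dev/tap* rw,

# Option 2: a per-guest rule written by virt-aa-helper into the generated
# profile (/etc/apparmor.d/libvirt/libvirt-<GUEST_UUID>.files), emitted only
# for guests that actually have a macvtap interface and limited to the
# device node resolved for that interface. The index 12 is a placeholder.
  "/dev/tap12" rw,
```

The second form is what the reply means by "knowing the exact tap device and only add that": the rule is scoped to one node and present only in the profiles of guests that need it, which is the least-privilege outcome, at the cost of virt-aa-helper having to resolve the interface to its device at profile-generation time.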