[libvirt] [PATCH 1/4] apparmor: allow openGraphicsFD for virt manager >1.4

Jamie Strandboge jamie at canonical.com
Mon Aug 13 16:53:41 UTC 2018


On Mon, 2018-08-13 at 16:39 +0200, Christian Ehrhardt wrote:
> virt-manager's UI connection will need socket access for
> openGraphicsFD
> to work - otherwise users will face a failed connection error when
> opening the UI view.
> 
> Depending on the exact versions of libvirt and qemu involved this
> needs
> either a rule from qemu to libvirt or vice versa.
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> ---
>  examples/apparmor/libvirt-qemu      | 3 +++
>  examples/apparmor/usr.sbin.libvirtd | 5 +++++
>  2 files changed, 8 insertions(+)
> 
> diff --git a/examples/apparmor/libvirt-qemu
> b/examples/apparmor/libvirt-qemu
> index df5f512487..5caf14e418 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -188,6 +188,9 @@
>    @{PROC}/device-tree/** r,
>    /sys/firmware/devicetree/** r,
>  
> +  # allow connect with openGraphicsFD to work
> +  unix (send, receive) type=stream addr=none
> peer=(label=/usr/sbin/libvirtd),
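Review bot: the comment on the new rule says "allow connect with openGraphicsFD", but the rule grants only `send`/`receive`, not `connect`. That is the right permission set here: with `addr=none` the rule covers an unnamed stream socket that libvirtd has already created and handed to the guest, so qemu never performs a connect itself. Suggest wording the comment to match, e.g. "allow send/receive on the unnamed socket libvirtd passes for openGraphicsFD", and noting that this is the guest-side half of the `peer=(label=libvirt-...)` rule added to usr.sbin.libvirtd, so whoever trims one profile later knows the other one has to move with it.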

+1 to apply

> diff --git a/examples/apparmor/usr.sbin.libvirtd
> b/examples/apparmor/usr.sbin.libvirtd
> index 3102cab382..dd37866c2a 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -69,6 +69,11 @@
>    unix (send, receive) type=stream addr=none
> peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
>    signal (send) set=("term")
> peer=/usr/sbin/libvirtd//qemu_bridge_helper,
>  
> +  # allow connect with openGraphicsFD, direction reversed in newer
> versions
> +  unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-
> 9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
> +  # unconfined also required if guests run without security module
> +  unix (send, receive) type=stream addr=none
> peer=(label=unconfined),
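Review bot: "direction reversed in newer versions" in the first comment does not say which libvirt or qemu versions, so a reader of the profile cannot tell whether they still need the matching rule in libvirt-qemu; name the version where the peer direction changed, or at least spell out "newer libvirt/qemu". Separately, the `peer=(label=unconfined)` rule lets libvirtd exchange stream sockets with any unconfined process, not only unconfined guests; given that this profile is meant to be restrictive, the comment should say plainly that this widening is the price of supporting guests started without the security driver, so it is not broadened further without thought.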

Makes sense. This libvirtd policy is meant to be super restrictive, so
+1 to apply.


-- 
Jamie Strandboge             | http://www.canonical.com