[libvirt] [PATCH 1/4] apparmor: allow openGraphicsFD for virt manager >1.4

Christian Ehrhardt christian.ehrhardt at canonical.com
Tue Aug 14 06:12:39 UTC 2018


On Mon, Aug 13, 2018 at 6:53 PM Jamie Strandboge <jamie at canonical.com>
wrote:

> On Mon, 2018-08-13 at 16:39 +0200, Christian Ehrhardt wrote:
> > virt-manager's UI connection will need socket access for openGraphicsFD
> > to work - otherwise users will face a failed connection error when
> > opening the UI view.
> >
> > Depending on the exact versions of libvirt and qemu involved this needs
> > either a rule from qemu to libvirt or vice versa.
> >
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> > ---
> >  examples/apparmor/libvirt-qemu      | 3 +++
> >  examples/apparmor/usr.sbin.libvirtd | 5 +++++
> >  2 files changed, 8 insertions(+)
> >
> > diff --git a/examples/apparmor/libvirt-qemu
> > b/examples/apparmor/libvirt-qemu
> > index df5f512487..5caf14e418 100644
> > --- a/examples/apparmor/libvirt-qemu
> > +++ b/examples/apparmor/libvirt-qemu
> > @@ -188,6 +188,9 @@
> >    @{PROC}/device-tree/** r,
> >    /sys/firmware/devicetree/** r,
> >
> > +  # allow connect with openGraphicsFD to work
> > +  unix (send, receive) type=stream addr=none
> > peer=(label=/usr/sbin/libvirtd),
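Review bot: the comment on this rule should say which libvirt/qemu combinations need the qemu-to-libvirtd direction; the commit message says the direction depends on versions and the usr.sbin.libvirtd hunk notes it is "reversed in newer versions", which implies this one covers the older combination, but nothing in this file records that, so nobody will know when it can be dropped. Suggest something like `# allow connect with openGraphicsFD to work (qemu connects to libvirtd; older libvirt/qemu, reversed in newer versions)` with the version boundary filled in. The rule itself is suitably narrow: type=stream, addr=none and the peer label pinned to /usr/sbin/libvirtd rather than a glob.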
>
> +1 to apply
>
> > diff --git a/examples/apparmor/usr.sbin.libvirtd
> > b/examples/apparmor/usr.sbin.libvirtd
> > index 3102cab382..dd37866c2a 100644
> > --- a/examples/apparmor/usr.sbin.libvirtd
> > +++ b/examples/apparmor/usr.sbin.libvirtd
> > @@ -69,6 +69,11 @@
> >    unix (send, receive) type=stream addr=none
> > peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
> >    signal (send) set=("term")
> > peer=/usr/sbin/libvirtd//qemu_bridge_helper,
> >
> > +  # allow connect with openGraphicsFD, direction reversed in newer
> > versions
> > +  unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-
> > 9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
> > +  # unconfined also required if guests run without security module
> > +  unix (send, receive) type=stream addr=none
> > peer=(label=unconfined),
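Review bot: `unix (send, receive) type=stream addr=none peer=(label=unconfined)` lets libvirtd exchange stream-socket traffic with any unconfined process on the host, not only a guest started without a security driver, which is a noticeably wider grant than the rest of this deliberately restrictive profile. Since libvirtd is the confined party and an unconfined peer is unrestricted anyway the practical exposure is small, but the comment should state that, and it is worth saying that the line can be dropped on hosts that always run guests under the apparmor driver. On the preceding rule, `[0-9a-f]*` in AppArmor is one hex digit followed by any run of characters (other than `/`), so `libvirt-[0-9a-f]*-[0-9a-f]*-...` matches any five hyphen-separated fields that each begin with a hex digit rather than a strict UUID; that is acceptable because only libvirtd creates those labels, but if the profile already spells the per-guest label pattern elsewhere, reuse that exact spelling so the two do not drift. Finally, "direction reversed in newer versions" should name the version in which the direction flipped.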
>
> Makes sense. This libvirtd policy is meant to be super restrictive, so
> +1 to apply.
>

Thanks, added your Ack in the v2 submission due to rewriting the latter
patches of this series.

> -- 
> Jamie Strandboge             | http://www.canonical.com



-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd