[libvirt] [PATCH v2] AppArmor: allow virt-aa-helper read access to Nova's qcow backing files.

intrigeri intrigeri+libvirt at boum.org
Mon Jun 11 11:50:37 UTC 2018


Christian Ehrhardt:
> On Mon, Jun 11, 2018 at 8:12 AM, Michal Prívozník <mprivozn at redhat.com>
> wrote:
>> Thank you for your exhaustive explanation. You've convinced me that it's
>> safe to merge this patch. However, what I still don't quite understand
>> is: Nova uses that path for ages, doesn't it? How come we've hit the bug
>> only now?
>>

> We didn't. Ubuntu had this as a downstream delta as long as I can remember - I
> guess only now someone drives Nova in Debian to that point.

No Debian stable release has had AppArmor enabled by default yet,
which I think explains why nobody noticed this problem there so far.

>> Oh, I can't merge the patch as-is because it is missing S-O-B line which
>> is required (https://libvirt.org/hacking.html). Also, it would be nice
>> if you can use your real name.

> We had the real name discussion before, but at least the S-O-B as agreed
> last time should be added.

Here's an attached patch with S-O-B added. Sorry I did not keep
up-to-date with the contribution guidelines update, I'm not
contributing that often and only to a tiny part of libvirt, so I only
skim over what's happening on the mailing list.

> And I'd ask for an opinion on the "other" paths I listed - I can only
> recommend adding as much as we can commonly agree to be useful.
> To avoid coming back every few months adding another such line :-)

Indeed. Perhaps the next step is to check if the same paths are used on
other major distros?

Cheers,
-- 
intrigeri

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-AppArmor-allow-virt-aa-helper-read-access-to-Nova-s-.patch
Type: text/x-diff
Size: 1357 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20180611/d68aaa22/attachment-0001.bin>