[PATCH] Allow VM to read sysfs PCI config, revision files

Christian Ehrhardt christian.ehrhardt at canonical.com
Thu May 19 05:59:37 UTC 2022


On Thu, May 12, 2022 at 3:27 PM Max Goodhart <c at chromakode.com> wrote:
>
> From: Max Goodhart <gitlab at chromakode.com>

Hi Max,
thanks for the work to identify and fix this!

It is indeed a natural evolution of my 27a9ebf2818, 00fbb9e5167 and
f2cbb94eabd that made the rules so far.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>

> This fixes a blank screen when viewing a VM with virtio graphics and
> gl-accelerated Spice display on Ubuntu 22.04 / libvirt 8.0.0 / qemu 6.2.
>
> Without these AppArmor permissions, the libvirt error log contains
> repetitions of:
>
> qemu_spice_gl_scanout_texture: failed to get fd for texture
>
> This appears to be similar to this GNOME Boxes issue:
> https://gitlab.gnome.org/GNOME/gnome-boxes/-/issues/586
>
> Signed-off-by: Max Goodhart <c at chromakode.com>
> ---
>  src/security/virt-aa-helper.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index 1f1cce8b3d..b314d2a059 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -1316,7 +1316,7 @@ get_files(vahControl * ctl)
>          virBufferAddLit(&buf, "  \"/dev/nvidiactl\" rw,\n");
>          virBufferAddLit(&buf, "  # Probe DRI device attributes\n");
>          virBufferAddLit(&buf, "  \"/dev/dri/\" r,\n");
> -        virBufferAddLit(&buf, "  \"/sys/devices/**/{uevent,vendor,device,subsystem_vendor,subsystem_device}\" r,\n");
> +        virBufferAddLit(&buf, "  \"/sys/devices/**/{uevent,vendor,device,subsystem_vendor,subsystem_device,config,revision}\" r,\n");
>          virBufferAddLit(&buf, "  # dri libs will trigger that, but t is not requited and DAC would deny it anyway\n");
>          virBufferAddLit(&buf, "  deny \"/var/lib/libvirt/.cache/\" w,\n");
>      }
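Review bot: because this rule already carries the `/sys/devices/**/` glob, adding `config` grants read access to the sysfs PCI configuration-space file of every device under /sys/devices, not only the DRI device that the `# Probe DRI device attributes` comment refers to; if that breadth is intended it should be stated in the commit message, otherwise it is worth checking whether the read can be scoped more tightly. Not part of this change, but visible in the context line `# dri libs will trigger that, but t is not requited and DAC would deny it anyway`, there are two typos (`t` for `it`, `requited` for `required`) that could be cleaned up in a follow-up.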
> --
> 2.34.1
>


-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
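To make the scope of the changed rule concrete, here is an added example (not code from the patch, libvirt or AppArmor) that translates the rule's glob into a regular expression and checks which constructed sysfs paths it allows before and after the change. It assumes only the subset of AppArmor glob syntax the rule uses: `**` matches across path components, `*` and `?` within one component, and `{a,b}` is a flat alternation; the sample paths are constructed and the helper names are the example's own.

```python
import re

# The rule from the hunk, before and after the patch (path part only).
RULE_BEFORE = "/sys/devices/**/{uevent,vendor,device,subsystem_vendor,subsystem_device}"
RULE_AFTER = "/sys/devices/**/{uevent,vendor,device,subsystem_vendor,subsystem_device,config,revision}"

# Constructed sysfs paths: a GPU at 00:02.0 and an unrelated audio device at 00:1f.3.
SAMPLE_PATHS = [
    "/sys/devices/pci0000:00/0000:00:02.0/vendor",
    "/sys/devices/pci0000:00/0000:00:02.0/config",
    "/sys/devices/pci0000:00/0000:00:02.0/resource0",
    "/sys/devices/pci0000:00/0000:00:1f.3/revision",
]


def apparmor_glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a subset of AppArmor file-glob syntax to an anchored regex.

    Assumption: the subset below covers rules of the shape used here.
      **     any characters, including '/'
      *      any characters except '/'
      ?      one character except '/'
      {a,b}  flat alternation (no nesting); alternatives are taken literally
    Everything else matches itself.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            parts.append("[^/]*")
        elif c == "?":
            parts.append("[^/]")
        elif c == "{":
            end = pattern.index("}", i)
            alternatives = pattern[i + 1:end].split(",")
            parts.append("(?:" + "|".join(re.escape(a) for a in alternatives) + ")")
            i = end  # skip to the closing brace; the += 1 below steps past it
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def rule_allows(rule: str, path: str) -> bool:
    """True if the AppArmor path rule matches the given path."""
    return apparmor_glob_to_regex(rule).match(path) is not None


def newly_allowed(paths):
    """Paths that the patched rule allows but the original rule did not."""
    return [p for p in paths
            if rule_allows(RULE_AFTER, p) and not rule_allows(RULE_BEFORE, p)]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p}: before={rule_allows(RULE_BEFORE, p)} after={rule_allows(RULE_AFTER, p)}")
    print("newly readable:", newly_allowed(SAMPLE_PATHS))
```

Running it shows that `config` and `revision` become readable for the audio device at 00:1f.3 just as for the GPU, which is the scoping point a reviewer would weigh against the convenience of the `**` glob.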



More information about the libvir-list mailing list