[libvirt PATCH 1/1] apparmor: Allow umount(/dev)

Andrea Bolognani abologna at redhat.com
Wed Jan 18 10:45:22 UTC 2023


On Wed, Jan 18, 2023 at 11:00:33AM +0100, Michal Prívozník wrote:
> On 1/18/23 10:43, Andrea Bolognani wrote:
> > Commit 379c0ce4bfed introduced a call to umount(/dev) performed
> > inside the namespace that we run QEMU in.
> >
> > As a result of this, on machines using AppArmor, VM startup now
> > fails with
> >
> >   internal error: Process exited prior to exec: libvirt:
> >   QEMU Driver error: failed to umount devfs on /dev: Permission denied
> >
> > The corresponding denial is
> >
> >   AVC apparmor="DENIED" operation="umount" profile="libvirtd"
> >       name="/dev/" pid=70036 comm="rpc-libvirtd"
> >
> > Extend the AppArmor configuration for virtqemud and libvirtd so
> > that this operation is allowed.
> >
> > Signed-off-by: Andrea Bolognani <abologna at redhat.com>
> > ---
> >  src/security/apparmor/usr.sbin.libvirtd.in  | 1 +
> >  src/security/apparmor/usr.sbin.virtqemud.in | 1 +
> >  2 files changed, 2 insertions(+)
>
> Reviewed-by: Michal Privoznik <mprivozn at redhat.com>
>
> For more background on why umount is needed see my reply to Jim's
> question from earlier:
>
> https://listman.redhat.com/archives/libvir-list/2023-January/237149.html

Welp, missed that one O:-)

Jim, it looks like you came up with exactly the same solution as
me, despite concerns about the size of the resulting hammer. Any
other ideas, or should we just go ahead and merge this as-is?

-- 
Andrea Bolognani / Red Hat / Virtualization
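As an added example (not libvirt's code and not the patch under discussion), the helper below turns the AppArmor denial quoted in the commit message into the mount-family rule that would permit it, and checks whether a profile body already carries that rule. It assumes AppArmor's mount-rule syntax "umount <path>,"; the audit line is the one quoted in the thread, while the profile excerpts and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not libvirt's code. Derives a candidate AppArmor rule from
# an AVC "DENIED" audit line and checks a profile body for it.

# Extract the value of key="value" from an audit line ($1 = line, $2 = key).
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Map a denial to the AppArmor rule that would permit it. Only umount is
# handled here (its rule takes a single path, as assumed in the lead-in);
# any other operation returns non-zero so it is not silently allowed.
rule_for_denial() {
    op=$(audit_field "$1" operation)
    path=$(audit_field "$1" name)
    case $op in
        umount) printf '%s %s,\n' "$op" "$path" ;;
        *) return 1 ;;
    esac
}

# Does the profile body ($1) already contain exactly this rule ($2)?
profile_allows() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*$2[[:space:]]*$"
}

# The denial as quoted in the thread, joined onto one line.
SAMPLE_DENIAL='AVC apparmor="DENIED" operation="umount" profile="libvirtd" name="/dev/" pid=70036 comm="rpc-libvirtd"'

# Constructed profile excerpts (hypothetical, not the real libvirtd profile):
# one without the rule, one with it.
PROFILE_BEFORE='  capability sys_admin,
  mount options=(rw,rslave) -> /,'
PROFILE_AFTER="$PROFILE_BEFORE
  umount /dev/,"

rule=$(rule_for_denial "$SAMPLE_DENIAL")
profile_name=$(audit_field "$SAMPLE_DENIAL" profile)
if profile_allows "$PROFILE_BEFORE" "$rule"; then
    echo "profile $profile_name already allows: $rule"
else
    echo "profile $profile_name needs: $rule"
fi
```

This is the same mapping aa-logprof would propose interactively. The caveat the thread raises still applies: a rule written into usr.sbin.libvirtd.in applies to every code path the daemon profile confines, not only to the namespace child that actually performs the umount, so the resulting permission is broader than the single call that needed it.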
