[libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

Daniel P. Berrange berrange at redhat.com
Tue Dec 13 13:26:37 UTC 2016


On Mon, Dec 12, 2016 at 04:04:34PM +0100, Martin Kletzander wrote:
> On Mon, Dec 12, 2016 at 02:09:52PM +0000, Daniel P. Berrange wrote:
> > On Mon, Dec 12, 2016 at 02:53:02PM +0100, Christian Ehrhardt wrote:
> > > Acked-by: Christian Ehrhardt <christian.ehrhardt at canonical.co>
> > > 
> > > That (just FYI) is also equivalent to
> > > https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1615550
> > > 
> > > On Mon, Dec 12, 2016 at 11:59 AM, intrigeri <intrigeri+libvirt at boum.org>
> > > wrote:
> > > 
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=1369281
> > > > ---
> > > >  examples/apparmor/libvirt-qemu | 3 +++
> > > >  1 file changed, 3 insertions(+)
> > > >
> > > > diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-
> > > > qemu
> > > > index 11381d4df0..fdb5a23291 100644
> > > > --- a/examples/apparmor/libvirt-qemu
> > > > +++ b/examples/apparmor/libvirt-qemu
> > > > @@ -21,6 +21,9 @@
> > > >    /dev/ptmx rw,
> > > >    /dev/kqemu rw,
> > > >    @{PROC}/*/status r,
> > > > +  # Per man(5) proc, the kernel enforces that a thread may
> > > > +  # only modify its comm value or those in its thread group.
> > > > +  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
> > > >    @{PROC}/sys/kernel/cap_last_cap r,
> > > >
> > > >    # For hostdev access. The actual devices will be added dynamically
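Review bot: the commit message body is only the bugzilla URL; please add a sentence saying what QEMU does that requires this rule (the subject names set_process_name, and the rule added is `owner @{PROC}/@{pid}/task/@{tid}/comm rw,`), so the profile change is reviewable from the log alone. Two smaller points on the same hunk: confirm that `@{tid}` is defined by the AppArmor tunables shipped on the oldest distro this profile targets, since a reference to an undefined variable makes the whole profile fail to load rather than just this rule; and the comment's `man(5) proc` is conventionally written `proc(5)`.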
> > 
> > Thanks, I'll push this patch.
> > 
> 
> Didn't we have a policy of using real names in commit messages?  I
> remember someone advocating that (Eric?), so I did that as well.  But to
> be honest, I can't find it anywhere in our docs, but it makes sense if
> there is a need for anything related to attributions or copyrights.

I just assumed "intrigeri" is a real name :-)  In this case the patches
are the same as those already carried by Ubuntu, and trivial enough to
not have copyright consequences imho.

Last time this came up was when someone submitted a large patch series
with an author of simply "TJ".  IIRC, we rejected the patch series as
they wouldn't provide a real name.

We've never formally documented this as a policy anywhere though.

If we want to formalize this, then I'd probably suggest we actually
explicitly adopt the kernel signed-off-by process. People are used
to adding S-o-B (many libvirt patches already have it) and git makes
it trivial.

The DCO doesn't say anything about pseudonyms directly though:

  http://developercertificate.org/

the kernel patch submission guidelines add it as a requirement

  https://www.kernel.org/doc/Documentation/SubmittingPatches

[quote]
then you just add a line saying::

	Signed-off-by: Random J Developer <random at developer.example.org>

using your real name (sorry, no pseudonyms or anonymous contributions.)
[/quote]


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|