[libvirt] [PATCH] apparmor: Add openGraphicsFD rule for named profile

Christian Ehrhardt christian.ehrhardt at canonical.com
Wed Jun 19 12:23:43 UTC 2019


On Wed, Jun 19, 2019 at 2:07 PM Jamie Strandboge <jamie at canonical.com> wrote:
>
> On Wed, 19 Jun 2019, Christian Ehrhardt wrote:
>
> > Commit a3ab6d42 changed the libvirtd profile to a named profile
> > but neglected to accommodate the change in the qemu profile
> > ptrace and signal rules.
> > Later on 4ec3cf9a fixed that for ptrace and signal but openGraphicsFD
> > is still missing.
> >
> > As a result, libvirtd is unable to open UI on libvirt >=5.1 e.g. with
> > virt-manager.
> >
> > Add openGraphicsFD rule that references the libvirtd profile
> > by name in addition to full binary path.
> >
> > Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1833040
> >
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> > ---
> >  src/security/apparmor/libvirt-qemu | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> > index 165558fe83..d33348aa05 100644
> > --- a/src/security/apparmor/libvirt-qemu
> > +++ b/src/security/apparmor/libvirt-qemu
> > @@ -208,6 +208,7 @@
> >    /sys/firmware/devicetree/** r,
> >
> >    # allow connect with openGraphicsFD to work
> > +  unix (send, receive) type=stream addr=none peer=(label=libvirtd),
> >    unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
> >
> >    # for gathering information about available host resources
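Review bot: the added `peer=(label=libvirtd)` line is identical to the existing rule below it except for the peer label, and the comment above ("# allow connect with openGraphicsFD to work") does not say why two near-identical rules are needed. Extend the comment to state that the first matches the named libvirtd profile (introduced by a3ab6d42, libvirt >= 5.1) and the second the older path-based profile, so a later cleanup does not drop one of them and reintroduce the bug described in the commit message. This mirrors what 4ec3cf9a did for the ptrace and signal rules, so the approach is consistent with the rest of the profile.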
>
> +1 to apply. Thanks for chasing this down.

Thanks for the review Jamie.
Given that the change is rather safe, I'm pushing it without waiting much longer.

> --
> Jamie Strandboge             | http://www.canonical.com

-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd