[libvirt] [PATCH 00/12] Drop KVM assignment
by Michal Privoznik
The KVM style of PCI assignment is not used, and it hasn't been for a
while. Any attempt to start a domain with it would result in an error as
the kernel dropped its support in 4.12.0 (after being deprecated for 1.5
years).
Michal Prívozník (12):
qemu: Drop KVM assignment
tests: Remove 'kvm' PCI backend from domaincapstest
virhostdev: Unify virDomainHostdevDef to virPCIDevice translation
qemu: Drop unused qemuOpenPCIConfig()
virhostdev: Disable legacy kvm assignment
virpci: Drop 'pci-stub' driver
virpci: Remove unused virPCIDeviceWaitForCleanup
virpci: Drop newid style of PCI device detach
virpcimock: Don't create "pci-stub" driver
virpcimock: Don't create new_id or remove_id files
virpcimock: Drop @driverActions enum
news: Document KVM assignment removal
docs/news.xml | 13 +
src/libvirt_private.syms | 1 -
src/qemu/qemu_capabilities.c | 6 -
src/qemu/qemu_command.c | 48 +--
src/qemu/qemu_command.h | 3 -
src/qemu/qemu_driver.c | 14 +-
src/qemu/qemu_hostdev.c | 44 +-
src/qemu/qemu_hostdev.h | 1 -
src/qemu/qemu_hotplug.c | 20 +-
src/util/virhostdev.c | 97 +++--
src/util/virpci.c | 403 +-----------------
src/util/virpci.h | 2 -
.../qemu_1.7.0.x86_64.xml | 1 -
.../qemu_2.12.0-virt.aarch64.xml | 1 -
.../qemu_2.12.0.ppc64.xml | 1 -
.../qemu_2.12.0.s390x.xml | 1 -
.../qemu_2.12.0.x86_64.xml | 1 -
.../qemu_2.6.0-virt.aarch64.xml | 1 -
.../qemu_2.6.0.aarch64.xml | 1 -
.../domaincapsschemadata/qemu_2.6.0.ppc64.xml | 1 -
.../qemu_2.6.0.x86_64.xml | 1 -
.../domaincapsschemadata/qemu_2.7.0.s390x.xml | 1 -
.../qemu_2.8.0-tcg.x86_64.xml | 1 -
.../domaincapsschemadata/qemu_2.8.0.s390x.xml | 1 -
.../qemu_2.8.0.x86_64.xml | 1 -
.../qemu_2.9.0-q35.x86_64.xml | 1 -
.../qemu_2.9.0-tcg.x86_64.xml | 1 -
.../qemu_2.9.0.x86_64.xml | 1 -
.../domaincapsschemadata/qemu_3.0.0.s390x.xml | 1 -
.../qemu_3.1.0.x86_64.xml | 1 -
.../domaincapsschemadata/qemu_4.0.0.s390x.xml | 1 -
.../qemu_4.0.0.x86_64.xml | 1 -
.../qemu_4.1.0.x86_64.xml | 1 -
tests/domaincapstest.c | 4 +-
tests/virpcimock.c | 137 +-----
35 files changed, 92 insertions(+), 722 deletions(-)
--
2.21.0
5 years, 3 months
[libvirt] [PATCH] mdev: point user to mdevctl for missing devices
by Jonathon Jongsma
When a host is rebooted, any mediated devices that were previously
configured will disappear. There have been requests for libvirt to
handle persisting these mediated devices across reboots, but the
decision was made that this should be handled at a lower level. mdevctl
is a new tool that handles registration and persistence of mediated
devices. If desired, mdevctl can automatically start these mediated
devices when the parent device becomes available.
Since mdevctl is the recommended solution for handling persistent
mediated devices, point users there when they encounter an error for a
missing mediated device.
Signed-off-by: Jonathon Jongsma <jjongsma(a)redhat.com>
---
NOTE:
- previous patch which attempted to start missing devices using mdevctl has
been withdrawn.
src/util/virmdev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/util/virmdev.c b/src/util/virmdev.c
index 3d5488cdae..df02fc8d28 100644
--- a/src/util/virmdev.c
+++ b/src/util/virmdev.c
@@ -149,7 +149,9 @@ virMediatedDeviceNew(const char *uuidstr, virMediatedDeviceModelType model)
if (!virFileExists(sysfspath)) {
virReportError(VIR_ERR_DEVICE_MISSING,
- _("mediated device '%s' not found"), uuidstr);
+ _("mediated device '%s' not found. "
+ "Persistent devices can be managed with 'mdevctl'."),
+ uuidstr);
return NULL;
}
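Review bot: the mdevctl hint added to the `virReportError` string is printed for every `!virFileExists(sysfspath)` failure, so a mistyped UUID or a device that was never created gets the same advice as a device lost on reboot. Consider wording that says the device may need to be (re)created, for example after a host reboot, and drop the trailing period so the message keeps the shape of the original `"mediated device '%s' not found"`.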
--
2.21.0
5 years, 3 months
[libvirt] [PATCH v2 0/2] security: Deal with stale XATTRs
by Michal Privoznik
v2 of:
https://www.redhat.com/archives/libvir-list/2019-August/msg00520.html
diff to v1:
- use virOnce to obtain host boot time
- switched to configure time check of getutxid
- dropped host's UUID from timestamp
Michal Prívozník (2):
util: Introduce virhostuptime
security_util: Remove stale XATTRs
configure.ac | 1 +
src/libvirt_private.syms | 4 +
src/security/security_util.c | 196 +++++++++++++++++++++++++++++++-
src/util/Makefile.inc.am | 2 +
src/util/virhostuptime.c | 81 +++++++++++++
src/util/virhostuptime.h | 27 +++++
tests/qemusecuritymock.c | 12 ++
tools/libvirt_recover_xattrs.sh | 2 +-
8 files changed, 323 insertions(+), 2 deletions(-)
create mode 100644 src/util/virhostuptime.c
create mode 100644 src/util/virhostuptime.h
--
2.21.0
5 years, 3 months
[libvirt] [PATCH] security: Don't increase XATTRs refcounter on failure
by Michal Privoznik
If a user has two domains, each having the same disk (configured for
RW) but each running with a different seclabel, then we deny start of
the second domain because in order to do that we would need to
relabel the disk but that would cut the first domain off. Even if
we did not do that, qemu would fail to start because it would be
unable to lock the disk image for the second time. So far, this
behaviour is expected. But what is not expected is that we
increase the refcounter in XATTRs and leave it like that.
What happens is that when the second domain starts,
virSecuritySetRememberedLabel() is called, and since there are
XATTRs from the first domain it increments the refcounter and
returns it (refcounter == 2 at this point). Then callers
(virSecurityDACSetOwnership() and
virSecuritySELinuxSetFileconHelper()) realize that refcounter is
greater than 1 and desired seclabel doesn't match the one the
disk image already has and an error is produced. But the
refcounter is never decremented.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740024
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/security/security_dac.c | 19 ++++++++++++++-----
src/security/security_selinux.c | 17 +++++++++++------
2 files changed, 25 insertions(+), 11 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 137daf5d28..b0070f7390 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -754,6 +754,8 @@ virSecurityDACSetOwnership(virSecurityManagerPtr mgr,
struct stat sb;
int refcount;
int rc;
+ bool rollback = false;
+ int ret = -1;
if (!path && src && src->path &&
virStorageSourceIsLocalStorage(src))
@@ -780,16 +782,18 @@ virSecurityDACSetOwnership(virSecurityManagerPtr mgr,
} else if (refcount < 0) {
return -1;
} else if (refcount > 1) {
+ rollback = true;
/* Refcount is greater than 1 which means that there
* is @refcount domains using the @path. Do not
* change the label (as it would almost certainly
* cause the other domains to lose access to the
- * @path). */
+ * @path). However, the refcounter was incremented in
+ * XATTRs so decrease it. */
if (sb.st_uid != uid || sb.st_gid != gid) {
virReportError(VIR_ERR_OPERATION_INVALID,
_("Setting different DAC user or group on %s "
"which is already in use"), path);
- return -1;
+ goto cleanup;
}
}
}
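Review bot: `rollback = true` is set only inside the `refcount > 1` branch, while the cleanup block later in this function becomes gated on `ret < 0 && rollback`. As far as the visible context shows, that block previously ran whenever `virSecurityDACSetOwnershipInternal()` failed, so with `refcount == 1` a failed ownership change would now leave the freshly remembered label and its refcounter behind in XATTRs. Setting `rollback` for any `refcount >= 1` would cover both cases. The assignment also sits above the comment that explains the branch; moving it below keeps the comment directly under the `else if`.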
@@ -797,7 +801,13 @@ virSecurityDACSetOwnership(virSecurityManagerPtr mgr,
VIR_INFO("Setting DAC user and group on '%s' to '%ld:%ld'",
NULLSTR(src ? src->path : path), (long)uid, (long)gid);
- if (virSecurityDACSetOwnershipInternal(priv, src, path, uid, gid) < 0) {
+ if (virSecurityDACSetOwnershipInternal(priv, src, path, uid, gid) < 0)
+ goto cleanup;
+
+ ret = 0;
+
+ cleanup:
+ if (ret < 0 && rollback) {
virErrorPtr origerr;
virErrorPreserveLast(&origerr);
@@ -812,10 +822,9 @@ virSecurityDACSetOwnership(virSecurityManagerPtr mgr,
NULLSTR(src ? src->path : path));
virErrorRestore(&origerr);
- return -1;
}
- return 0;
+ return ret;
}
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index ea20373a90..0c6ace75fa 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1334,6 +1334,7 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
security_context_t econ = NULL;
int refcount;
int rc;
+ bool rollback = false;
int ret = -1;
if ((rc = virSecuritySELinuxTransactionAppend(path, tcon,
@@ -1358,11 +1359,13 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
} else if (refcount < 0) {
goto cleanup;
} else if (refcount > 1) {
+ rollback = true;
/* Refcount is greater than 1 which means that there
* is @refcount domains using the @path. Do not
* change the label (as it would almost certainly
* cause the other domains to lose access to the
- * @path). */
+ * @path). However, the refcounter was
+ * incremented in XATTRs so decrease it. */
if (STRNEQ(econ, tcon)) {
virReportError(VIR_ERR_OPERATION_INVALID,
_("Setting different SELinux label on %s "
@@ -1373,7 +1376,12 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
}
}
- if (virSecuritySELinuxSetFileconImpl(path, tcon, optional, privileged) < 0) {
+ if (virSecuritySELinuxSetFileconImpl(path, tcon, optional, privileged) < 0)
+ goto cleanup;
+
+ ret = 0;
+ cleanup:
+ if (ret < 0 && rollback) {
virErrorPtr origerr;
virErrorPreserveLast(&origerr);
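Review bot: `if (ret < 0 && rollback)` under the new `cleanup:` label skips the restore block when `virSecuritySELinuxSetFileconImpl()` fails with `refcount == 1`, because `rollback` is only set in the `refcount > 1` branch, whereas the removed `if (virSecuritySELinuxSetFileconImpl(...) < 0) {` entered that block on every failure. If a first-user failure should still drop the remembered label, set `rollback` for any positive refcount. A blank line before `cleanup:` would also match the layout used in security_dac.c in this patch.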
@@ -1388,11 +1396,8 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
path);
virErrorRestore(&origerr);
- goto cleanup;
- }
- ret = 0;
- cleanup:
+ }
freecon(econ);
return ret;
}
--
2.21.0
5 years, 3 months
[libvirt] [PATCH v10 00/10] incremental backup
by Eric Blake
This is not the final version of incremental backup - before we can
accept this series, it needs a lot of polish to pick up cleanups made
possible by Peter's blockdev work, and we need to settle on our Job
API addition (so that the return value of BackupBegin and the
parameter to BackupGetXMLDesc and BackupEnd use the same
representation, whether that be UUID or something else). I also know
that Peter left quite a few comments against v9, many of which I have
not actually attempted to address yet. But it rebases things on top
of the checkpoint work that landed in the 5.6 release, and is still
able to perform the pull-mode incremental backups that I demonstrated
at KVM Forum 2018.
There's still probably crashes in portions of the code that are not
exercised by my demo, and I know that we really want to use qemu's
blockdev image creation instead of calling out to qemu-img create for
preparing the qcow2 scratch image in pull mode. The main point of
this posting is to allow further testing before the actual feature
lands in an upstream libvirt release.
I've pushed a tag backup-v10 to both my libvirt.git and
libvirt-python.git repos to match:
https://repo.or.cz/libvirt/ericb.git/shortlog/refs/tags/backup-v10
https://repo.or.cz/libvirt-python/ericb.git/shortlog/refs/tags/backup-v10
001/10:[0033] [FC] 'backup: qemu: Implement VIR_DOMAIN_CHECKPOINT_XML_SIZE flag'
002/10:[0002] [FC] 'backup: Document new XML for backups'
003/10:[0010] [FC] 'backup: Introduce virDomainBackup APIs'
004/10:[0031] [FC] 'backup: Implement backup APIs for remote driver'
005/10:[----] [--] 'backup: Parse and output backup XML'
006/10:[----] [--] 'backup: Implement virsh support for backup'
007/10:[0025] [FC] 'backup: qemu: Implement framework for backup job APIs'
008/10:[0002] [FC] 'backup: Wire up qemu full pull backup commands over QMP'
009/10:[----] [--] 'backup: qemu: Wire up qemu full push backup commands over QMP'
010/10:[0017] [FC] 'backup: Implement qemu incremental pull backup'
Eric Blake (10):
backup: qemu: Implement VIR_DOMAIN_CHECKPOINT_XML_SIZE flag
backup: Document new XML for backups
backup: Introduce virDomainBackup APIs
backup: Implement backup APIs for remote driver
backup: Parse and output backup XML
backup: Implement virsh support for backup
backup: qemu: Implement framework for backup job APIs
backup: Wire up qemu full pull backup commands over QMP
backup: qemu: Wire up qemu full push backup commands over QMP
backup: Implement qemu incremental pull backup
include/libvirt/libvirt-domain.h | 41 +-
src/conf/backup_conf.h | 94 +++
src/conf/virconftypes.h | 3 +
src/driver-hypervisor.h | 14 +
src/qemu/qemu_blockjob.h | 1 +
src/qemu/qemu_domain.h | 4 +
src/qemu/qemu_monitor.h | 4 +
src/qemu/qemu_monitor_json.h | 4 +
docs/docs.html.in | 3 +-
docs/format.html.in | 1 +
docs/formatbackup.html.in | 184 +++++
docs/formatcheckpoint.html.in | 12 +-
docs/index.html.in | 3 +-
docs/schemas/domainbackup.rng | 219 ++++++
examples/c/misc/event-test.c | 3 +
libvirt.spec.in | 1 +
mingw-libvirt.spec.in | 2 +
src/conf/Makefile.inc.am | 2 +
src/conf/backup_conf.c | 546 +++++++++++++++
src/conf/domain_conf.c | 2 +-
src/libvirt-domain-checkpoint.c | 7 +-
src/libvirt-domain.c | 219 ++++++
src/libvirt_private.syms | 8 +-
src/libvirt_public.syms | 7 +
src/qemu/qemu_blockjob.c | 3 +
src/qemu/qemu_domain.c | 35 +-
src/qemu/qemu_driver.c | 684 ++++++++++++++++++-
src/qemu/qemu_monitor.c | 11 +
src/qemu/qemu_monitor_json.c | 84 +++
src/qemu/qemu_process.c | 8 +
src/remote/remote_driver.c | 3 +
src/remote/remote_protocol.x | 54 +-
src/remote_protocol-structs | 28 +
tests/Makefile.am | 2 +
tests/domainbackupxml2xmlin/backup-pull.xml | 9 +
tests/domainbackupxml2xmlin/backup-push.xml | 9 +
tests/domainbackupxml2xmlin/empty.xml | 1 +
tests/domainbackupxml2xmlout/backup-pull.xml | 9 +
tests/domainbackupxml2xmlout/backup-push.xml | 9 +
tests/domainbackupxml2xmlout/empty.xml | 7 +
tests/virschematest.c | 2 +
tools/virsh-domain.c | 253 ++++++-
tools/virsh.pod | 49 ++
43 files changed, 2623 insertions(+), 21 deletions(-)
create mode 100644 src/conf/backup_conf.h
create mode 100644 docs/formatbackup.html.in
create mode 100644 docs/schemas/domainbackup.rng
create mode 100644 src/conf/backup_conf.c
create mode 100644 tests/domainbackupxml2xmlin/backup-pull.xml
create mode 100644 tests/domainbackupxml2xmlin/backup-push.xml
create mode 100644 tests/domainbackupxml2xmlin/empty.xml
create mode 100644 tests/domainbackupxml2xmlout/backup-pull.xml
create mode 100644 tests/domainbackupxml2xmlout/backup-push.xml
create mode 100644 tests/domainbackupxml2xmlout/empty.xml
--
2.21.0
5 years, 3 months
[libvirt] [PATCH 00/11] Fix 10 tests on macOS
by Roman Bolshakov
Hi!
This patch series attempts to reduce the number of failing tests on macOS.
The fixes involve some funk with macOS dynamic and static linkers, dyld and
ld64, respectively.
As a result, instead of 15 failing tests we get only 5.
The tests have been fixed:
qemublocktest
qemumonitorjsontest
viriscsitest
virmacmaptest
virnetserverclienttest
vircryptotest
qemufirmwaretest
domaincapstest
commandtest
sockettest
The tests are still failing:
qemumemlocktest
storagepoolxml2argvtest
qemuxml2xmltest
qemusecuritytest
qemuxml2argvtest
qemucapsprobe doesn't yet work but I started working on the fix.
The failing tests depend on virpcimock that is guarded by ifdefs so no
functions are injected and the mock is no-op on macOS. How can we fix
the tests that rely on the mock? Should we select only specific tests to
run on macOS or we should make virpci mock cross-platform? Skipping
them entirely is not an option IMO as I think qemu driver can be used on
macOS with qemu/hvf/haxm domains and the tests are helpful for the
domains.
And as soon as we get working tests and qemucapsprobe I'd want to resend hvf
patchset.
Best regards,
Roman
Roman Bolshakov (11):
tests: Don't test octal localhost IP in sockettest on macOS
tests: Avoid IPv4-translated IPv6 address in sockettest
tests: Preload mocks with DYLD_INSERT_LIBRARIES on macOS
tests: Add lib- prefix to all mocks
tests: Remove -module flag for mocks
tests: Drop /private CWD prefix in commandhelper
build: Use flat namespace for libvirt on macOS
tests: Lookup extended stat/lstat in mocks
tests: Use flat namespace on macOS
tests: Avoid gnulib replacements in mocks
tests: Make references to global symbols indirect in test drivers
configure.ac | 1 +
src/Makefile.am | 9 +-
tests/Makefile.am | 199 +++++++++++++++++----------------
tests/bhyveargv2xmltest.c | 2 +-
tests/bhyvexml2argvtest.c | 2 +-
tests/bhyvexml2xmltest.c | 2 +-
tests/commandhelper.c | 9 ++
tests/domaincapstest.c | 6 +-
tests/fchosttest.c | 2 +-
tests/libxlxml2domconfigtest.c | 2 +-
tests/nsstest.c | 2 +-
tests/qemucaps2xmltest.c | 2 +-
tests/qemucapsprobe.c | 2 +-
tests/qemumemlocktest.c | 3 +-
tests/qemumonitorjsontest.c | 2 +-
tests/qemuxml2argvtest.c | 8 +-
tests/qemuxml2xmltest.c | 6 +-
tests/sockettest.c | 6 +-
tests/testutils.c | 4 +-
tests/testutils.h | 18 ++-
tests/vircaps2xmltest.c | 2 +-
tests/vircgrouptest.c | 2 +-
tests/vircryptotest.c | 2 +-
tests/virfilecachetest.c | 2 +-
tests/virfiletest.c | 2 +-
tests/virfilewrapper.c | 5 +
tests/virfirewalltest.c | 2 +-
tests/virhostcputest.c | 2 +-
tests/virhostdevtest.c | 2 +-
tests/viriscsitest.c | 3 +-
tests/virmacmaptest.c | 2 +-
tests/virmock.h | 10 ++
tests/virmockstathelpers.c | 18 +++
tests/virnetdaemontest.c | 2 +-
tests/virnetdevbandwidthtest.c | 2 +-
tests/virnetdevtest.c | 2 +-
tests/virnetserverclienttest.c | 2 +-
tests/virnettlscontexttest.c | 2 +-
tests/virnettlssessiontest.c | 2 +-
tests/virpcitest.c | 2 +-
tests/virpolkittest.c | 2 +-
tests/virportallocatortest.c | 2 +-
tests/virsystemdtest.c | 2 +-
tests/virusbtest.c | 2 +-
44 files changed, 214 insertions(+), 149 deletions(-)
--
2.22.0
5 years, 3 months
[libvirt] [PATCH 00/10] ci: Several fixes and improvements
by Andrea Bolognani
See the individual commits for details, but the gist of it is that
after this series it's possible for users to hook into the build
process and customize it according to their needs; on top of that,
the whole thing is made more maintainable in the process.
Andrea Bolognani (10):
ci: Fix /etc/sub{u,g}id parsing
ci: Drop $(CI_SUBMODULES)
ci: Move everything to a separate directory
ci: Create user's home directory in the container
ci: Move source directory under $(CI_USER_HOME)
ci: Introduce $(CI_BUILD_SCRIPT)
ci: Generalize running commands inside the container
ci: Introduce $(CI_PREPARE_SCRIPT)
ci: Run $(CI_PREPARE_SCRIPT) as root
ci: Stop using --workdir
.gitignore | 2 +-
.travis.yml | 8 +--
Makefile.am | 6 +-
Makefile.ci => ci/Makefile | 109 +++++++++++++++++++------------------
ci/build.sh | 40 ++++++++++++++
ci/prepare.sh | 13 +++++
6 files changed, 118 insertions(+), 60 deletions(-)
rename Makefile.ci => ci/Makefile (79%)
create mode 100644 ci/build.sh
create mode 100644 ci/prepare.sh
--
2.21.0
5 years, 3 months
[libvirt] [PATCH v2 0/9] More consistent virDomainUndefine flag handling
by Eric Blake
Since v1:
- use syntax-check rather than dynamic runtime check for API mismatch
- fix more stragglers with mismatched API, found by the syntax-check
- fix a bug in bhyve no-op flag handling
- expand no-op flag handling to other affected drivers
Eric Blake (9):
vbox: Add various vir*Flags API
xenapi: Add various vir*Flags API
maint: Enhance check-driverimpls.pl to check for API pairing
bhyve: Ignore no-op flag during virDomainUndefine
libxl: Ignore no-op flag during virDomainUndefine
lxc: Ignore no-op flag during virDomainUndefine
openvz: Ignore no-op flag during virDomainUndefine
vmware: Ignore no-op flag during virDomainUndefine
xenapi: Ignore no-op flag during virDomainUndefine
src/bhyve/bhyve_driver.c | 6 +++++-
src/check-driverimpls.pl | 33 +++++++++++++++++++++++++++++++--
src/libxl/libxl_driver.c | 4 +++-
src/lxc/lxc_driver.c | 5 ++++-
src/openvz/openvz_driver.c | 5 ++++-
src/vbox/vbox_common.c | 24 ++++++++++++++++++++++--
src/vmware/vmware_driver.c | 5 ++++-
src/xenapi/xenapi_driver.c | 28 ++++++++++++++++++++++++----
8 files changed, 97 insertions(+), 13 deletions(-)
--
2.20.1
5 years, 3 months
[libvirt] [PATCH 0/5] security: Deal with stale XATTRs
by Michal Privoznik
There are some ways users can end up in stale XATTRs. One is sudden
power loss, the other is stopping libvirt whilst some domains are
running and then rebooting the host. And I believe users will find other
creative ways to shut down domains without qemuProcessStop() being
called. When that happens our XATTRs will be left behind and not reflect
the real state of things (e.g. refcounter). To resolve this, record a
timestamp within XATTRs too so that host reboots can be detected.
Michal Prívozník (5):
virUUIDFormat: s/VIR_UUID_RAW_LEN/VIR_UUID_BUFLEN/ in comment
security_util: Use more VIR_AUTOFREE()
security_util: Document virSecurityMoveRememberedLabel
util: Introduce virhostuptime
security_util: Remove stale XATTRs
src/libvirt_private.syms | 4 +
src/security/security_util.c | 293 +++++++++++++++++++++++++++++------
src/util/Makefile.inc.am | 2 +
src/util/virhostuptime.c | 61 ++++++++
src/util/virhostuptime.h | 27 ++++
src/util/viruuid.c | 2 +-
tests/qemusecuritymock.c | 12 ++
7 files changed, 353 insertions(+), 48 deletions(-)
create mode 100644 src/util/virhostuptime.c
create mode 100644 src/util/virhostuptime.h
--
2.21.0
5 years, 3 months
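An added example, not part of any posting above and not libvirt's code: a small C model of the two XATTR ideas described in the "Don't increase XATTRs refcounter on failure" and "Deal with stale XATTRs" postings, namely giving the reference back when a relabel is refused and discarding a record written during an earlier boot. The struct layout, function names, labels and boot-time values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* In-memory stand-in for one file's XATTRs (hypothetical layout). */
struct label_record {
    bool present;        /* attributes exist on the file */
    int refcount;        /* domains currently using the file */
    char orig_label[64]; /* label to restore at refcount 0 */
    long boot_time;      /* host boot time when the record was written */
};

/* A record from an earlier boot cannot describe running domains. */
static void drop_if_stale(struct label_record *rec, long boot)
{
    if (rec->present && rec->boot_time != boot)
        memset(rec, 0, sizeof(*rec));
}

/* Remember the file's current label; returns the new refcount. */
int remember_label(struct label_record *rec, const char *cur, long boot)
{
    drop_if_stale(rec, boot);
    if (!rec->present) {
        rec->present = true;
        rec->boot_time = boot;
        snprintf(rec->orig_label, sizeof(rec->orig_label), "%s", cur);
    }
    return ++rec->refcount;
}

/* Drop one reference; at 0 the original label is copied to @out. */
int recall_label(struct label_record *rec, char *out, size_t len, long boot)
{
    drop_if_stale(rec, boot);
    if (!rec->present)
        return -1;
    if (--rec->refcount > 0)
        return rec->refcount;
    snprintf(out, len, "%s", rec->orig_label);
    memset(rec, 0, sizeof(*rec));
    return 0;
}

/* Relabel @label to @want; a refused relabel gives its reference back. */
int set_label(struct label_record *rec, char *label, size_t len,
              const char *want, long boot)
{
    if (remember_label(rec, label, boot) > 1 && strcmp(label, want) != 0) {
        recall_label(rec, NULL, 0, boot); /* undo our own increment */
        return -1;
    }
    snprintf(label, len, "%s", want);
    return 0;
}

int main(void)
{
    struct label_record rec = {0};
    char label[64] = "root:root"; /* constructed sample label */
    int first = set_label(&rec, label, sizeof(label), "qemu:qemu", 100);
    int second = set_label(&rec, label, sizeof(label), "other:other", 100);
    printf("first=%d second=%d refcount=%d\n", first, second, rec.refcount);
}
```

Note the trade-off the model makes visible: once a stale record is dropped, the label that was original before the earlier boot is no longer known, and the label found on the file becomes the new one to restore.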
[libvirt] [PATCH] virt-aa-helper: Drop unnecessary AppArmor rule
by Andrea Bolognani
Apparently /proc/self is automatically converted to /proc/@{pid}
before checking rules, which makes spelling it out explicitly
redundant.
Suggested-by: Jamie Strandboge <jamie(a)canonical.com>
Signed-off-by: Andrea Bolognani <abologna(a)redhat.com>
---
src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
index 64772f0756..11e9c039ca 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -18,7 +18,6 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
@{PROC}/filesystems r,
# Used when internally running another command (namely apparmor_parser)
- @{PROC}/self/fd/ r,
@{PROC}/@{pid}/fd/ r,
/etc/libnl-3/classid r,
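Review bot: with `@{PROC}/self/fd/ r,` removed, nothing in the profile records why `@{PROC}/@{pid}/fd/ r,` alone is sufficient, and the commit message itself only says "Apparently". A one-line comment above the remaining rule stating that /proc/self is converted to /proc/@{pid} before rules are checked would keep the rule from being re-added later, and it is worth confirming that behaviour on the oldest AppArmor version the project supports.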
--
2.21.0
5 years, 3 months