Re: [PATCH] Allow VM to read sysfs PCI config, revision files

Oops, I didn't intend for the commit author email to be gitlab(a)chromakode.com here. Would you please use c(a)chromakode.com as the author of the patch?

On Wed, May 11, 2022, 6:09 PM Max Goodhart <c(a)chromakode.com&gt; wrote: > > From: Max Goodhart <gitlab(a)chromakode.com&gt; > > This fixes a blank screen when viewing a VM with virtio graphics and > gl-accelerated Spice display on Ubuntu 22.04 / libvirt 8.0.0 / qemu 6.2. > > Without these AppArmor permissions, the libvirt error log contains > repetitions of: > > qemu_spice_gl_scanout_texture: failed to get fd for texture > > This appears to be similar to this GNOME Boxes issue: > https://gitlab.gnome.org/GNOME/gnome-boxes/-/issues/586 > > Signed-off-by: Max Goodhart <c(a)chromakode.com&gt; > --- > src/security/virt-aa-helper.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c > index 1f1cce8b3d..b314d2a059 100644 > --- a/src/security/virt-aa-helper.c > +++ b/src/security/virt-aa-helper.c > @@ -1316,7 +1316,7 @@ get_files(vahControl * ctl) > virBufferAddLit(&buf, " \"/dev/nvidiactl\" rw,\n"); > virBufferAddLit(&buf, " # Probe DRI device attributes\n"); > virBufferAddLit(&buf, " \"/dev/dri/\" r,\n"); > - virBufferAddLit(&buf, " \"/sys/devices/**/{uevent,vendor,device,subsystem_vendor,subsystem_device}\" r,\n"); > + virBufferAddLit(&buf, " \"/sys/devices/**/{uevent,vendor,device,subsystem_vendor,subsystem_device,config,revision}\" r,\n"); > virBufferAddLit(&buf, " # dri libs will trigger that, but t is not requited and DAC would deny it anyway\n"); > virBufferAddLit(&buf, " deny \"/var/lib/libvirt/.cache/\" w,\n"); > } > -- > 2.34.1 >