Re: [libvirt PATCH 1/1] apparmor: Allow umount(/dev)

On Wed, Jan 18, 2023 at 11:00:33AM +0100, Michal Prívozník wrote: > On 1/18/23 10:43, Andrea Bolognani wrote: >> Commit 379c0ce4bfed introduced a call to umount(/dev) performed >> inside the namespace that we run QEMU in. >> >> As a result of this, on machines using AppArmor, VM startup now >> fails with >> >> internal error: Process exited prior to exec: libvirt: >> QEMU Driver error: failed to umount devfs on /dev: Permission denied >> >> The corresponding denial is >> >> AVC apparmor="DENIED" operation="umount" profile="libvirtd" >> name="/dev/" pid=70036 comm="rpc-libvirtd" >> >> Extend the AppArmor configuration for virtqemud and libvirtd so >> that this operation is allowed. >> >> Signed-off-by: Andrea Bolognani <abologna(a)redhat.com&gt; >> --- >> src/security/apparmor/usr.sbin.libvirtd.in | 1 + >> src/security/apparmor/usr.sbin.virtqemud.in | 1 + >> 2 files changed, 2 insertions(+) > > Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com&gt; > > For more background on why umount is needed see my reply to Jim's > question from earlier: > > https://listman.redhat.com/archives/libvir-list/2023-January/237149.html Welp, missed that one O:-) Jim, it looks like you came up with exactly the same solution as me, despite concerns about the size of the resulting hammer. Any other ideas, or should we just go ahead and merge this as-is?