
Quoting Guido Günther (agx@sigxcpu.org):
On Thu, May 18, 2017 at 11:21:54AM -0500, Serge E. Hallyn wrote:
Mind you I'm not crazy about this. If this could be toggled with a default-off config option that would seem better than always giving these caps to libvirt-qemu.
virt-aa-helper could add these if it detects a 9pfs file system. That would be better than always adding it.
Agreed
Cheers,
 -- Guido
Quoting Stefan Bader (stefan.bader@canonical.com):
From: Serge Hallyn <serge.hallyn@ubuntu.com>
Add fowner and fsetid to libvirt-qemu profile.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1378434
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 examples/apparmor/libvirt-qemu | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 89466c9..f04ce04 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -13,6 +13,10 @@ capability setgid, capability setuid,
+ # for 9p + capability fsetid, + capability fowner, + network inet stream, network inet6 stream,
-- 2.7.4
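Review bot: The added "capability fsetid," and "capability fowner," rules go into examples/apparmor/libvirt-qemu unconditionally, while the only justification in the hunk is the comment "# for 9p", so the grant is not tied to any 9p configuration. Consider having virt-aa-helper emit the two rules only when it detects a 9p filesystem, as suggested in this thread, or put them behind a default-off option. If they stay in this profile, expand the comment and the commit message to say which 9p operation needs each capability, so the grant can be audited later.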