
On Sun, 2017-11-05 at 15:29 +0000, intrigeri+libvirt@boum.org wrote:
From: intrigeri <intrigeri+libvirt@boum.org>
--- examples/apparmor/libvirt-qemu | 4 ++++ examples/apparmor/usr.sbin.libvirtd | 6 ++++++ 2 files changed, 10 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 97dd2d45a9..9d487bf92f 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -16,6 +16,10 @@ network inet stream, network inet6 stream,
+ ptrace (readby, tracedby) peer=/usr/sbin/libvirtd, + + signal (receive) peer=/usr/sbin/libvirtd, +
These LGTM
/dev/net/tun rw, /dev/kvm rw, /dev/ptmx rw, diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 819068ffc3..d2831aa491 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -30,10 +30,13 @@ # Needed for vfio capability sys_resource,
+ mount, +
Yuck, but fixed in 2/2. Better might've been to skip this rule and add all the mount rules in 2/2.
network inet stream, network inet dgram, network inet6 stream, network inet6 dgram, + network netlink raw,
Looks fine. Almost certainly needed for udev.
network packet dgram, network packet raw,
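Review bot: the unqualified `+ mount,` line grants libvirtd unrestricted mount permission; since the reply notes that 2/2 replaces it with specific mount rules, drop it from this patch so the intermediate commit does not ship the broad rule, or at least mark it with a comment as a temporary placeholder. The `+ network netlink raw,` addition would likewise benefit from a one-line comment on what needs it (the reply suggests udev), in the style of the existing `# Needed for vfio` comment above it.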
@@ -42,6 +45,9 @@ ptrace (trace) peer=/usr/sbin/dnsmasq, ptrace (trace) peer=libvirt-*,
+ signal (send) peer=/usr/sbin/dnsmasq, + signal (read, send) peer=libvirt-*, +
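Review bot: `signal (read, send) peer=libvirt-*` lets libvirtd both send signals to and receive signals from the guest profiles (`read` is the receive side), but the libvirt-qemu hunk in this same patch only adds `signal (receive) peer=/usr/sbin/libvirtd`, so the receive direction here has no matching send rule on the qemu side. Either drop `read` here, which is the least-privilege option, or, if qemu really does signal libvirtd, add the matching `signal (send) peer=/usr/sbin/libvirtd` to libvirt-qemu. A one-line comment on what triggers the new ptrace (readby, tracedby) and signal rules, as `# Needed for vfio` does for sys_resource, would also help future readers of the profile.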
LGTM, thanks!

-- 
Jamie Strandboge | http://www.canonical.com