
On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote:
From: Jamie Strandboge <jamie@ubuntu.com>
Allows (multi-arch enabled) access to libraries under the /usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu qemu-block-extra package.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554761
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> --- examples/apparmor/libvirt-qemu | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 91d0e02..912b4ac 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -161,6 +161,9 @@ /usr/{lib,lib64}/qemu/block-curl.so mr, /usr/{lib,lib64}/qemu/block-rbd.so mr,
+ # for Debian/Ubuntu qemu-block-extra (LP: #1554761) + /usr/lib/@{multiarch}/qemu/*.so rm, +
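Review bot: the added rule `/usr/lib/@{multiarch}/qemu/*.so rm,` writes its permissions as `rm`, while the two context lines directly above it use `mr`; use `mr` so the block reads consistently. The new rule also wildcards every .so in the multiarch directory, whereas the /usr/{lib,lib64}/qemu/ rules above it name block-curl.so and block-rbd.so individually, so the two directories end up with different coverage. Either use the same form for both, or extend the comment to say why only the multiarch path is open-ended.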
+1 as is (though s/rm/mr/ for consistency), but on my system I see block-curl.so, block-isci.so and block-rdb.so. I think it probably makes sense to adjust this rule block to simply be:

  /usr/{lib,lib64}/qemu/*.so mr,
  /usr/lib/@{multiarch}/qemu/*.so mr,

I.e., rather than limiting the libraries that qemu can mmap that are in its system library directory, allow qemu access to all of them and then mediate the accesses those libraries need in policy.

-- 
Jamie Strandboge | http://www.canonical.com
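
An added example, not part of the original thread or of libvirt: a small path matcher that compares which module paths the enumerated rules, the patched rules and the rule block proposed in the reply would each cover. The value of @{multiarch}, the sample paths and all function names are assumptions; only path matching is modelled, not the permission bits.

```python
import re

# Assumption: @{multiarch} as set in AppArmor's tunables/multiarch.
VARIABLES = {"multiarch": "*-linux-gnu*"}

def rule_to_regex(rule_path, variables=VARIABLES):
    """Compile an AppArmor path glob (subset: @{var}, {a,b}, *, **, ?)."""
    path = re.sub(r"@\{(\w+)\}", lambda m: variables[m.group(1)], rule_path)
    out, i, depth = [], 0, 0
    while i < len(path):
        c = path[i]
        if path.startswith("**", i):      # ** may cross directory separators
            out.append(".*")
            i += 2
            continue
        if c == "*":                      # * stays within one path component
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:          # separator only inside {...}
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def coverage(rules, paths):
    """Return the paths matched by at least one rule (permissions not modelled)."""
    compiled = [rule_to_regex(r) for r in rules]
    return [p for p in paths if any(rx.match(p) for rx in compiled)]

# The two rules visible as context in the hunk, then the patched and proposed sets.
ENUMERATED = ["/usr/{lib,lib64}/qemu/block-curl.so",
              "/usr/{lib,lib64}/qemu/block-rbd.so"]
PATCHED = ENUMERATED + ["/usr/lib/@{multiarch}/qemu/*.so"]
PROPOSED = ["/usr/{lib,lib64}/qemu/*.so", "/usr/lib/@{multiarch}/qemu/*.so"]

# Constructed sample paths, not taken from a real system.
SAMPLE = ["/usr/lib/qemu/block-curl.so",
          "/usr/lib64/qemu/block-ssh.so",
          "/usr/lib/x86_64-linux-gnu/qemu/block-iscsi.so",
          "/usr/lib/x86_64-linux-gnu/qemu/sub/other.so",
          "/tmp/qemu/block-curl.so"]

if __name__ == "__main__":
    for name in ("ENUMERATED", "PATCHED", "PROPOSED"):
        print(name, coverage(globals()[name], SAMPLE))
```

With any of the three rule sets, the path in a subdirectory and the path under /tmp stay unmatched, because `*` does not cross a `/`.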