On Fri, Jun 2, 2017 at 12:55 PM, Guido Günther <agx@sigxcpu.org> wrote:
> Shouldn't this only be added when macvtap is in use?
> Cheers,
>  -- Guido

Right again - like the ceph change, this is part of a category of rules where, in a perfect world, we would write virt-aa-helper code for each of them.

In this particular case, allowing that in general might be less safe, so I agree to lean towards virt-aa-helper if possible.
OTOH I'm not sure virt-aa-helper can easily detect that from the guest context it has access to; it might need to reach out to the network config, and I'm not sure if we already have a case doing that which one could easily build on to implement this.
If(f) that is done and working, it might be down to knowing the exact tap device and only adding that.

That said, if one is willing to consider this patch as-is, that would be great until it is implemented more granularly via virt-aa-helper - but otherwise please let me know; I'll then add it to a bunch of issues of the category "needs to be done in virt-aa-helper" which I already track.


--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd