On Fri, 2017-11-03 at 09:46 +0100, Christian Ehrhardt wrote:
Since qemu 2.9 via 9103f1ce "file-posix: Consider max_segments
for
BlockLimits.max_transfer" this is a new access that is denied by the
qemu profile.
It is non fatal, but prevents the fix mentioned to actually work.
It should be safe to allow reading from that path.
Since qemu opens a symlink path we need to translate that for
apparmor from
"/sys/dev/block/*/queue/max_segments" to
"/sys/devices/**/block/*/queue/max_segments"
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
examples/apparmor/libvirt-qemu | 3 +++
1 file changed, 3 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu
b/examples/apparmor/libvirt-qemu
index 97dd2d4..064501f 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -169,6 +169,9 @@
# for rbd
/etc/ceph/ceph.conf r,
+ # for file-posix getting limits since 9103f1ce
+ /sys/devices/**/block/*/queue/max_segments r,
+
# for ppc device-tree access
@{PROC}/device-tree/ r,
@{PROC}/device-tree/** r,
This LGTM. Thanks for the patch!
--
Jamie Strandboge |
http://www.canonical.com