[libvirt] [PATCH] apparmor: Don't scrub environment of virtlogd process

otherwise we drop variables like XDG_RUNTIME_DIR with qemu:///session and libvirtd failed to find virtlogd's socket. --- examples/apparmor/usr.sbin.libvirtd | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 5d606e6..23f70f5 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -45,6 +45,7 @@ /bin/* PUx, /sbin/* PUx, /usr/bin/* PUx, + /usr/sbin/virtlogd pix, /usr/sbin/* PUx, /lib/udev/scsi_id PUx, /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, -- 2.8.1
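Review bot: the new `/usr/sbin/virtlogd pix,` rule overlaps with the existing `/usr/sbin/* PUx,` rule that also matches virtlogd, and the commit message does not say how that overlap is meant to resolve; it should state that the more specific rule is intended to win, and why the fallback is `i` (inherit libvirtd's own profile when no virtlogd profile is loaded) rather than the `U` (unconfined) used by the neighbouring rules, since the two fallbacks confine virtlogd very differently. The commit message also has a typo ("faild" for "failed").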

On 06/05/2016 05:06 AM, Guido Günther wrote:
otherwise we drop variables like XDG_RUNTIME_DIR with qemu:///session and libvirtd failed to find virtlogd's socket. --- examples/apparmor/usr.sbin.libvirtd | 1 + 1 file changed, 1 insertion(+)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 5d606e6..23f70f5 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -45,6 +45,7 @@ /bin/* PUx, /sbin/* PUx, /usr/bin/* PUx, + /usr/sbin/virtlogd pix, /usr/sbin/* PUx, /lib/udev/scsi_id PUx, /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
I took a quick peek and it seems XDG_RUNTIME_DIR is the only environment variable accessed by virtlogd. So I think this is fine, but soft ACK since I'm not the apparmor expert here.

BTW, I didn't test this myself but recently received a bug report against gnome-boxes for the issue and asked those affected to test your patch. I received positive feedback from at least one user: https://bugzilla.opensuse.org/show_bug.cgi?id=980441

Regards,
Jim

Hi Jim,

On Mon, Jun 06, 2016 at 10:22:14PM -0600, Jim Fehlig wrote:
On 06/05/2016 05:06 AM, Guido Günther wrote:
otherwise we drop variables like XDG_RUNTIME_DIR with qemu:///session and libvirtd failed to find virtlogd's socket. --- examples/apparmor/usr.sbin.libvirtd | 1 + 1 file changed, 1 insertion(+)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 5d606e6..23f70f5 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -45,6 +45,7 @@ /bin/* PUx, /sbin/* PUx, /usr/bin/* PUx, + /usr/sbin/virtlogd pix, /usr/sbin/* PUx, /lib/udev/scsi_id PUx, /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
I took a quick peek and it seems XDG_RUNTIME_DIR is the only environment variable accessed by virtlogd. So I think this is fine, but soft ACK since I'm not the apparmor expert here.
BTW, I didn't test this myself but recently received a bug report against gnome-boxes for the issue and asked those affected to test your patch. I received positive feedback from at least one user
I've pushed this since there wasn't any negative feedback and the permissions are wide open (PUx) for all other binaries at the moment and libvirtd/virtlogd try hard to only pass on a sane environment.

Cheers,
 -- Guido
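As an added example that is not part of the patch or of this thread: a small POSIX shell audit that classifies AppArmor exec modes by whether they scrub the environment on transition (the PUx versus pix distinction the patch relies on) and runs it over a constructed excerpt of the profile. The uppercase-scrubs / lowercase-keeps semantics are standard AppArmor behaviour, assumed here rather than quoted from the thread.

```shell
#!/bin/sh
# Added example, not code from the libvirt patch or the thread's authors.
# Classifies AppArmor exec-transition modes by whether they scrub the
# environment on exec, and audits profile rules for the scrubbing ones.
# Assumed (standard AppArmor semantics): uppercase P/C/U scrub the
# environment, lowercase p/c/u and ix keep it.

# Print "scrub" or "keep" for an exec mode such as PUx, pix, Px or ix.
aa_env_policy() {
    # Drop leading non-exec permission letters (the r in rix or rPUx).
    m=$(printf '%s' "$1" | sed 's/^[rwmkl]*//')
    case "$m" in
        ix)      echo keep ;;    # inherit current profile, env untouched
        [PCU]*x) echo scrub ;;   # PUx, Px, Cx, Ux: environment scrubbed
        [pcu]*x) echo keep ;;    # pix, px, cx, ux: environment preserved
        *)       echo unknown ;;
    esac
}

# Read profile rules on stdin; print "<path> <mode> <policy>" per exec rule.
aa_audit_exec_rules() {
    while read -r path mode _rest; do
        mode=${mode%,}
        case "$path" in
            /*) ;;              # only file rules with absolute paths
            *) continue ;;
        esac
        case "$mode" in
            *x) printf '%s %s %s\n' "$path" "$mode" "$(aa_env_policy "$mode")" ;;
        esac
    done
}

# Count the exec rules on stdin that scrub the environment.
aa_count_scrubbing() {
    aa_audit_exec_rules | grep -c ' scrub$' || true
}

# Constructed excerpt mirroring the patched region of usr.sbin.libvirtd.
SAMPLE_PROFILE='  /bin/* PUx,
  /usr/bin/* PUx,
  /usr/sbin/virtlogd pix,
  /usr/sbin/* PUx,
  /etc/libvirt/** r,'

printf '%s\n' "$SAMPLE_PROFILE" | aa_audit_exec_rules
```

Feed a real profile with `aa_audit_exec_rules < /etc/apparmor.d/usr.sbin.libvirtd` to see which helpers libvirtd would launch with a scrubbed environment.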