[PATCH] security: apparmor: Allow QEMU read /proc/sys/vm/max_map_count

In its commit v9.0.0-rc0~1^2 QEMU started to read /proc/sys/vm/max_map_count file to set up coroutine limits better (something about VMAs, mmap(), see the commit for more info). Allow the file in apparmor profile. Resolves: https://gitlab.com/libvirt/libvirt/-/issues/660 Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/security/apparmor/libvirt-qemu.in | 1 + 1 file changed, 1 insertion(+) diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in index 8b92915281..8f17256554 100644 --- a/src/security/apparmor/libvirt-qemu.in +++ b/src/security/apparmor/libvirt-qemu.in @@ -34,6 +34,7 @@ # only modify its comm value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, @{PROC}/sys/kernel/cap_last_cap r, + @{PROC}/sys/vm/max_map_count r, @{PROC}/sys/vm/overcommit_memory r, # detect hardware capabilities via qemu_getauxval owner @{PROC}/*/auxv r, -- 2.44.2
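Review bot: the commit message justifies the new read only with "something about VMAs, mmap(), see the commit for more info" and a revision expression (`v9.0.0-rc0~1^2`) that has to be resolved against a QEMU checkout; quoting the QEMU commit's hash or subject line would let a reviewer verify why QEMU needs this file without that step. The rule itself looks right: `@{PROC}/sys/vm/max_map_count r,` is read-only, carries no `owner` qualifier (correct, since the sysctl is system-wide rather than per-process, unlike the `owner @{PROC}/@{pid}/task/@{tid}/comm rw,` line above it), and slots in sort order between the existing `cap_last_cap` and `overcommit_memory` reads. Because it lands in libvirt-qemu.in, the rule applies to every QEMU instance confined by the generated profiles, which is appropriate for a read QEMU performs at startup regardless of domain configuration.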

On Tue, Aug 20, 2024 at 12:16:20 +0200, Michal Privoznik wrote:
> In its commit v9.0.0-rc0~1^2 QEMU started to read /proc/sys/vm/max_map_count file to set up coroutine limits better (something about VMAs, mmap(), see the commit for more info). Allow the file in apparmor profile.
>
> Resolves: https://gitlab.com/libvirt/libvirt/-/issues/660
> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
> ---
>  src/security/apparmor/libvirt-qemu.in | 1 +
>  1 file changed, 1 insertion(+)
Reviewed-by: Peter Krempa <pkrempa@redhat.com>