[libvirt] [PATCH] apparmor: Add openGraphicsFD rule for named profile
Commit a3ab6d42 changed the libvirtd profile to a named profile but neglected to accommodate the change in the qemu profile ptrace and signal rules. Later on 4ec3cf9a fixed that for ptrace and signal but openGraphicsFD is still missing. As a result, libvirtd is unable to open UI on libvirt >=5.1 e.g. with virt-manager. Add openGraphicsFD rule that references the libvirtd profile by name in addition to full binary path. Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1833040 Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> --- src/security/apparmor/libvirt-qemu | 1 + 1 file changed, 1 insertion(+) diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu index 165558fe83..d33348aa05 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -208,6 +208,7 @@ /sys/firmware/devicetree/** r, # allow connect with openGraphicsFD to work + unix (send, receive) type=stream addr=none peer=(label=libvirtd), unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), # for gathering information about available host resources -- 2.21.0
On Wed, 19 Jun 2019, Christian Ehrhardt wrote:
Commit a3ab6d42 changed the libvirtd profile to a named profile but neglected to accommodate the change in the qemu profile ptrace and signal rules. Later on 4ec3cf9a fixed that for ptrace and signal but openGraphicsFD is still missing.
As a result, libvirtd is unable to open UI on libvirt >=5.1 e.g. with virt-manager.
Add openGraphicsFD rule that references the libvirtd profile by name in addition to full binary path.
Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1833040
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> --- src/security/apparmor/libvirt-qemu | 1 + 1 file changed, 1 insertion(+)
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu index 165558fe83..d33348aa05 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -208,6 +208,7 @@ /sys/firmware/devicetree/** r,
# allow connect with openGraphicsFD to work + unix (send, receive) type=stream addr=none peer=(label=libvirtd), unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
# for gathering information about available host resources
+1 to apply. Thanks for chasing this down. -- Jamie Strandboge | http://www.canonical.com
On Wed, Jun 19, 2019 at 2:07 PM Jamie Strandboge <jamie@canonical.com> wrote:
On Wed, 19 Jun 2019, Christian Ehrhardt wrote:
Commit a3ab6d42 changed the libvirtd profile to a named profile but neglected to accommodate the change in the qemu profile ptrace and signal rules. Later on 4ec3cf9a fixed that for ptrace and signal but openGraphicsFD is still missing.
As a result, libvirtd is unable to open UI on libvirt >=5.1 e.g. with virt-manager.
Add openGraphicsFD rule that references the libvirtd profile by name in addition to full binary path.
Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1833040
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> --- src/security/apparmor/libvirt-qemu | 1 + 1 file changed, 1 insertion(+)
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu index 165558fe83..d33348aa05 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -208,6 +208,7 @@ /sys/firmware/devicetree/** r,
# allow connect with openGraphicsFD to work + unix (send, receive) type=stream addr=none peer=(label=libvirtd), unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
# for gathering information about available host resources
+1 to apply. Thanks for chasing this down.
Thanks for the review Jamie. Given that the change is rather safe I'm pushing it without waiting much longer.
-- Jamie Strandboge | http://www.canonical.com
-- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd
participants (2)
-
Christian Ehrhardt -
Jamie Strandboge