[libvirt] [PATCH 1/2] apparmor: allow qemu to read max_segments

Christian Ehrhardt posted 2 patches 7 years, 6 months ago
Posted by Christian Ehrhardt 7 years, 6 months ago
Since qemu 2.9 via 9103f1ce "file-posix: Consider max_segments for
BlockLimits.max_transfer" this is a new access that is denied by the
qemu profile.

It is non-fatal, but prevents the fix mentioned from actually working.
It should be safe to allow reading from that path.

Since qemu opens a symlink path we need to translate that for apparmor from
"/sys/dev/block/*/queue/max_segments" to
"/sys/devices/**/block/*/queue/max_segments"

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 examples/apparmor/libvirt-qemu | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 97dd2d4..064501f 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -169,6 +169,9 @@
   # for rbd
   /etc/ceph/ceph.conf r,
 
+  # for file-posix getting limits since 9103f1ce
+  /sys/devices/**/block/*/queue/max_segments r,
+
   # for ppc device-tree access
   @{PROC}/device-tree/ r,
   @{PROC}/device-tree/** r,
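Review bot: the comment `# for file-posix getting limits since 9103f1ce` cites a bare hash that lives in the qemu tree, not libvirt's; say so in the profile (e.g. `# for qemu file-posix reading block limits, qemu commit 9103f1ce`) so a reader does not search libvirt's history for it. The rule itself is the right shape: AppArmor checks the resolved path, so the target of the /sys/dev/block/<maj:min> symlink is what has to be permitted, and `/sys/devices/**/block/*/queue/max_segments r,` grants read on that single attribute rather than opening /sys/devices more broadly.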
-- 
2.7.4

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
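How the symlink translation described in the commit message plays out, as an added example that is not part of the patch or of this thread. It assumes a small constructed table of /sys/dev/block link targets (real hosts differ) and implements only the `*`, `**` and `?` subset of AppArmor path globbing; the helper names (`apparmor_glob_to_regex`, `resolve_dev_block`, `check_all`) are the example's own, not libvirt or AppArmor API.

```python
"""
Added example (not libvirt or qemu code): why the AppArmor rule has to name
the *resolved* sysfs path.

AppArmor mediates file access on the canonical, symlink-resolved path, so
qemu opening /sys/dev/block/MAJ:MIN/queue/max_segments is checked against
wherever that symlink points under /sys/devices.  The link table below is
constructed for the example; link targets vary per host.
"""
import posixpath
import re

# Rule added by the patch, as written in examples/apparmor/libvirt-qemu.
RULE = "/sys/devices/**/block/*/queue/max_segments"

# Path qemu's file-posix driver actually opens (qemu commit 9103f1ce).
QEMU_PATH_TEMPLATE = "/sys/dev/block/{major}:{minor}/queue/max_segments"

# Constructed link targets, in the form `readlink /sys/dev/block/MAJ:MIN`
# prints them (relative to /sys/dev/block/).  Assumed values, not captured.
FAKE_SYSFS_LINKS = {
    (253, 0): "../../devices/pci0000:00/0000:00:04.0/virtio1/block/vda",
    (8, 0): "../../devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda",
    (252, 0): "../../devices/virtual/block/dm-0",
}


def apparmor_glob_to_regex(rule: str) -> re.Pattern:
    """Translate the AppArmor glob subset used here: '**' matches any run of
    characters including '/', '*' matches any run without '/', '?' matches
    one non-'/' character.  Everything else is literal.  No @{VAR} expansion
    and no {a,b} alternation (assumption: the profile line needs neither)."""
    out = []
    i = 0
    while i < len(rule):
        if rule.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = rule[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def resolve_dev_block(major: int, minor: int, links=FAKE_SYSFS_LINKS) -> str:
    """Resolve /sys/dev/block/MAJ:MIN/queue/max_segments to the canonical
    path AppArmor will check, using the constructed link table instead of
    os.path.realpath so this runs without a real sysfs."""
    target = links[(major, minor)]
    resolved_dev = posixpath.normpath(posixpath.join("/sys/dev/block", target))
    return resolved_dev + "/queue/max_segments"


def rule_permits(rule: str, path: str) -> bool:
    """True if an AppArmor path rule with this glob would match `path`."""
    return apparmor_glob_to_regex(rule).match(path) is not None


def check_all(links=FAKE_SYSFS_LINKS) -> dict:
    """For each constructed device, report whether RULE matches the path
    qemu opens (symlink form) and whether it matches the resolved form.
    Only the resolved form matters to AppArmor; the symlink form is shown
    to make clear why a /sys/dev/block/... rule would not have worked."""
    result = {}
    for (major, minor) in links:
        opened = QEMU_PATH_TEMPLATE.format(major=major, minor=minor)
        resolved = resolve_dev_block(major, minor, links)
        result[(major, minor)] = {
            "opened": opened,
            "resolved": resolved,
            "symlink_form_matches": rule_permits(RULE, opened),
            "resolved_form_matches": rule_permits(RULE, resolved),
        }
    return result


if __name__ == "__main__":
    for dev, r in check_all().items():
        verdict = "allowed" if r["resolved_form_matches"] else "DENIED"
        print(f"{dev[0]}:{dev[1]}  {r['resolved']}  {verdict}")
```

On a real host, replace the table lookup in `resolve_dev_block` with `os.path.realpath` on the symlink and compare against the rule; the regex translation deliberately keeps `*` from crossing a `/`, which is what stops the rule from matching deeper paths such as `.../block/dm-0/holders/queue/max_segments`.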
Re: [libvirt] [PATCH 1/2] apparmor: allow qemu to read max_segments
Posted by Jamie Strandboge 7 years, 6 months ago
On Fri, 2017-11-03 at 09:46 +0100, Christian Ehrhardt wrote:
> Since qemu 2.9 via 9103f1ce "file-posix: Consider max_segments for
> BlockLimits.max_transfer" this is a new access that is denied by the
> qemu profile.
> 
> It is non-fatal, but prevents the fix mentioned from actually working.
> It should be safe to allow reading from that path.
> 
> Since qemu opens a symlink path we need to translate that for
> apparmor from
> "/sys/dev/block/*/queue/max_segments" to
> "/sys/devices/**/block/*/queue/max_segments"
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
>  examples/apparmor/libvirt-qemu | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/examples/apparmor/libvirt-qemu
> b/examples/apparmor/libvirt-qemu
> index 97dd2d4..064501f 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -169,6 +169,9 @@
>    # for rbd
>    /etc/ceph/ceph.conf r,
>  
> +  # for file-posix getting limits since 9103f1ce
> +  /sys/devices/**/block/*/queue/max_segments r,
> +
>    # for ppc device-tree access
>    @{PROC}/device-tree/ r,
>    @{PROC}/device-tree/** r,

This LGTM. Thanks for the patch!

-- 
Jamie Strandboge             | http://www.canonical.com