From: Jamie Strandboge <jamie@ubuntu.com>
Allows (multi-arch enabled) access to libraries under the
/usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu
qemu-block-extra package.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554761
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
examples/apparmor/libvirt-qemu | 3 +++
1 file changed, 3 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 91d0e02..912b4ac 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -161,6 +161,9 @@
/usr/{lib,lib64}/qemu/block-curl.so mr,
/usr/{lib,lib64}/qemu/block-rbd.so mr,
+ # for Debian/Ubuntu qemu-block-extra (LP: #1554761)
+ /usr/lib/@{multiarch}/qemu/*.so rm,
+
# for use by libvirt-vnc (LP: #901272)
/etc/pki/CA/ r,
/etc/pki/CA/* r,
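Review bot: The added rule `/usr/lib/@{multiarch}/qemu/*.so rm,` writes its permissions as `rm` while the two context rules directly above it use `mr`; use `mr` so the block reads uniformly. The new rule also globs `*.so`, whereas the /usr/{lib,lib64}/qemu rules still name block-curl.so and block-rbd.so one by one, so the two directory layouts end up with different coverage. Either widen both paths to `*.so` or list the modules for the multiarch path as well, and have the comment say which is intended.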
--
2.7.4
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote:
> From: Jamie Strandboge <jamie@ubuntu.com>
>
> Allows (multi-arch enabled) access to libraries under the
> /usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu
> qemu-block-extra package.
>
> Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554761
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
> examples/apparmor/libvirt-qemu | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/examples/apparmor/libvirt-qemu > b/examples/apparmor/libvirt-qemu > index 91d0e02..912b4ac 100644 > --- a/examples/apparmor/libvirt-qemu > +++ b/examples/apparmor/libvirt-qemu > @@ -161,6 +161,9 @@ > /usr/{lib,lib64}/qemu/block-curl.so mr, > /usr/{lib,lib64}/qemu/block-rbd.so mr, > > + # for Debian/Ubuntu qemu-block-extra (LP: #1554761) > + /usr/lib/@{multiarch}/qemu/*.so rm, > +

+1 as is (though s/rm/mr/ for consistency), but on my system I see block-curl.so, block-isci.so and block-rdb.so. I think it probably makes sense to adjust this rule block to simply be:

  /usr/{lib,lib64}/qemu/*.so mr,
  /usr/lib/@{multiarch}/qemu/*.so mr,

I.e., rather than limiting the libraries that qemu can mmap that are in its system library directory, allow qemu access to all of them and then mediate the accesses those libraries need in policy.

--
Jamie Strandboge | http://www.canonical.com
On Tue, Dec 19, 2017 at 5:09 PM, Jamie Strandboge <jamie@canonical.com> wrote:
> On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote:
>> From: Jamie Strandboge <jamie@ubuntu.com>
>>
>> Allows (multi-arch enabled) access to libraries under the
>> /usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu
>> qemu-block-extra package.
>>
>> Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554761
>>
>> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
>> ---
>> examples/apparmor/libvirt-qemu | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/examples/apparmor/libvirt-qemu >> b/examples/apparmor/libvirt-qemu >> index 91d0e02..912b4ac 100644 >> --- a/examples/apparmor/libvirt-qemu >> +++ b/examples/apparmor/libvirt-qemu >> @@ -161,6 +161,9 @@ >> /usr/{lib,lib64}/qemu/block-curl.so mr, >> /usr/{lib,lib64}/qemu/block-rbd.so mr, >> >> + # for Debian/Ubuntu qemu-block-extra (LP: #1554761) >> + /usr/lib/@{multiarch}/qemu/*.so rm, >> +
>
> +1 as is (though s/rm/mr/ for consistency),

ack

> but on my system I see
> block-curl.so, block-isci.so and block-rdb.so. I think it probably
> makes sense to adjust this rule block to simply be:

Yeah the number of those so's can change anyway.
The upper path is mostly for rpm systems, but e.g. SUSE is rpm+apparmor so your suggestion is great.

> /usr/{lib,lib64}/qemu/*.so mr,
> /usr/lib/@{multiarch}/qemu/*.so mr,
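To see what the wildcard form discussed in this thread changes, here is an added example (not part of the thread or of libvirt) that compares the original rules, the first patch and the suggested rule block against constructed module paths. It models only the `*`, `{a,b}` and `@{var}` path syntax used here, ignores the permission letters, and assumes `@{multiarch}` expands to `*-linux-gnu*` as in the Debian/Ubuntu AppArmor tunables.

```python
import re

# Assumption: Debian/Ubuntu's tunables/multiarch sets @{multiarch} to this glob.
VARIABLES = {"multiarch": "*-linux-gnu*"}

ORIGINAL = ["/usr/{lib,lib64}/qemu/block-curl.so",
            "/usr/{lib,lib64}/qemu/block-rbd.so"]
FIRST_PATCH = ORIGINAL + ["/usr/lib/@{multiarch}/qemu/*.so"]
SUGGESTED = ["/usr/{lib,lib64}/qemu/*.so",
             "/usr/lib/@{multiarch}/qemu/*.so"]

# Constructed sample paths, not taken from a real system.
SAMPLE_PATHS = [
    "/usr/lib64/qemu/block-curl.so",
    "/usr/lib64/qemu/block-ssh.so",
    "/usr/lib/x86_64-linux-gnu/qemu/block-curl.so",
    "/usr/lib/x86_64-linux-gnu/qemu/sub/plugin.so",
]

def rule_to_regex(rule):
    """Translate one path rule to a regex (subset: *, {a,b}, @{var}; no **)."""
    for name, value in VARIABLES.items():
        rule = rule.replace("@{%s}" % name, value)
    out, i = "", 0
    while i < len(rule):
        c = rule[i]
        if c == "*":                      # any run of characters except '/'
            out += "[^/]*"
        elif c == "{":                    # {a,b} alternation
            end = rule.index("}", i)
            alts = rule[i + 1:end].split(",")
            out += "(?:" + "|".join(re.escape(a) for a in alts) + ")"
            i = end
        else:
            out += re.escape(c)
        i += 1
    return re.compile(out + r"\Z")

def allowed(rules, path):
    """True if any rule in the list matches the whole path."""
    return any(rule_to_regex(r).match(path) for r in rules)

def coverage(rules, paths=SAMPLE_PATHS):
    """Return the sample paths a rule list would let qemu open."""
    return [p for p in paths if allowed(rules, p)]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("first patch", FIRST_PATCH),
                        ("suggested", SUGGESTED)):
        print(name, coverage(rules))
```

The nested `sub/plugin.so` path stays denied under every rule list because `*` does not cross a directory separator.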
From: Jamie Strandboge <jamie@ubuntu.com>
Allows (multi-arch enabled) access to libraries under the
/usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu
qemu-block-extra package and all such libs for the paths
of rpm qemu-block-* packages.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554761
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
examples/apparmor/libvirt-qemu | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 91d0e02..34a564f 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -158,8 +158,9 @@
/usr/bin/qemu-sparc64 rmix,
/usr/bin/qemu-unicore32 rmix,
/usr/bin/qemu-x86_64 rmix,
- /usr/{lib,lib64}/qemu/block-curl.so mr,
- /usr/{lib,lib64}/qemu/block-rbd.so mr,
+ # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
+ /usr/{lib,lib64}/qemu/*.so mr,
+ /usr/lib/@{multiarch}/qemu/*.so mr,
# for use by libvirt-vnc (LP: #901272)
/etc/pki/CA/ r,
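Review bot: Replacing the two named modules with `/usr/{lib,lib64}/qemu/*.so mr,` lets the confined qemu read and map any shared object placed directly in those directories, not only block-curl.so and block-rbd.so, yet the comment above the rules only names the packages. Extend that comment to state that the wildcard is deliberate and that the accesses the individual modules need are expected to be mediated by other rules in the profile, so a later reader does not narrow it back to a per-file list or assume the glob grants more than read and mmap.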
--
2.7.4
Christian Ehrhardt:
> From: Jamie Strandboge <jamie@ubuntu.com>
> Allows (multi-arch enabled) access to libraries under the
> /usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu
> qemu-block-extra package and all such libs for the paths
> of rpm qemu-block-* packages.
> Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554761
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
> examples/apparmor/libvirt-qemu | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu > index 91d0e02..34a564f 100644 > --- a/examples/apparmor/libvirt-qemu > +++ b/examples/apparmor/libvirt-qemu > @@ -158,8 +158,9 @@ > /usr/bin/qemu-sparc64 rmix, > /usr/bin/qemu-unicore32 rmix, > /usr/bin/qemu-x86_64 rmix, > - /usr/{lib,lib64}/qemu/block-curl.so mr, > - /usr/{lib,lib64}/qemu/block-rbd.so mr, > + # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761) > + /usr/{lib,lib64}/qemu/*.so mr, > + /usr/lib/@{multiarch}/qemu/*.so mr,

+1
On Wed, 2017-12-20 at 08:41 +0100, Christian Ehrhardt wrote:
> From: Jamie Strandboge <jamie@ubuntu.com>
>
> Allows (multi-arch enabled) access to libraries under the
> /usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu
> qemu-block-extra package and all such libs for the paths
> of rpm qemu-block-* packages.
>
> Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554761
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
> examples/apparmor/libvirt-qemu | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/examples/apparmor/libvirt-qemu > b/examples/apparmor/libvirt-qemu > index 91d0e02..34a564f 100644 > --- a/examples/apparmor/libvirt-qemu > +++ b/examples/apparmor/libvirt-qemu > @@ -158,8 +158,9 @@ > /usr/bin/qemu-sparc64 rmix, > /usr/bin/qemu-unicore32 rmix, > /usr/bin/qemu-x86_64 rmix, > - /usr/{lib,lib64}/qemu/block-curl.so mr, > - /usr/{lib,lib64}/qemu/block-rbd.so mr, > + # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: > #1554761) > + /usr/{lib,lib64}/qemu/*.so mr, > + /usr/lib/@{multiarch}/qemu/*.so mr, >

+1 to apply. Thanks for the update. :)

--
Jamie Strandboge | http://www.canonical.com