openkylin
/
libvirt
mirror of https://gitee.com/openkylin/libvirt.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

apparmor: allow to call vhost-user-gpu 

Configuring vhost-user-gpu like:
    <video>
      <driver name='vhostuser'/>
      <model type='virtio' heads='1'/>
    </video>
Triggers an apparmor denial like:
    apparmor="DENIED" operation="exec" profile="libvirtd"
    name="/usr/lib/qemu/vhost-user-gpu" pid=888257 comm="libvirtd"
    requested_mask="x" denied_mask="x" fsuid=0 ouid=0

This helper is provided by qemu for vhost-user-gpu and thereby being
in the same path as qemu_bridge_helper. Due to that adding a rule allowing
to call uses the same path list.

Reviewed-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
This commit is contained in:
Christian Ehrhardt 2020-02-13 12:29:00 +01:00
parent 958d6ebe53
commit 8dd9875787
No known key found for this signature in database
GPG Key ID: BA3E29338280B242
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/security/apparmor/usr.sbin.libvirtd.in
View File

@ -86,6 +86,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
/usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
/usr/{lib,lib64}/xen/bin/* Ux,
/usr/lib/xen-*/bin/libxl-save-helper PUx,
/usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
# Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
# read and run an ebtables script.