apparmor: allow qemu to read max_segments

Since qemu 2.9 via 9103f1ce "file-posix: Consider max_segments for BlockLimits.max_transfer" this is a new access that is denied by the qemu profile. It is non fatal, but prevents the fix mentioned to actually work. It should be safe to allow reading from that path. Since qemu opens a symlink path we need to translate that for apparmor from "/sys/dev/block/*/queue/max_segments" to "/sys/devices/**/block/*/queue/max_segments" Signed-off-by: N Christian Ehrhardt <christian.ehrhardt@canonical.com>

apparmor: allow qemu to read max_segments
Since qemu 2.9 via 9103f1ce "file-posix: Consider max_segments for BlockLimits.max_transfer" this is a new access that is denied by the qemu profile. It is non fatal, but prevents the fix mentioned to actually work. It should be safe to allow reading from that path. Since qemu opens a symlink path we need to translate that for apparmor from "/sys/dev/block/*/queue/max_segments" to "/sys/devices/**/block/*/queue/max_segments" Signed-off-by: N Christian Ehrhardt <christian.ehrhardt@canonical.com>
37a4e6d4 · Christian Ehrhardt · Michal Privoznik · 96be3e72 · 37a4e6d4
隐藏空白更改
内联并排

Showing with 3 addition and 0 deletion

examples/apparmor/libvirt-qemu examples/apparmor/libvirt-qemu +3 -0

未找到文件。
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -169,6 +169,9 @@
  # for rbd
  /etc/ceph/ceph.conf r,

+  # for file-posix getting limits since 9103f1ce
+  /sys/devices/**/block/*/queue/max_segments r,
+
  # for ppc device-tree access
  @{PROC}/device-tree/ r,
  @{PROC}/device-tree/** r,