Do nor clear caps when invoking virt-aa-helper
The calls to virExec() in security_apparmor.c when invoking virt-aa-helper use VIR_EXEC_CLEAR_CAPS. When compiled without libcap-ng, this is not a problem (it's effectively a no-op) but with libcap-ng this causes MAC_ADMIN to be cleared. MAC_ADMIN is needed by virt-aa-helper to manipulate apparmor profiles and without it VMs will not start[1]. This patch calls virExec with the default VIR_EXEC_NONE instead. * src/security/security_apparmor.c: fallback to VIR_EXEC_NONE flags for virExec of virt_aa_helper
Showing
想要评论请 注册 或 登录