提交 · c0273cd6f28bebb1e9fc2b9f2ec0fd789aeffd33 · openeuler / libvirt

23 1月, 2015 2 次提交

由 Mike Latimer 提交于 1月 19, 2015

The network and nwfilter tests contained in the libvirt-TCK testkit can fail
unless access to raw network packets is granted. Without this access, the
following apparmor error can be seen while running the tests:

apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/libvirtd"
pid=94731 comm="libvirtd" family="packet" sock_type="raw" protocol=768

c0273cd6

Fix apparmor issues for Xen · b61fb8e8

由 Mike Latimer 提交于 1月 19, 2015

In order for apparmor to work properly in Xen environments, the following
access rights need to be allowed:

 - Allow CAP_SYS_PACCT, which is required when resetting some multi-port
   Broadcom cards by writting to the PCI config space

 - Allow CAP_IPC_LOCK, which is required to lock/unlock memory. Without
   this setting, an error 'Resource temporarily unavailable' can be seen
   while attempting to mmap memory. At the same time, the following
   apparmor message is seen:

   apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd"
   pid=2097 comm="libvirtd" pid=2097 comm="libvirtd" capability=14
   capname="ipc_lock"

 - Allow access to distribution specific directories:
     /usr/{lib,lib64}/xen/bin

b61fb8e8

05 1月, 2015 1 次提交

Teach AppArmor, that /usr/lib64 may exist. · 30c6aecc

由 Cedric Bosdonnat 提交于 12月 15, 2014

The apparmor profiles forgot about /usr/lib64 folders, just add lib64
as a possible alternative to lib in the paths

30c6aecc

27 3月, 2014 1 次提交

Fix apparmor profile to make vfio pci passthrough work · 74e86b6b

由 Cédric Bosdonnat 提交于 3月 25, 2014

See lp#1276719 for the bug description. As virt-aa-helper doesn't know
the VFIO groups to use for the guest, allow access to all
/dev/vfio/[0-9]* and /dev/vfio/vfio files if there is a potential need
for vfio
Signed-off-by: NEric Blake <eblake@redhat.com>

74e86b6b

08 2月, 2014 1 次提交

apparmor: Improve profiles · f88a3d9b

由 Felix Geyer 提交于 1月 26, 2014

Tested on Debian unstable.
The profile updates are partly taken from the Ubuntu trusty libvirt package.
Signed-off-by: NGuido Günther <agx@sigxcpu.org>

f88a3d9b

07 4月, 2010 1 次提交

Improve the apparmor example · 2df32060

由 Jamie Strandboge 提交于 4月 06, 2010

* examples/apparmor/libvirt-qemu examples/apparmor/usr.sbin.libvirtd
  examples/apparmor/usr.lib.libvirt.virt-aa-helper: Update the examples

2df32060

13 11月, 2009 1 次提交

AppArmor updates of examples · a8a560dd

由 Jamie Strandboge 提交于 11月 13, 2009

* examples/apparmor/libvirt-qemu: adds pulseaudio, alsa and preliminary
  save/restore to the example apparmor abstraction
* examples/apparmor/usr.sbin.libvirtd: allows libvirtd access to inet
  dgram, inet6 dgram, inet6 stream and /usr/lib/libvirt/*

a8a560dd

08 10月, 2009 1 次提交

Documentation and examples for SVirt Apparmor driver · 624a7927

由 Jamie Strandboge 提交于 10月 08, 2009

* docs/drvqemu.html.in: include documentation for AppArmor sVirt
  confinement
* examples/apparmor/TEMPLATE examples/apparmor/libvirt-qemu
  examples/apparmor/usr.lib.libvirt.virt-aa-helper
  examples/apparmor/usr.sbin.libvirtd: example templates and
  configuration files for SVirt Apparmor when using KVM/QEmu

624a7927