On Fri, 2017-11-03 at 09:46 +0100, Christian Ehrhardt wrote: > Since qemu 2.9 via 9103f1ce "file-posix: Consider max_segments for > BlockLimits.max_transfer" this is a new access that is denied by the > qemu profile. > > It is non fatal, but prevents the fix mentioned to actually work. > It should be safe to allow reading from that path. > > Since qemu opens a symlink path we need to translate that for > apparmor from > "/sys/dev/block/*/queue/max_segments" to > "/sys/devices/**/block/*/queue/max_segments" > > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> > --- > examples/apparmor/libvirt-qemu | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/examples/apparmor/libvirt-qemu > b/examples/apparmor/libvirt-qemu > index 97dd2d4..064501f 100644 > --- a/examples/apparmor/libvirt-qemu > +++ b/examples/apparmor/libvirt-qemu > @@ -169,6 +169,9 @@ > # for rbd > /etc/ceph/ceph.conf r, > > + # for file-posix getting limits since 9103f1ce > + /sys/devices/**/block/*/queue/max_segments r, > + > # for ppc device-tree access > @{PROC}/device-tree/ r, > @{PROC}/device-tree/** r, This LGTM. Thanks for the patch! -- Jamie Strandboge | http://www.canonical.com
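Review bot: the comment above the new rule in examples/apparmor/libvirt-qemu cites "9103f1ce" without saying that it is a qemu commit, and it does not record why the rule names /sys/devices/**/block/*/queue/max_segments when qemu opens /sys/dev/block/*/queue/max_segments. Both facts appear only in the commit message, so someone reading the profile later has no way to tell that the path was translated on purpose because of the symlink. Suggest extending the comment to something like "# for file-posix getting limits since qemu 2.9 (9103f1ce); qemu opens the symlink /sys/dev/block/*/queue/max_segments". The rule itself grants only "r" and is limited to files named max_segments, which matches the need stated in the commit message.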
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list