On Sun, 2017-11-05 at 15:29 +0000, intrigeri+libvirt@xxxxxxxx wrote: > From: intrigeri <intrigeri+libvirt@xxxxxxxx> > > --- > examples/apparmor/libvirt-qemu | 4 ++++ > examples/apparmor/usr.sbin.libvirtd | 6 ++++++ > 2 files changed, 10 insertions(+) > > diff --git a/examples/apparmor/libvirt-qemu > b/examples/apparmor/libvirt-qemu > index 97dd2d45a9..9d487bf92f 100644 > --- a/examples/apparmor/libvirt-qemu > +++ b/examples/apparmor/libvirt-qemu > @@ -16,6 +16,10 @@ > network inet stream, > network inet6 stream, > > + ptrace (readby, tracedby) peer=/usr/sbin/libvirtd, > + > + signal (receive) peer=/usr/sbin/libvirtd, > + These LGTM > /dev/net/tun rw, > /dev/kvm rw, > /dev/ptmx rw, > diff --git a/examples/apparmor/usr.sbin.libvirtd > b/examples/apparmor/usr.sbin.libvirtd > index 819068ffc3..d2831aa491 100644 > --- a/examples/apparmor/usr.sbin.libvirtd > +++ b/examples/apparmor/usr.sbin.libvirtd > @@ -30,10 +30,13 @@ > # Needed for vfio > capability sys_resource, > > + mount, > + Yuck, but fixed in 2/2. Better might've been to skip this rule and add all the mount rules in 2/2. > network inet stream, > network inet dgram, > network inet6 stream, > network inet6 dgram, > + network netlink raw, Looks fine. Almost certainly needed for udev. > network packet dgram, > network packet raw, > > @@ -42,6 +45,9 @@ > ptrace (trace) peer=/usr/sbin/dnsmasq, > ptrace (trace) peer=libvirt-*, > > + signal (send) peer=/usr/sbin/dnsmasq, > + signal (read, send) peer=libvirt-*, > + LGTM, thanks! -- Jamie Strandboge | http://www.canonical.com
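Review bot: in the examples/apparmor/libvirt-qemu hunk (@@ -16,6 +16,10), the new `ptrace (readby, tracedby)` and `signal (receive)` rules have no comment saying which libvirtd operation needs them, and `readby` has no counterpart in the lines shown. The usr.sbin.libvirtd context only shows `ptrace (trace) peer=libvirt-*`, which pairs with `tracedby`. Suggest a one-line comment above the two rules, and either confirm that the libvirtd profile has a matching `ptrace (read) peer=libvirt-*` outside the visible context or drop `readby`.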
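Review bot: in the examples/apparmor/usr.sbin.libvirtd hunk at @@ -30,10 +30,13, the bare `mount,` rule permits every mount operation with no restriction on filesystem type, options, source or mount point, and neither it nor `network netlink raw,` has a comment like the `# Needed for vfio` just above. Since the reply says 2/2 fixes the mount rule, this patch could leave `mount,` out entirely so that no intermediate commit carries the unrestricted rule. A short comment on `network netlink raw,` recording what needs it would help later audits of the profile.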
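Review bot: in the examples/apparmor/usr.sbin.libvirtd hunk at @@ -42,6 +45,9, `signal (read, send) peer=libvirt-*,` mixes two keyword spellings and grants a direction that nothing else in this patch matches. `read` is the same permission as `receive`, which is the keyword the libvirt-qemu hunk uses, and that hunk gives guests only `signal (receive) peer=/usr/sbin/libvirtd`, with no `send`. If libvirtd really has to accept signals from guests, suggest writing `signal (receive, send)` for consistency and adding the matching `signal (send)` rule on the guest side; otherwise reduce the rule to `signal (send) peer=libvirt-*,`.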
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list