On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote:
> vfio devices are generated on the fly, but the generic base is
> missing.
>
> The base vfio has not much functionality but to provide a custom
> container by opening this path.
> See https://www.kernel.org/doc/Documentation/vfio.txt for more.
>
> Current access by qemu is "wr":
> [ 2652.756712] audit: type=1400 audit(1491303691.719:25):
> apparmor="DENIED" operation="open"
> profile="libvirt-17a61b87-5132-497c-b928-421ac2ee0c8a"
> name="/dev/vfio/vfio" pid=8486 comm="qemu-system-x86"
> requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0
>
> Bug-Ubuntu: https://bugs.launchpad.net/bugs/1678322
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
> Signed-off-by: Stefan Bader <stefan.bader@xxxxxxxxxxxxx>
> ---
>  examples/apparmor/libvirt-qemu | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index 5d811f9..eb4d58c 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -212,3 +212,6 @@
>    # silence refusals to open lttng files (see LP: #1432644)
>    deny /dev/shm/lttng-ust-wait-* r,
>    deny /run/shm/lttng-ust-wait-* r,
> +
> +  # for vfio (LP: #1678322)
> +  /dev/vfio/vfio rw,

Why not just also add this rule iff there is a vfio-specific device rule?
I.e., just add this along with the vfio device rule in virt-aa-helper
instead of giving all VMs access when it isn't needed.

--
Jamie Strandboge | http://www.canonical.com
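Review bot: The added `/dev/vfio/vfio rw,` rule at the end of the hunk is unconditional, so every guest confined by the base libvirt-qemu profile gains open access to the VFIO container device even when no VFIO group device has been assigned to it; this widens the baseline profile for all VMs to cover a need that only VFIO-passthrough guests have. Since the per-VM rules for the assigned `/dev/vfio/<group>` devices are already generated dynamically, the container rule belongs alongside them in that generated per-VM profile rather than in the shared base, so that the grant is tied to the presence of an actual vfio device rule. Minor: the rule is appended under the `# silence refusals to open lttng files` block; a separate comment heading makes the intent clearer when the rule does stay in this file.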
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list