Christian Ehrhardt: > On Mon, Jun 11, 2018 at 8:12 AM, Michal Prívozník <mprivozn@xxxxxxxxxx> > wrote: >> Thank you for your exhaustive explanation. You've convinced me that it's >> safe to merge this patch. However, what I still don't quite understand >> is: Nova uses that path for ages, doesn't it? How come we've hit the bug >> only now? >> > We didn't Ubuntu had this as downstream Delta as long as I can remember - I > guess only now someone drives Nova in Debian to that point. No Debian stable release has had AppArmor enabled by default yet, which I think explains why nobody noticed this problem there so far. >> Oh, I can't merge the patch as-is because it is missing S-O-B line which >> is required (https://libvirt.org/hacking.html). Also, it would be nice >> if you can use your real name. > We had the real name discussion before, but at least the S-O-B as agreed > last time should be added. Here's an attached patch with S-O-B added. Sorry I did not keep up-to-date with the contribution guidelines update, I'm not contributing that often and only to a tiny part of libvirt, so I only skim over what's happening on the mailing list. > And I'd ask for an opinion on the "other" paths I listed - I can only > recommend adding as much as we can commonly agree to be useful. > To avoid coming back every few months adding another such line :-) Indeed. Perhaps next step is to check if the same paths are used on other major distros? Cheers, -- intrigeri
>From f4ea2da3ddeb275b3bd08b33ebe858dd6f7f274f Mon Sep 17 00:00:00 2001 From: intrigeri <intrigeri+libvirt@xxxxxxxx> Date: Sat, 9 Jun 2018 19:26:26 +0000 Subject: [PATCH] AppArmor: allow virt-aa-helper read access to Nova's qcow backing files. As reported on https://bugs.debian.org/892431, without this rule, when launching a QEMU KVM instance, an error occurs immediately upon launching the QEMU process such as: Could not open backing file: Could not open '/var/lib/nova/instances/_base/affe96668a4c64ef380ff1c71b4caec17039080e': Permission denied The other instance disk images are already covered by the existing rule: /**/disk{,.*} r Signed-off-by: intrigeri <intrigeri@xxxxxxxx> --- examples/apparmor/usr.lib.libvirt.virt-aa-helper | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper index 6869685c05..e32402a904 100644 --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper +++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper @@ -50,6 +50,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { @{HOME}/** r, /var/lib/libvirt/images/ r, /var/lib/libvirt/images/** r, + /var/lib/nova/instances/_base/* r /{media,mnt,opt,srv}/** r, # For virt-sandbox /{,var/}run/libvirt/**/[sv]d[a-z] r, -- 2.17.1
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
