On Mon, Jun 7, 2021 at 6:34 PM Jim Fehlig <jfehlig@xxxxxxxx> wrote: > > The audit log contains the following denials from libvirtd > > apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="daemon-init" capability=17 capname="sys_rawio" > apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=39 capname="bpf" > apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=38 capname="perfmon" > > Squelch the denials and allow the capabilities in the libvirtd > apparmor profile. > > Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx> > --- > > I'm not really sure when these denials first started appearing, nor > have I noticed any problems they are causing. Likely I have not exercised > the affected functionality. > > src/security/apparmor/usr.sbin.libvirtd.in | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in > index bf4563e1e8..928782b709 100644 > --- a/src/security/apparmor/usr.sbin.libvirtd.in > +++ b/src/security/apparmor/usr.sbin.libvirtd.in > @@ -25,6 +25,9 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { > capability fsetid, > capability audit_write, > capability ipc_lock, > + capability sys_rawio, > + capability bpf, > + capability perfmon, > > # Needed for vfio > capability sys_resource, > -- > 2.31.1 > > The patch LGTM, but the title is confusing. Maybe the following? "apparmor: Permit new capabilities required by libvirt" Otherwise... Reviewed-by: Neal Gompa <ngompa13@xxxxxxxxx> -- 真実はいつも一つ!/ Always, there's only one truth!
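Review bot: the three added `capability` lines carry no comment saying which libvirt code path needs them, while the cover text admits the trigger is unknown ("I'm not really sure when these denials first started appearing"); the adjacent `# Needed for vfio` block shows the profile's convention of annotating such grants. Before adding `capability sys_rawio,` in particular, identify the operation behind the `comm="daemon-init"` denial and record it both in a comment above the new lines and in the commit message, since sys_rawio is a broad grant compared with `bpf` and `perfmon`. If the functionality turns out not to be needed, an explicit `deny capability sys_rawio,` rule silences the audit entry without widening the profile.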