Oops, I didn't intend for the commit author email to be gitlab@xxxxxxxxxxxxxx here. Would you please use c@xxxxxxxxxxxxxx as the author of the patch?
On Wed, May 11, 2022, 6:09 PM Max Goodhart <c@xxxxxxxxxxxxxx> wrote:
From: Max Goodhart <gitlab@xxxxxxxxxxxxxx>
This fixes a blank screen when viewing a VM with virtio graphics and
gl-accelerated Spice display on Ubuntu 22.04 / libvirt 8.0.0 / qemu 6.2.
Without these AppArmor permissions, the libvirt error log contains
repetitions of:
qemu_spice_gl_scanout_texture: failed to get fd for texture
This appears to be similar to this GNOME Boxes issue:
https://gitlab.gnome.org/GNOME/gnome-boxes/-/issues/586
Signed-off-by: Max Goodhart <c@xxxxxxxxxxxxxx>
---
src/security/virt-aa-helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 1f1cce8b3d..b314d2a059 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1316,7 +1316,7 @@ get_files(vahControl * ctl)
virBufferAddLit(&buf, " \"/dev/nvidiactl\" rw,\n");
virBufferAddLit(&buf, " # Probe DRI device attributes\n");
virBufferAddLit(&buf, " \"/dev/dri/\" r,\n");
- virBufferAddLit(&buf, " \"/sys/devices/**/{uevent,vendor,device,subsystem_vendor,subsystem_device}\" r,\n");
+ virBufferAddLit(&buf, " \"/sys/devices/**/{uevent,vendor,device,subsystem_vendor,subsystem_device,config,revision}\" r,\n");
virBufferAddLit(&buf, " # dri libs will trigger that, but t is not requited and DAC would deny it anyway\n");
virBufferAddLit(&buf, " deny \"/var/lib/libvirt/.cache/\" w,\n");
}
--
2.34.1
