Re: PATCH 3/4: AppArmor updates

On Thu, 2010-09-23 at 16:10 +0100, Daniel P. Berrange wrote:
> On Mon, Aug 16, 2010 at 02:45:02PM -0500, Jamie Strandboge wrote:
> > Author: Jamie Strandboge <jamie@xxxxxxxxxxxxx>
> > Description: AppArmor example profile adjustments:
> >  - libvirt-qemu: allow guests setgid and setuid so qemu can drop privileges
> >  - virt-aa-helper:
> >    + allow access to @{PROC}/[0-9]*/net/psched
> >    + allow searching /sys/bus/usb/devices/
> >    + deny access to /dev to suppress confusing, non-fatal profile denials
> >    + allow access to user-tmp abstraction
> > Bug-Ubuntu: LP: #579584, LP: #565691
> > 
> > diff -Naurp libvirt.orig/examples/apparmor/libvirt-qemu libvirt/examples/apparmor/libvirt-qemu
> > --- libvirt.orig/examples/apparmor/libvirt-qemu	2010-04-06 16:14:52.000000000 -0500
> > +++ libvirt/examples/apparmor/libvirt-qemu	2010-08-13 16:46:34.000000000 -0500
> > @@ -1,4 +1,4 @@
> > -# Last Modified: Mon Apr  5 15:11:27 2010
> > +# Last Modified: Fri Aug 13 16:38:32 2010
> >  
> >    #include <abstractions/base>
> >    #include <abstractions/consoles>
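Review bot: the only change in this hunk is the tool-generated `# Last Modified:` header (`-# Last Modified: Mon Apr  5 15:11:27 2010` / `+# Last Modified: Fri Aug 13 16:38:32 2010`), which is unrelated to the fix in the description and will conflict with any other edit to this profile; consider dropping it from the patch, or state in the description that the header is regenerated by the profile tooling.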
> > @@ -9,6 +9,10 @@
> >    capability dac_read_search,
> >    capability chown,
> >  
> > +  # needed to drop privileges
> > +  capability setgid,
> > +  capability setuid,
> > +
> >    network inet stream,
> >    network inet6 stream,
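Review bot: the comment `# needed to drop privileges` above `capability setgid,` / `capability setuid,` should say which process does the dropping. The description phrases it as "so qemu can drop privileges", but the setgid/setuid calls are libvirt's own change from root to the qemu user and group in the forked child before the qemu binary is exec'd, and that child is already confined by this profile, which is why the denials land here. Spelling that out in the comment, and citing LP: #579584 next to the two new lines, would answer the obvious "does QEMU need this?" question for the next reader; the reported failures cover both the group and the user change, so both capabilities are needed as a pair.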
> 
> Does QEMU really need this? The libvirt QEMU driver will drop
> privileges from root:root to qemu:qemu after forking, but before
> the /usr/bin/qemu binary is actually exec'd.

Yes. Users were seeing errors like:
libvir: QEMU error : cannot change to '109' group: Operation not permitted
libvir: QEMU error : cannot change to '104' user: Operation not permitted

For details, see:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/579584

-- 
Jamie Strandboge             | http://www.canonical.com

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list