On Fri, 2011-12-02 at 13:10 -0600, Serge Hallyn wrote: > The pathname for the pipe for tunnelled migration is unresolvable. The > libvirt apparmor driver therefore refuses access, causing migration to > fail. If we can't resolve the path, the worst that can happen is that > we should have given permission to the file but didn't. Otherwise > (especially since this is a /proc/$$/fd/N file) the file is already open > and libvirt won't be refused access by apparmor anyway. > > Also adjust virt-aa-helper to allow access to the > *.tunnelmigrate.dest.name files. > > Changelog: Dec 2: per jdstrand comment, also change the Error to a VIR_WARN. > > For more information, see https://launchpad.net/bugs/869553. > > Signed-off-by: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx> > --- > src/security/security_apparmor.c | 6 +++--- > src/security/virt-aa-helper.c | 4 ++++ > 2 files changed, 7 insertions(+), 3 deletions(-) > > diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c > index 299dcc6..5e68da8 100644 > --- a/src/security/security_apparmor.c > +++ b/src/security/security_apparmor.c > @@ -791,9 +791,9 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr, > } > > if (virFileResolveLink(proc, &fd_path) < 0) { > - virSecurityReportError(VIR_ERR_INTERNAL_ERROR, > - "%s", _("could not find path for descriptor")); > - return rc; > + /* it's a deleted file, presumably. Ignore? */ > + VIR_WARN("could not find path for descriptor %s, skipping", proc); > + return 0; > } > > return reload_profile(mgr, vm, fd_path, true); ACK > diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c > index 14399cc..4561bb9 100644 > --- a/src/security/virt-aa-helper.c > +++ b/src/security/virt-aa-helper.c 
> @@ -1220,6 +1220,10 @@ main(int argc, char **argv) > LOCALSTATEDIR, ctl->def->name); > virBufferAsprintf(&buf, " \"/run/libvirt/**/%s.pid\" rwk,\n", > ctl->def->name); > + virBufferAsprintf(&buf, " \"%s/run/libvirt/**/*.tunnelmigrate.dest.%s\" rw,\n", > + LOCALSTATEDIR, ctl->def->name); > + virBufferAsprintf(&buf, " \"/run/libvirt/**/*.tunnelmigrate.dest.%s\" rw,\n", > + ctl->def->name); > if (ctl->files) > virBufferAdd(&buf, ctl->files, -1); > } ACK -- Jamie Strandboge | http://www.canonical.com
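Review bot: in the `virFileResolveLink(proc, &fd_path) < 0` branch of AppArmorSetImageFDLabel (security_apparmor.c), the new comment `/* it's a deleted file, presumably. Ignore? */` leaves the decision as an open question, while the code now returns 0 for every resolution failure. Suggest replacing the comment with the rationale from the commit message (when the path cannot be resolved no rule is added, and the descriptor is already open), and including the failure reason in the VIR_WARN so that a failure other than an unresolvable pipe can be told apart in the logs.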
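Review bot: the two added `virBufferAsprintf` calls in main() (virt-aa-helper.c) emit `*.tunnelmigrate.dest.%s` rw rules with no comment saying what creates these files, and the leading `*` combined with `**` matches any file name ending in `.tunnelmigrate.dest.<name>` anywhere below run/libvirt. Suggest a one-line comment naming tunnelled migration as the reason for the rules, and narrowing the leading `*` to the fixed prefix if the file name has one. The rules sit next to the `.pid` rules with no condition visible in the hunk, so they appear to be written for every domain whether or not it is being migrated; the comment should say that this is intended.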
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list