On Tue, 2012-03-13 at 08:42 -0400, Corey Bryant wrote: > This patch provides AppArmor policy updates for the QEMU bridge helper. > The QEMU bridge helper is a SUID executable exec'd by QEMU that drops > capabilities to CAP_NET_ADMIN and adds a tap device to a network > bridge. For more details on the helper, please refer to: > > http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg03562.html > > Signed-off-by: Corey Bryant <coreyb@xxxxxxxxxxxxxxxxxx> > --- > examples/apparmor/libvirt-qemu | 22 +++++++++++++++++++++- > 1 files changed, 21 insertions(+), 1 deletions(-) > > diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu > index 10cdd36..c5a11b6 100644 > --- a/examples/apparmor/libvirt-qemu > +++ b/examples/apparmor/libvirt-qemu > @@ -1,4 +1,4 @@ > -# Last Modified: Mon Apr 5 15:11:27 2010 > +# Last Modified: Fri Mar 9 14:43:22 2012 > > #include <abstractions/base> > #include <abstractions/consoles> > @@ -108,3 +108,23 @@ > /bin/dash rmix, > /bin/dd rmix, > /bin/cat rmix, > + > + /usr/libexec/qemu-bridge-helper Cx, > + > + # child profile for bridge helper process > + profile /usr/libexec/qemu-bridge-helper { > + #include <abstractions/base> > + > + capability setuid, > + capability setgid, > + capability setpcap, > + capability net_admin, > + > + network inet stream, > + > + /dev/net/tun rw, > + /etc/qemu/** r, > + owner @{PROC}/*/status r, > + > + /usr/libexec/qemu-bridge-helper rmix, > + } The policy looks good to me. Thanks! It might make more sense to have this committed when libvirt has qemu-bridge-helper, but others can decide on that. Acked-By: Jamie Strandboge <jamie@xxxxxxxxxxxxx> -- Jamie Strandboge | http://www.canonical.com
Attachment:
signature.asc
Description: This is a digitally signed message part
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list