See lp#1276719 for the bug description. As virt-aa-helper doesn't know the VFIO groups to use for the guest, allow access to all /dev/vfio/[0-9]* and /dev/vfio/vfio files.
---
 examples/apparmor/libvirt-qemu | 5 +++++
 examples/apparmor/usr.sbin.libvirtd | 3 +++
 2 files changed, 8 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index e1980b7..c3dfa57 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -110,6 +110,7 @@
 /usr/bin/qemu-sparc32plus rmix,
 /usr/bin/qemu-sparc64 rmix,
 /usr/bin/qemu-x86_64 rmix,
+ /usr/lib/qemu/block-curl.so mr,
 # for save and resume
 /bin/dash rmix,
@@ -122,6 +123,10 @@
 /sys/bus/ r,
 /sys/class/ r,
+ # for vfio access
+ /dev/vfio/vfio rw,
+ /dev/vfio/[0-9]* rw,
+
 /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
 # child profile for bridge helper process
 profile qemu_bridge_helper {
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index fd6def1..3011eff 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -25,6 +25,9 @@
 capability fsetid,
 capability audit_write,
+ # Needed for vfio
+ capability sys_resource,
+
 network inet stream,
 network inet dgram,
 network inet6 stream,
-- 
1.9.0
-- 
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
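Review bot: The added rule `/usr/lib/qemu/block-curl.so mr,` in the first libvirt-qemu hunk is not covered by the commit message, which only describes VFIO access, so a reader of the log cannot tell why the curl block driver module now has to be mappable by every guest; either mention it in the message or split it into its own commit. The path is also hard-coded to `/usr/lib/`, whereas the bridge-helper rule in the next hunk uses the `/usr/{lib,libexec}/` alternation; if the qemu module directory differs between distributions (for example a `lib64` layout), a glob such as `/usr/{lib,lib64}/qemu/block-curl.so mr,` would keep the rule portable. The enclosing profile block starts and ends outside the hunk.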
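Review bot: `/dev/vfio/[0-9]* rw,` in the second libvirt-qemu hunk grants every confined guest read/write access to every VFIO group device on the host, not only the groups bound to that guest's assigned devices, so AppArmor no longer separates guests from each other for passthrough devices and only the kernel's own group/container checks plus file ownership remain. The commit message gives the reason (virt-aa-helper does not know the groups), but the profile itself should record it so the breadth is not later mistaken for intent, e.g. `# all groups: virt-aa-helper cannot yet derive the guest's VFIO groups, see lp#1276719`. A follow-up could have virt-aa-helper resolve each hostdev PCI address to its `iommu_group` link under sysfs and emit a per-guest `/dev/vfio/<group> rw,` rule instead of the glob. The enclosing profile block starts and ends outside the hunk.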
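Review bot: The comment `# Needed for vfio` above `capability sys_resource,` does not say what libvirtd does with the capability, which matters because sys_resource is broad (it also lets the daemon override resource limits that have nothing to do with VFIO) and a later reviewer cannot tell whether it is still required. Presumably it is needed because libvirtd raises the qemu process's hard RLIMIT_MEMLOCK so that VFIO can pin guest memory, which setrlimit only permits with CAP_SYS_RESOURCE — confirm against the code path that sets the memlock limit — and the comment should name that, e.g. `# Needed for vfio: libvirtd raises RLIMIT_MEMLOCK of the qemu process so guest memory can be pinned`. The enclosing profile block starts and ends outside the hunk.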