On Mon, Aug 3, 2020 at 5:07 PM Jamie Strandboge <[email protected]> wrote:
> On Mon, 03 Aug 2020, Christian Ehrhardt wrote:
> > From: Stefan Bader <[email protected]>
> >
> > On some architectures (ppc, s390x, sparc, arm) qemu will read auxv
> > to detect hardware capabilities via qemu_getauxval.
> >
> > Allow that access read-only for the entry owned by the current
> > qemu process.
> >
> > Signed-off-by: Christian Ehrhardt <[email protected]>
> > Signed-off-by: Stefan Bader <[email protected]>
> > ---
> >  src/security/apparmor/libvirt-qemu | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> > index b132cf0226..25eff20b82 100644
> > --- a/src/security/apparmor/libvirt-qemu
> > +++ b/src/security/apparmor/libvirt-qemu
> > @@ -33,6 +33,7 @@
> > owner @{PROC}/@{pid}/task/@{tid}/comm rw,
> > @{PROC}/sys/kernel/cap_last_cap r,
> > @{PROC}/sys/vm/overcommit_memory r,
> > + owner @{PROC}/*/auxv r,
>
> +1 to apply. A code comment that is simply the first sentence of
> Stefan's commit message might be a nice touch, but that is not a
> blocker.
>

Yeah, I added that comment when researching the reason - added a comment to the commit, but not worth a v2 submission.

Thanks for reading through all of these changes!

> --
> Jamie Strandboge | http://www.canonical.com

--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
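Review bot: the added rule `owner @{PROC}/*/auxv r,` is broader than the commit message describes. The message says access is allowed "for the entry owned by the current qemu process", but `owner` only constrains the match to files whose owner matches the task's fsuid, not to the task's own pid, so with `*` in the path a confined qemu can read `/proc/<pid>/auxv` of any other process running under the same uid, which on a libvirt host that runs several guests as the same user means other guests' qemu processes. The neighbouring context line in the same hunk already shows the narrower idiom, `owner @{PROC}/@{pid}/task/@{tid}/comm rw,`, so the rule that actually matches the description would be `owner @{PROC}/@{pid}/auxv r,`. If `@{pid}` is not usable here (for instance because auxv is read via a path that does not resolve to the profile's own pid), that reason belongs in the comment Jamie asked for, next to the rule, rather than only in the commit message.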
