Re: [libvirt] [PATCH 08/10] apparmor, libvirt-qemu: Allow macvtap access

2017-06-07 Thread Christian Ehrhardt
On Fri, Jun 2, 2017 at 12:55 PM, Guido Günther  wrote:

> Shouldn't this only be added when macvtap is in use?
> Cheers,
>  -- Guido
>

Right again - as the ceph change this is part of a category of rules where
in a perfect world we would write virt-aa-helper code for each of them.

In this particular case allowing that in general might be less safe, so I
agree to lean towards virt-aa-helper if possible.
OTOH I'm not sure virt-aa-helper can easily detect that from the guest
context that it has access to, it might need to reach out to the network
config and I'm not sure if we have a case doing that already one could
easily build on implementing this.
If(f) that is done - and working it might be down to knowing the exact tap
device and only add that.

That said if one is willing to consider this patch as-is that would be
great until implemented more granularly via virt-aa-helper - but otherwise
please let me know - I'll then add it to a bunch of issues of the category
"needs to be done in virt-aa-helper" which I already track.


-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH 08/10] apparmor, libvirt-qemu: Allow macvtap access

2017-06-02 Thread Guido Günther
On Tue, May 23, 2017 at 06:22:46PM +0200, Stefan Bader wrote:
> From: Guilhem Lettron 
> 
> Add rule to allow access to /dev/tap* used by macvtap.
> 
> Bug-Ubuntu: https://bugs.launchpad.net/bugs/921870
> 
> Signed-off-by: Christian Ehrhardt 
> Signed-off-by: Stefan Bader 
> ---
>  examples/apparmor/libvirt-qemu | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index fddc93a..e2b0dfd 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -17,6 +17,7 @@
>network inet6 stream,
>  
>/dev/net/tun rw,
> +  /dev/tap* rw,
>/dev/kvm rw,
>/dev/ptmx rw,
>/dev/kqemu rw,

Shouldn't this only be added when macvtap is in use? 
Cheers,
 -- Guido

> -- 
> 2.7.4
> 



[libvirt] [PATCH 08/10] apparmor, libvirt-qemu: Allow macvtap access

2017-05-23 Thread Stefan Bader
From: Guilhem Lettron 

Add rule to allow access to /dev/tap* used by macvtap.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/921870

Signed-off-by: Christian Ehrhardt 
Signed-off-by: Stefan Bader 
---
 examples/apparmor/libvirt-qemu | 1 +
 1 file changed, 1 insertion(+)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index fddc93a..e2b0dfd 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -17,6 +17,7 @@
   network inet6 stream,
 
   /dev/net/tun rw,
+  /dev/tap* rw,
   /dev/kvm rw,
   /dev/ptmx rw,
   /dev/kqemu rw,
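Review bot: the added `/dev/tap* rw,` line lands in examples/apparmor/libvirt-qemu, the profile abstraction shared by every confined guest, so it unconditionally grants read/write on all macvtap character devices to every guest, not just the one tap device belonging to a guest that actually uses macvtap; this widens the static profile for guests that have no macvtap interface at all. Consider leaving the static profile unchanged and having virt-aa-helper emit a per-guest rule for the specific /dev/tap device of each macvtap-backed interface, or, if that is not feasible yet, state in the commit message why the broad static rule is accepted for now so the trade-off is recorded alongside the Bug-Ubuntu reference.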
-- 
2.7.4
