Re: [libvirt] Various apparmor related changes (part 1), version 2
Quoting Stefan Bader (stefan.ba...@canonical.com):
> > Over the years there have been a bunch of changes to the
> > apparmor profiles and/or virt-aa-helper which have been
> > carried in Debian/Ubuntu but never made it upstream.
> >
> > In an attempt to clean this up and generally improve the
> > apparmor based environments, we (Christian and I) went
> > over the changes, cleaned out cruft as much as possible
> > and would be sending out hunks of changes to this list
> > for upstream inclusion.
> >
> > I hope doing multiple but smaller rounds of submissions
> > will make it simpler to get those reviewed and hopefully
> > accepted.
>
> For the second version I added acks, merged the patches
> related to explicit device denials and local apparmor
> profiles, and split the 9p support one (holding back the
> part allowing link access for later or to be replaced by
> a safer solution).
> I also tried to improve the explanation in the description
> of patch #1 (virt-aa-helper: Ask for no deny rule for readonly
> disk elements).
>
> Thanks,
> Stefan

Thanks,

Acked-by: Serge Hallyn

I don't like the added capabilities in the one patch, but I'm not
nacking it on that account. Still a toggle would be comforting. Make
people who want 9p consciously sign in to the added privs.

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] Various apparmor related changes (part 1), version 2
> Over the years there have been a bunch of changes to the
> apparmor profiles and/or virt-aa-helper which have been
> carried in Debian/Ubuntu but never made it upstream.
>
> In an attempt to clean this up and generally improve the
> apparmor based environments, we (Christian and I) went
> over the changes, cleaned out cruft as much as possible
> and would be sending out hunks of changes to this list
> for upstream inclusion.
>
> I hope doing multiple but smaller rounds of submissions
> will make it simpler to get those reviewed and hopefully
> accepted.

For the second version I added acks, merged the patches
related to explicit device denials and local apparmor
profiles, and split the 9p support one (holding back the
part allowing link access for later or to be replaced by
a safer solution).
I also tried to improve the explanation in the description
of patch #1 (virt-aa-helper: Ask for no deny rule for readonly
disk elements).

Thanks,
Stefan

[libvirt] Various apparmor related changes (part 1)
Over the years there have been a bunch of changes to the
apparmor profiles and/or virt-aa-helper which have been
carried in Debian/Ubuntu but never made it upstream.

In an attempt to clean this up and generally improve the
apparmor based environments, we (Christian and I) went
over the changes, cleaned out cruft as much as possible
and would be sending out hunks of changes to this list
for upstream inclusion.

I hope doing multiple but smaller rounds of submissions
will make it simpler to get those reviewed and hopefully
accepted.

This first batch contains a mix of changes from Debian and
Ubuntu.

Thanks,
Stefan