[libvirt] Qemu capability probes lifecycle should be tied to libvirtd

2017-12-18 Thread Christian Ehrhardt
rrect" to stop the processes on a libvirtd stop? [1]: http://paste.ubuntu.com/26208661/ [2]: http://paste.ubuntu.com/26208664/ P.S. I discussed this on IRC last Friday, but other than Michael confirming the current state there was no further traction on the discussion yet. -- Christian Ehrhard

[libvirt] [PATCH] apparmor: add ptrace/mediation rules for unconfined guests

2017-12-14 Thread Christian Ehrhardt
he road with "policy namespaces with scope and view control + stacking" This is more a use-case addition than a fix to the following two changes: - 3b1d19e6 AppArmor: add rules needed with additional mediation features - b482925c apparmor: support ptrace checks Signed-off-

[libvirt] [PATCH 2/2] apparmor, virt-aa-helper: allow ipv6

2017-11-03 Thread Christian Ehrhardt
In case ipv6 is used the network inet6 permission is required for virt-aa-helper. Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- examples/apparmor/usr.lib.libvirt.virt-aa-helper | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/apparmor/usr.lib.libvir

[libvirt] [PATCH 0/2] Misc apparmor fixes

2017-11-03 Thread Christian Ehrhardt
://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1729626 Christian Ehrhardt (2): apparmor: allow qemu to read max_segments apparmor, virt-aa-helper: allow ipv6 examples/apparmor/libvirt-qemu | 3 +++ examples/apparmor/usr.lib.libvirt.virt-aa-helper | 1 + 2 files changed, 4

[libvirt] [PATCH 1/2] apparmor: allow qemu to read max_segments

2017-11-03 Thread Christian Ehrhardt
a symlink path we need to translate that for apparmor from "/sys/dev/block/*/queue/max_segments" to "/sys/devices/**/block/*/queue/max_segments" Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- examples/apparmor/libvirt-qemu | 3 +++ 1 file

Re: [libvirt] How to best handle the reoccurring of rom changes breaking cross version migrations?

2017-11-03 Thread Christian Ehrhardt
On Thu, Nov 2, 2017 at 4:34 PM, Daniel P. Berrange <berra...@redhat.com> wrote: > > On Thu, Nov 02, 2017 at 04:14:06PM +0100, Christian Ehrhardt wrote: > > Ping - since there wasn't any reply so far - any best practices one could > > share? > > > > Let me

Re: [libvirt] How to best handle the reoccurring of rom changes breaking cross version migrations?

2017-11-02 Thread Christian Ehrhardt
is really ok and how/where is the question. Also to +1 on bad things for today - I made this a cross post to libvirt in case there is one that has done that in the past. On Mon, Aug 28, 2017 at 4:36 PM, Christian Ehrhardt < christian.ehrha...@canonical.com> wrote: > Hi, > migra

[libvirt] [PATCH 2/2] virt-aa-helper-test: only fails go to stdout by default

2017-10-26 Thread Christian Ehrhardt
following to clutter the log: Skipping FW AAVMF32 test. Could not find /usr/share/AAVMF/AAVMF32_CODE.fd Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- tests/virt-aa-helper-test | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/virt-aa-helper-t

[libvirt] [PATCH 0/2] virt-aa-helper cleanups

2017-10-26 Thread Christian Ehrhardt
As follow up to [1] some smaller extensions and fixups to virt-aa-helper and its tests. [1]: https://www.redhat.com/archives/libvir-list/2017-October/msg01161.html Christian Ehrhardt (2): virt-aa-helper: apparmor wildcards to forbidden chars virt-aa-helper-test: only fails go to stdout

[libvirt] [PATCH 1/2] virt-aa-helper: apparmor wildcards to forbidden chars

2017-10-26 Thread Christian Ehrhardt
Some globbing chars in the domain name could be used to break out of apparmor rules, so let's forbid these when in virt-aa-helper. Also adding a test to ensure all those cases were detected as bad char. Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- src/security/v

Re: [libvirt] [PATCH 3/4] virt-aa-helper: allow spaces in vm names

2017-10-26 Thread Christian Ehrhardt
On Wed, Oct 25, 2017 at 8:48 PM, Jamie Strandboge <ja...@canonical.com> wrote: > On Wed, 2017-09-20 at 16:59 +0200, Christian Ehrhardt wrote: > > libvirt allows spaces in vm names, there were issues in the past but > > it > > seems not removed so the assum

[libvirt] [PATCH] virt-aa-helper: fix libusb access to udev usb descriptions

2017-10-25 Thread Christian Ehrhardt
tion might need it so allow the access in the default apparmor profile. Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- examples/apparmor/libvirt-qemu | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-q

[libvirt] [PATCH] virt-aa-helper: grant locking permission on -f

2017-10-24 Thread Christian Ehrhardt
the domain xml. But on attach-device a user will still trigger an apparmor deny by going through virt-aa-helper -f, to fix that add the lock "k" permission to the append file case of virt-aa-helper. Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- src/sec

[libvirt] [PATCH 1/2] Increase default file handle limits for virtlogd

2017-10-18 Thread Christian Ehrhardt
by default we should raise the limit to 16k. Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- src/logging/virtlogd.service.in | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/logging/virtlogd.service.in b/src/logging/virtlogd.service.in

[libvirt] [PATCH 0/2] Further Increase default file handle limits

2017-10-18 Thread Christian Ehrhardt
y have to be tweaked in really uncommon cases. Christian Ehrhardt (2): Increase default file handle limits for virtlogd Increase default file handle limits for virtlockd src/locking/virtlockd.service.in | 4 ++-- src/logging/virtlogd.service.in | 6 -- 2 files changed, 6 insertions(+), 4 del

[libvirt] [PATCH 2/2] Increase default file handle limits for virtlockd

2017-10-18 Thread Christian Ehrhardt
The assumption so far was an average of 4 disks per guest. But some architectures, like s390x, still often use plenty of smaller disks. To include those in the considerations an assumption of an average of 10 disks is more reasonable. Signed-off-by: Christian Ehrhardt <christian.eh

Re: [libvirt] [PATCH 1/4] virt-aa-helper: fix paths for usb hostdevs

2017-10-17 Thread Christian Ehrhardt
On Fri, Sep 29, 2017 at 4:58 PM, Michal Privoznik <mpriv...@redhat.com> wrote: > On 09/20/2017 04:59 PM, Christian Ehrhardt wrote: > > If users only specified vendor (the common case) then parsing > > the xml via virDomainHostdevSubsysUSBDefParseXML would only set these. >

Re: [libvirt] gnulib tests in libvirt broken by newer glibc 2.26

2017-09-29 Thread Christian Ehrhardt
gards, > Daniel > -- > |: https://berrange.com -o-https://www.flickr.com/photos/ > dberrange :| > |: https://libvirt.org -o- > https://fstop138.berrange.com :| > |: https://entangle-photo.org-o-https://www.instagram.com/ > dberrange :| > --

Re: [libvirt] gnulib tests in libvirt broken by newer glibc 2.26

2017-09-28 Thread Christian Ehrhardt
On Thu, Sep 28, 2017 at 2:05 PM, Christian Ehrhardt < christian.ehrha...@canonical.com> wrote: > > > On Thu, Sep 28, 2017 at 12:25 AM, Eric Blake <ebl...@redhat.com> wrote: > >> [adding gnulib] >> > > [...] > >> > then libvirt needs to pi

Re: [libvirt] gnulib tests in libvirt broken by newer glibc 2.26

2017-09-28 Thread Christian Ehrhardt
On Thu, Sep 28, 2017 at 12:25 AM, Eric Blake <ebl...@redhat.com> wrote: > [adding gnulib] > > On 09/27/2017 04:36 PM, Christian Ehrhardt wrote: > > Hi, > > there seems to be an incompatibility to the last glibc due to [1]. > > Gnulib needs to be updated to track

Re: [libvirt] gnulib tests in libvirt broken by newer glibc 2.26

2017-09-27 Thread Christian Ehrhardt
I did an in-place replacement of gnulib to the latest from gnulib upstream but the issue stays. So for the time being I'd assume it is not yet solved there. On Wed, Sep 27, 2017 at 11:36 PM, Christian Ehrhardt < christian.ehrha...@canonical.com> wrote: > Hi, >

[libvirt] gnulib tests in libvirt broken by newer glibc 2.26

2017-09-27 Thread Christian Ehrhardt
ld not get the example to fail without libvirt (OTOH I'm sure it would). Therefore I'm reaching out to you for your help and experience on the build system what could be done. [1]: https://sourceware.org/ml/libc-alpha/2017-04/msg00115.html -- Christian Ehrhardt Software Engineer, Ubuntu Server Can

Re: [libvirt] [PATCH 0/4] misc virt-aa-helper fixes

2017-09-27 Thread Christian Ehrhardt
Hi, just a ping to ask if anybody could take a look to review this set of smaller changes? On Wed, Sep 20, 2017 at 4:59 PM, Christian Ehrhardt < christian.ehrha...@canonical.com> wrote: > Hi, > this was mostly created by clearing old libvirt bugs in Ubuntu. > USB passthrough so

Re: [libvirt] [PATCH V3] apparmor: support ptrace checks

2017-09-25 Thread Christian Ehrhardt
eer=unconfined, > > > + ptrace (trace) peer=/usr/sbin/libvirtd, > > > + ptrace (trace) peer=libvirt-*, > > > + > > > > This works here too! And I can even drop the first rule (ptrace (trace) > > peer=unconfined) and things still work (and from reading the profile and > > Jamies explanations it should work without it). Can you check if that > > works for you too? Otherwise: > > > > Reviewed-By: Guido Günther <a...@sigxcpu.org> > > I've pushed that patch as is since without the unconfined ptrace we're > seeing denials with gnome-boxes and virsh. > Cheers, > -- Guido > > > > > > > ># Very lenient profile for libvirtd since we want to first focus on > confining > > ># the guests. Guests will have a very restricted profile. > > >/ r, > > > -- > > > 2.14.1 > > > > > > > -- > > libvir-list mailing list > > libvir-list@redhat.com > > https://www.redhat.com/mailman/listinfo/libvir-list > > > > -- > libvir-list mailing list > libvir-list@redhat.com > https://www.redhat.com/mailman/listinfo/libvir-list > -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
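Review bot: the `ptrace (trace) peer=unconfined` rule in the libvirtd profile hunk is the broadest of the three added ptrace rules, and the only justification for keeping it (denials with gnome-boxes and virsh when it is dropped) lives in this thread rather than in the profile. A comment above that rule naming those callers would stop it from later being removed as redundant with the `peer=/usr/sbin/libvirtd` and `peer=libvirt-*` rules, and would make it easy to revisit once the unconfined peers no longer need it.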

[libvirt] [PATCH 2/4] virt-aa-helper: fix libusb access to udev usb data

2017-09-20 Thread Christian Ehrhardt
using now as a workaround. Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- examples/apparmor/libvirt-qemu | 3 +++ 1 file changed, 3 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index dcfb1a5..b341e31 100644 --- a/examples/

[libvirt] [PATCH 3/4] virt-aa-helper: allow spaces in vm names

2017-09-20 Thread Christian Ehrhardt
schema should do so. Apparmor rules are in quotes, so a space in a path based on the name works. Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- src/security/virt-aa-helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/security/virt-aa-he

[libvirt] [PATCH 4/4] virt-aa-helper: put static rules in quotes

2017-09-20 Thread Christian Ehrhardt
To avoid any issues later on if paths ever change (unlikely but possible) and to match the style of other generated rules the paths of the static rules have to be quoted as well. Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- src/security/virt-aa-helper.c | 6 +++

[libvirt] [PATCH 1/4] virt-aa-helper: fix paths for usb hostdevs

2017-09-20 Thread Christian Ehrhardt
unconditionally sets virHostdevFindUSBDevice mandatory attribute as adding an apparmor rule for a device not found makes no sense no matter what startup policy it has set. Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- src/security/virt-aa-helper.c | 4 1 file changed, 4 insert

[libvirt] [PATCH 0/4] misc virt-aa-helper fixes

2017-09-20 Thread Christian Ehrhardt
to that and submit them today. Christian Ehrhardt (4): virt-aa-helper: fix paths for usb hostdevs virt-aa-helper: fix libusb access to udev usb data virt-aa-helper: allow spaces in vm names virt-aa-helper: put static rules in quotes examples/apparmor/libvirt-qemu | 3 +++ src/security/virt-aa-helper.c

[libvirt] How to implement pool support in virt-aa-helper?

2017-09-19 Thread Christian Ehrhardt
]: http://paste.ubuntu.com/25570670/ [2]: http://paste.ubuntu.com/25570673/ [3]: http://paste.ubuntu.com/25570720/ -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd

Re: [libvirt] [PATCH] virnetdaemon: Don't deadlock when talking to D-Bus

2017-09-01 Thread Christian Ehrhardt
t; now and have it locked already (in > virNetDaemonAddShutdownInhibition()) > > Signed-off-by: Michal Privoznik <mpriv...@redhat.com> > > Change builds fine (on top of 3.6) and seems to fix the issue. Survived 20 minutes in my stress loop, which it never did before. Tested-by: Christian Ehrhardt <chri

Re: [libvirt] [PATCH] virt-aa-helper: locking loader/nvram for qemu 2.10

2017-08-17 Thread Christian Ehrhardt
a v2 which states so more explicitly. On Thu, Aug 17, 2017 at 1:23 PM, Michal Privoznik <mpriv...@redhat.com> wrote: > On 08/17/2017 10:55 AM, Christian Ehrhardt wrote: > > Testing qemu-2.10-rc3 shows issues like: > > qemu-system-aarch64: -drive file=/home/ubuntu/vm-start

[libvirt] [PATCH] virt-aa-helper: locking loader/nvram for qemu 2.10

2017-08-17 Thread Christian Ehrhardt
ck" [...] name="/home/ubuntu/vm-start-stop/vms/7936-0_CODE.fd" name="/var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow" [...] comm="qemu-system-aarch64" requested_mask="k" denied_mask="k" The profile needs to allow locking for load

Re: [libvirt] [PATCH] virt-aa-helper: locking disk files for qemu 2.10

2017-08-14 Thread Christian Ehrhardt
Ping - opinions on this or is it ready to be committed? On this reply setting Guido on CC as he has experience on apparmor patches in libvirt and commit rights. On Fri, Aug 11, 2017 at 8:58 PM, intrigeri <intrigeri+libv...@boum.org> wrote: > Hi, > > Christian Ehrhardt: >

[libvirt] [PATCH] virt-aa-helper: locking disk files for qemu 2.10

2017-08-10 Thread Christian Ehrhardt
s now get that permission, but no other rules are changed, example: - "/var/lib/uvtool/libvirt/images/kvmguest-artful-normal-a2.qcow" rw, + "/var/lib/uvtool/libvirt/images/kvmguest-artful-normal-a2.qcow" rwk Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonic

Re: [libvirt] [PATCH] virt-aa-helper: locking disk files for qemu 2.10

2017-08-10 Thread Christian Ehrhardt
On Thu, Aug 10, 2017 at 11:19 AM, Christian Ehrhardt < christian.ehrha...@canonical.com> wrote: > Testing qemu-2.10-rc2 shows issues like: > qemu-system-x86_64: -drive file=/var/lib/uvtool/libvirt/images/kvmguest- > \ > artful-normal.qcow,format=qcow2,if=none,id=drive-virtio

Re: [libvirt] [PATCH] apparmor, libvirt-qemu: Allow QEMU to gather information about available host resources.

2017-08-09 Thread Christian Ehrhardt
We had the same rule for some time, it just is ordered later in our submission stack and not yet pushed by me or Stefan for review. But since we have the same rules for quite some time working fine I'm clearly acking that. Thanks intrigeri! Acked-by: Christian Ehrhardt <christian.eh

Re: [libvirt] [PATCH] security: apparmor: Properly link with storage driver in helper program

2017-07-18 Thread Christian Ehrhardt
s you won't need all three, but I happily give them all to you :-) Thanks a lot Peter! Acked-by: Christian Ehrhardt <christian.ehrha...@canonical.com> Reported-by: Christian Ehrhardt <christian.ehrha...@canonical.com> Tested-by: Christian Ehrhardt <christian.ehrha...@canonical.com>

Re: [libvirt] backingStore info adding late breaks virt-aa-helper

2017-07-18 Thread Christian Ehrhardt
On Mon, Jul 17, 2017 at 8:40 PM, Christian Ehrhardt < christian.ehrha...@canonical.com> wrote: > > > On Mon, Jul 17, 2017 at 8:17 PM, Christian Ehrhardt < > christian.ehrha...@canonical.com> wrote: >> >> So it is the parsing of the XML into objects I have to

Re: [libvirt] backingStore info adding late breaks virt-aa-helper

2017-07-17 Thread Christian Ehrhardt
On Mon, Jul 17, 2017 at 8:17 PM, Christian Ehrhardt < christian.ehrha...@canonical.com> wrote: > > So it is the parsing of the XML into objects I have to track down. > Maybe it is even some Ubuntu Delta that no more correctly matches. > Will run on build from upstream master a

Re: [libvirt] backingStore info adding late breaks virt-aa-helper

2017-07-17 Thread Christian Ehrhardt
On said example: Libvirt 2.5: Breakpoint 1, 0x3fffb7c77ba8 in virDomainDiskDefForeachPath (disk=0x200ab490, ignoreOpenFailure=true, iter=0x20011dc0 , opaque=0x3fffef70) at ../../../src/conf/domain_conf.c:24851 $1 = (virStorageSourcePtr) 0x200ab630 (gdb) p disk->src->path $2 = 0x200a9ff0

Re: [libvirt] backingStore info adding late breaks virt-aa-helper

2017-07-17 Thread Christian Ehrhardt
Hi, I was misled by my former assumption on the lifecycle. As virt-aa-helper gets his xml passed into stdin. I captured that and found that in both cases it had the same content. Below steps to reproduce based on that: Test -Xml: kvmguest-artful-normal-a2

[libvirt] [PATCH] libxl: fix cdrom default driver name

2017-07-17 Thread Christian Ehrhardt
, add that as the default attribute just as it was added in the past. Example of the verification error: $ virt-xml-validate mytest.xml Relax-NG validity error : Extra element devices in interleave Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- src

Re: [libvirt] Xen device section defaults miss name='qemu'

2017-07-17 Thread Christian Ehrhardt
On Sat, Jul 15, 2017 at 12:27 AM, Jim Fehlig <jfeh...@suse.com> wrote: > On 07/11/2017 08:15 AM, Christian Ehrhardt wrote: > >> >> What happens is that before the changes this auto-added a driver section >> like: >> >> But now it does only add >&

[libvirt] backingStore info adding late breaks virt-aa-helper

2017-07-17 Thread Christian Ehrhardt
ng store info added. But as outlined above, at the point virt-aa-helper runs now the necessary backingStore data seems to be missing. I couldn't find the related change or a way to fix it so far, so any hints are welcome. -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd -- libvir-list

Re: [libvirt] Xen device section defaults miss name='qemu'

2017-07-12 Thread Christian Ehrhardt
​Not sure how stupid it might be so clearly just a very humble RFC, but the following seems to work for me: Therefore no nicely polished patch, but just inline diff --- a/src/libxl/libxl_domain.c +++ b/src/libxl/libxl_domain.c @@ -367,8 +367,9 @@ int actual_type =

[libvirt] Xen device section defaults miss name='qemu'

2017-07-11 Thread Christian Ehrhardt
ou if you could take a look into this? -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd

Re: [libvirt] [PATCH] qemu: Add AAVMF32 to the list of known UEFIs

2017-06-07 Thread Christian Ehrhardt
> +VIR_STRDUP(cfg->firmwares[2]->nvram, > VIR_QEMU_OVMF_SEC_NVRAM_PATH) < 0 || > +VIR_STRDUP(cfg->firmwares[3]->name, > VIR_QEMU_AAVMF32_LOADER_PATH) < 0 || > +VIR_STRDUP(cfg->firmwares[3]->nvram, > VIR_QEMU_AAVMF32_NVRAM_PATH) < 0) > goto error; > #endif > > -- > 2.11.0 > > -- > libvir-list mailing list > libvir-list@redhat.com > https://www.redhat.com/mailman/listinfo/libvir-list > -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH 08/10] apparmor, libvirt-qemu: Allow macvtap access

2017-06-07 Thread Christian Ehrhardt
anularily via virt-aa-helper - but otherwise please let me know - I'll then add it to a bunch of issues of the category "needs to be done in virt-aa-helper" which I already track. -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd -- libvir-list mailing list

Re: [libvirt] [PATCH 07/10] apparmor, libvirt-qemu: Allow access to ceph config

2017-06-07 Thread Christian Ehrhardt
On Fri, Jun 2, 2017 at 12:57 PM, Guido Günther wrote: > Shouldn't this only be added when ceph is in use? > Cheers, > -- Guido > Yeah it is part of a category of rules where in a perfect world we would write virt-aa-helper code for each of them. In this particular case I

Re: [libvirt] [PATCH 01/10] virt-aa-helper: Ask for no deny rule for readonly disk elements

2017-05-19 Thread Christian Ehrhardt
d explanations. See especially [1] for some reasoning for 'R' in general. [1]: http://libvirt.org/git/?p=libvirt.git;a=commit;h=c726af2d5a2248f0dad01201b2fc5231fbd4c20f [2]: http://libvirt.org/git/?p=libvirt.git;a=commit;h=cedd2ab28262db62976b351dbf2a0f8d9f88ca9e -- Christian Ehrhardt Software E

Re: [libvirt] [PATCH 8/8] apparmor, libvirt-qemu: Add ppc64el related changes

2017-05-19 Thread Christian Ehrhardt
On Fri, May 19, 2017 at 9:55 AM, Guido Günther wrote: > LGTM but I don't know much about PPC64, it's SLOF and where the device > tree should be located. > Hi those paths for SLOF are the default one for Debian/Ubuntu at least. $ dpkg -L qemu-slof /. /usr /usr/share

Re: [libvirt] [PATCH v2] storage: use 0711 as the default perms for dirs

2017-05-15 Thread Christian Ehrhardt
thank you a lot! Since we are about to submit a bigger pile of apparmor changes that hint might certainly be handy the next days/weeks. -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd

[libvirt] [PATCH v2] storage: use 0711 as the default perms for dirs

2017-05-15 Thread Christian Ehrhardt
From: Serge Hallyn <serge.hal...@ubuntu.com> There should be no need to make dir based pools world/group readable. So use 0711, not 0755, as the default perms for storage dirs. Updates in v2: - adapt commit wording to mention dropping group readable as well Signed-off-by: Christian Eh

Re: [libvirt] [PATCH] storage: use 0711 as the default perms for dirs

2017-05-15 Thread Christian Ehrhardt
or now I'm just rewording in regard to this and resubmit to the thread. -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd

Re: [libvirt] [PATCH] storage: use 0711 as the default perms for dirs

2017-05-15 Thread Christian Ehrhardt
PM spec - thanks Daniel to point this out. It is 711 on Ubuntu as well for quite some time now. Both together make this even less likely to have hidden drawbacks. -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd

[libvirt] [PATCH] safer default storage dir permissions

2017-05-11 Thread Christian Ehrhardt
Hi, while cleaning out patches that we held for a while on top of libvirt I found this patch of Serge (thanks!) which I think would make just as much sense in the upstream project itself. Or in case the discussion might unveil why it might not make sense, that would also be a win for us to adapt.

[libvirt] [PATCH] storage: use 0711 as the default perms for dirs

2017-05-11 Thread Christian Ehrhardt
From: Serge Hallyn <serge.hal...@ubuntu.com> There should be no need to make dir based pools world readable. So use 0711, not 0755, as the default perms for storage dirs. Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- docs/formatstorage.html.in | 2 +-

Re: [libvirt] [RFC] qemu: monitor: do not report error on shutdown

2017-03-09 Thread Christian Ehrhardt
On Thu, Mar 9, 2017 at 10:54 AM, Christian Ehrhardt < christian.ehrha...@canonical.com> wrote: > In those cases do not report an > internal error like: > "internal error: End of file from qemu monitor" > There is some extra background on the issue that shall be f

[libvirt] [RFC] qemu: monitor: do not report error on shutdown

2017-03-09 Thread Christian Ehrhardt
If a shutdown is expected because it was triggered via libvirt we can also expect the monitor to close. In those cases do not report an internal error like: "internal error: End of file from qemu monitor" Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>

[libvirt] Loosing lxc guests when restarting libvirt

2016-12-20 Thread Christian Ehrhardt
F virsh define /tmp/smoke-lxc.xml virsh start sl virsh list --all # is running now /etc/init.d/libvirtd restart virsh list --all # is no more running, but it should Way more background and detail can be found at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848317 -- Christian Ehrhardt Softwa

Re: [libvirt] [PATCH] apparmor: pass attach_disconnected

2016-12-19 Thread Christian Ehrhardt
Ha intrigeri beat me by 3 minutes with feedback :-) Tested it as well over lunch time, working for me too now: That said: Acked-by Christian Ehrhardt <christian.ehrha...@canonical.com> On Mon, Dec 19, 2016 at 2:35 PM, intrigeri <intrigeri+libv...@boum.org> wrote: > Hi, >

Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-12 Thread Christian Ehrhardt
Acked-by: Christian Ehrhardt <christian.ehrha...@canonical.co> That (just FYI) is also equivalent to https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1615550 On Mon, Dec 12, 2016 at 11:59 AM, intrigeri <intrigeri+libv...@boum.org> wrote: > https://bugzilla.redhat.com/

Re: [libvirt] [PATCH] AppArmor policy: support merged-/usr.

2016-12-12 Thread Christian Ehrhardt
idea who to cc. Given that you come from a Debian point of view if I read mails correctly you might want to add "Guido Günther <a...@sigxcpu.org>" for example. Other than that it is down to waiting and sometimes pinging for response. Also for both patches here my Acked-by: Chris

Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-06 Thread Christian Ehrhardt
nux/man-pages/man5/proc.5.html Quoting from there: "... A thread may modify *its* comm value, or that of any of other thread *in the same thread group* ..." -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd

Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-05 Thread Christian Ehrhardt
explicit TID instead of a pattern. I'm convinced you confirmed your fix working, but I wonder if might want to consider the "owner" part we had. CCing a few people who were involved on the old patch. -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd -- libvir-list ma

Re: [libvirt] [PATCH v2] virt-aa-helper: fix parsing security labels

2016-11-28 Thread Christian Ehrhardt
ewed discussion. -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd

[libvirt] [PATCH v2] virt-aa-helper: fix parsing security labels

2016-11-21 Thread Christian Ehrhardt
lid apparmor profile Updates: v2 - simplified and clarified commit message - make the flag skip all secabel parsing - shorten the new flag name fixes: dfbc9a83 ("apparmor: QEMU monitor socket moved") Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- src/c

Re: [libvirt] [PATCH] fix parsing security labels from virt-aa-helper

2016-11-21 Thread Christian Ehrhardt
On Mon, Nov 21, 2016 at 9:03 AM, Guido Günther wrote: > This should be shortened and clarified (see the other part of the > thread). IMHO the root cause is that we parse the active domain XML but > the live part of the seclabel is not filled in yet. > Ok, reasonable to keep

Re: [libvirt] [PATCH] tests: adapt to gnutls change in dname en-/decoding

2016-11-16 Thread Christian Ehrhardt
tions are changed to return the original non-fully compliant with RFC4514 string format, while the new ones return the compliant string by default. This allows applications which relied on the previous format to continue functioning without changes. -- Christian Ehrhardt Software Engine

[libvirt] [PATCH] tests: adapt to gnutls change in dname en-/decoding

2016-11-16 Thread Christian Ehrhardt
version dependent definition of the wildcard strings used by the tests (older gnutls versions require the old order). Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- tests/virnettlssessiontest.c | 28 1 file changed, 28 insertions(+) diff

[libvirt] fix for recent gnutls behavior change

2016-11-16 Thread Christian Ehrhardt
- if anyone want to reproduce - can be found on https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1641615 But the primary purpose of the cover letter is a call to everybody to think if that change could imply the need for more changes in libvirt than just to make the tests work again. Christian

Re: [libvirt] [PATCH] fix parsing security labels from virt-aa-helper

2016-11-10 Thread Christian Ehrhardt
Sorry, I seem to become a pest more than I'd like to, but my timer on this thread expired again :-) Was the feedback I gave to the questions last week ok to understand the case and maybe reproduce to achieve a ack or do we need to discuss more?

Re: [libvirt] [PATCH] fix parsing security labels from virt-aa-helper

2016-11-04 Thread Christian Ehrhardt
On Thu, Nov 3, 2016 at 6:15 PM, Guido Günther <a...@sigxcpu.org> wrote: Thanks for your feedback Guido! On Mon, Oct 31, 2016 at 11:32:44AM +0100, Christian Ehrhardt wrote: > > When parsing labels virt-aa-helper does no more pass > > VIR_DOMAIN_DEF_PARSE_INACTIVE due to d

Re: [libvirt] [PATCH] fix parsing security labels from virt-aa-helper

2016-11-03 Thread Christian Ehrhardt
Sorry to bother, but "ping" for the list and adding some more people to CC - for review or comments on this.

Re: [libvirt] [PATCH] fix parsing security labels from virt-aa-helper

2016-10-31 Thread Christian Ehrhardt
On Mon, Oct 31, 2016 at 11:32 AM, Christian Ehrhardt < christian.ehrha...@canonical.com> wrote: > But that turned out to break non apparmor seclabels as well as apparmor > seclabels in xmls without labels. > FYI - For a bit extra info on the case, debugging it and in general

[libvirt] [PATCH] fix parsing security labels from virt-aa-helper

2016-10-31 Thread Christian Ehrhardt
stcase with virt-aa-helper on xml file: virt-aa-helper -d -r -p 0 -u libvirt- < your-guest.xml virt-aa-helper: error: could not parse XML virt-aa-helper: error: could not get VM definition (That should have printed a valid apparmor profile) Signed-off-by: Christian Ehrhardt <christian.ehrha

Re: [Libvir] big-endian support for libvirt - introduce GUEST_HANDLE infrastructure ?

2007-07-12 Thread Christian Ehrhardt
Hollis Blanchard wrote: On Wed, 2007-07-11 at 15:48 +0200, Christian Ehrhardt wrote: thanks a lot ! Does this fix all the libvirt proper platform issues (i.e. independently of possible xen specific ones) ? Yes it fixes them as far as they are currently known to me. As I wrote

Re: [Libvir] big-endian support for libvirt - introduce GUEST_HANDLE infrastructure ?

2007-07-11 Thread Christian Ehrhardt
- used size for the padding and I like that kind of readability. -- Grüsse / regards, Christian Ehrhardt IBM Linux Technology Center, Open Virtualization +49 7031/16-3385 [EMAIL PROTECTED] [EMAIL PROTECTED] IBM Deutschland Entwicklung GmbH Vorsitzender des Aufsichtsrats: Johann Weihen

Re: [Libvir] big-endian support for libvirt - introduce GUEST_HANDLE infrastructure ?

2007-07-11 Thread Christian Ehrhardt
Daniel Veillard wrote: On Wed, Jul 11, 2007 at 02:11:38PM +0200, Christian Ehrhardt wrote: [...] yes the only potential problem would be with other architectures where __BIG_ENDIAN__ is defined and where the relative size of pointers and long would be different. We can change

Re: [Libvir] big-endian support for libvirt - introduce GUEST_HANDLE infrastructure ?

2007-07-10 Thread Christian Ehrhardt
, there are related tracebacks in xend.log *change number of cpu's *create virtual network -- Grüsse / regards, Christian Ehrhardt IBM Linux Technology Center, Open Virtualization +49 7031/16-3385 [EMAIL PROTECTED] [EMAIL PROTECTED] IBM Deutschland Entwicklung GmbH Vorsitzender des Aufsichtsrats

[Libvir] big-endian support for libvirt - introduce GUEST_HANDLE infrastructure ?

2007-07-06 Thread Christian Ehrhardt
as the valid 0x. P.S. Thanks Hollis for the simple example code -- Grüsse / regards, Christian Ehrhardt IBM Linux Technology Center, Open Virtualization +49 7031/16-3385 [EMAIL PROTECTED] [EMAIL PROTECTED] IBM Deutschland Entwicklung GmbH Vorsitzender des Aufsichtsrats: Johann
