Andrea Bolognani:
> Are you okay with changing the authorship email
> address so that it matches the S-o-b and pushing the patch?
If you don't mind doing it yourself, sure, go ahead :)
Thanks!
--
intrigeri
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/m
From: intrigeri
Add hppa, nios2, or1k, riscv32 and riscv64 to the profile.
Fixes: https://bugs.debian.org/914940
Signed-off-by: intrigeri
Reviewed-by: Andrea Bolognani
---
src/security/apparmor/libvirt-qemu | 5 +
1 file changed, 5 insertions(+)
diff --git a/src/security/apparmor
v2 following up to Andrea Bolognani's review (thanks!)
- Adds missing Signed-off-by tag
- Improves commit message
- Adds Reviewed-by Andrea Bolognani
From: intrigeri
Fixes: https://bugs.debian.org/914940
---
src/security/apparmor/libvirt-qemu | 5 +
1 file changed, 5 insertions(+)
diff --git a/src/security/apparmor/libvirt-qemu
b/src/security/apparmor/libvirt-qemu
index 474aaefdf8..165558fe83 100644
--- a/src/security/apparmor/libvirt
usion of that discussion has been applied consistently
(although implicitly): 4 commits of mine have been applied to Git
since Daniel wrote that this was a valid exception, and nobody raised
this topic again until today.
Cheers,
--
intrigeri
t.
> And I'd ask for an opinion on the "other" paths I listed - I can only
> recommend adding as much as we can commonly agree to be useful.
> To avoid coming back every few months adding another such line :-)
Indeed. Perhaps next step is to c
From: intrigeri
As reported on https://bugs.debian.org/892431, without this rule, when launching
a QEMU KVM instance, an error occurs immediately upon launching the QEMU
process such as:
Could not open backing file: Could not open
'/var/lib/nova/instances/_base
> + signal (send) set=("kill", "term") peer=unconfined,
+1
Reviewed-by: intrig...@boum.org
Cheers,
--
intrigeri
lls so
it's out of my league.
> But until then the rule here is required to not get into awkward situations.
> +1 from me, thanks intrigeri
Thanks :)
From: intrigeri <intrigeri+libv...@boum.org>
On startup libvirtd runs a number of QEMU processes unconfined such as:
/usr/bin/qemu-system-x86_64 -S -no-user-config -nodefaults -nographic
-machine none,accel=kvm:tcg -qmp
unix:/var/lib/libvirt/qemu/capabilities.monitor.sock,server,
Cédric Bosdonnat:
> * to handle /var/run not being a symlink to /run
Does this still really exist in any distro that has chances to run
a recent libvirt?
If yes, then:
> - /run/libvirt/**/[sv]d[a-z] r
> + /{,var/}run/libvirt/**/[sv]d[a-z] r,
+1
And in any case, +1 the missing comma.
--
Hi,
Cedric Bosdonnat:
> On Tue, 2017-12-12 at 15:01 +0100, intrigeri wrote:
>> Cédric Bosdonnat:
>> > This commit helps users allowing access to their images by adding their
>> > own rules in apparmor.d/local/usr.lib.libvirt.virt-aa-helper.
>> > […]
>>
Christian Ehrhardt:
> Great point intrigeri!
> #1
> At least as far as my history analysis went this was triggered by ceph
> having the support for lttng enabled.
> Not by actually (trying to) enable the LTT-ng tracking.
> While being disabled in ceph package since the
Christian Ehrhardt:
> Adding the PKI path that is used as default suggestion in src/qemu/qemu.conf
> If people use non-default paths they should use local overrides but the
> suggested defaults we should open up.
> This is the default path as referenced by src/qemu/qemu.conf in libvirt.
> While
Hi,
Jamie Strandboge:
> On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote:
>> examples/apparmor/usr.lib.libvirt.virt-aa-helper | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
>>
ese...
I concur with Jamie: I'd rather avoid spreading copies of these
rules around if we can.
Cheers,
--
intrigeri
Christian Ehrhardt:
> From: Jamie Strandboge
> Allows (multi-arch enabled) access to libraries under the
> /usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu
> qemu-block-extra package and all such libs for the paths
> of rpm qemu-block-* packages.
> Bug-Ubuntu:
140)
/etc/pki/CA/ r,
/etc/pki/CA/* r,
/etc/pki/libvirt{,-spice,-vnc}/ r,
/etc/pki/libvirt{,-spice,-vnc}/** r,
What do you think?
Cheers,
--
intrigeri
s/devices/**/usb[0-9]*/** r,
I think I've already upstream'ed this 4 months ago: commit
e7f5d627f93c1c71260d2a795a1227b16b0d3186.
Maybe rebase your patch series on top of the current upstream
master branch? :)
Cheers,
--
intrigeri
Christian Ehrhardt:
> Allows read access to /sys/module/vhost/parameters/max_mem_regions.
Same as patch 03, already done back in August.
ugging, with these added rules it'll be hard to discover why it
does not work.
Thanks in advance!
Cheers,
--
intrigeri
Jamie Strandboge:
>> --- a/examples/apparmor/libvirt-qemu
>> +++ b/examples/apparmor/libvirt-qemu
>> @@ -81,6 +81,7 @@
>>/usr/share/proll/** r,
>>/usr/share/vgabios/** r,
>>/usr/share/seabios/** r,
>> + /usr/share/misc/sgabios.bin r,
>>/usr/share/ovmf/** r,
>>
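Review bot: the added `/usr/share/misc/sgabios.bin r,` is scoped to a single file, which is narrower than the neighbouring `/usr/share/vgabios/** r,` and `/usr/share/seabios/** r,` directory globs; keep it that way rather than widening to `/usr/share/misc/** r,`, since /usr/share/misc is shared by many unrelated packages and a read rule there would expose far more than the one firmware image QEMU needs.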
Hi,
Cedric Bosdonnat:
> Has that one landed in abyssal depths of the mailing list?
Well, no, it's waiting for your comments about my feedback:
https://www.redhat.com/archives/libvir-list/2017-December/msg00389.html
Thanks for pinging!
(Sorry I did not put you in explicit copy, I assumed you
an mentioned, we
> discussed that this is the best option for the moment. +1 to apply.
> Thanks for the patch!
Same here, these rules are much less problematic than they look
at first glance ⇒ +1
Cheers,
--
intrigeri
Hi,
Cédric Bosdonnat:
> This commit helps users allowing access to their images by adding their
> own rules in apparmor.d/local/usr.lib.libvirt.virt-aa-helper.
> […]
> profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
>#include
> + #include
The packaging helper we use in
use, so I was wondering if we should allow this operation or
just ignore the denial & silence the logs. Now that we understand what
it is about, I agree we should allow it. Denying this access would
make it harder to debug issues in the future e.g. if QEMU ever starts
needing it for other, more cri
From: intrigeri <intrigeri+libv...@boum.org>
This set of rules was proposed by Christian Boltz <appar...@cboltz.de>
on https://bugzilla.opensuse.org/show_bug.cgi?id=1065123.
---
examples/apparmor/usr.sbin.libvirtd | 15 +++
1 file changed, 15 insertions(+)
diff --gi
From: intrigeri <intrigeri+libv...@boum.org>
---
examples/apparmor/libvirt-qemu | 4
examples/apparmor/usr.sbin.libvirtd | 4
2 files changed, 8 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 064501f08e..73bdbae872
Changes since v3:
- don't add in 1/2 blanket catch-all mount rule that 2/2 was replacing anyway
From: intrigeri <intrigeri+libv...@boum.org>
---
examples/apparmor/libvirt-qemu | 4
examples/apparmor/usr.sbin.libvirtd | 6 ++
2 files changed, 10 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 97dd2d45a9..9d487bf92f
Changes since v2:
- made signal rules broader, as suggested by Jamie Strandboge
and indeed my tests confirm v2 was too
strict;
- allowed libvirtd "ptrace (read)" on libvirt-* guests, as suggested
by Jamie Strandboge
- added fine-grained
From: intrigeri <intrigeri+libv...@boum.org>
This set of rules was proposed by Christian Boltz <appar...@cboltz.de>
on https://bugzilla.opensuse.org/show_bug.cgi?id=1065123.
---
examples/apparmor/usr.sbin.libvirtd | 15 ++-
1 file changed, 14 insertions(+), 1 deletion(-)
Hi,
thanks Jamie for this review. All your suggestions make sense to me,
I'll implement + test them and will re-submit as v3.
Cheers,
--
intrigeri
From: intrigeri <intrigeri+libv...@boum.org>
---
examples/apparmor/libvirt-qemu | 2 ++
examples/apparmor/usr.sbin.libvirtd | 6 ++
2 files changed, 8 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index b341e31f42..5994a35042
[PATCH v2] AppArmor: add rules needed with additional mediation features
Changes since v1:
- remove unneeded "network unix" rules added by v1: they were only
needed due to a bug in apparmor_parser, that was fixed in AppArmor
2.11.1 since then;
- move the "network netlink raw" rule to
intrigeri:
> + network unix dgram,
> + network unix stream,
Hold on, these two rules are probably not needed (chances are that
they were needed due to a bug in the AppArmor parser, that got fixed
in 2.11.1). I'll double-check tomorrow. Sorry for the noise!
---
examples/apparmor/libvirt-qemu | 2 ++
examples/apparmor/usr.sbin.libvirtd | 9 +
2 files changed, 11 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index b341e31f42..5994a35042 100644
--- a/examples/apparmor/libvirt-qemu
+++
l for :)
Take care,
cheers,
--
intrigeri
Hi,
Jamie Strandboge:
> On Fri, 2017-09-15 at 17:17 +0200, Guido Günther wrote:
>> Otherwise we fail to reconnect to /dev/net/tun opened by libvirtd
>> like
I confirm I see the bug on current Debian sid and Guido's patch
fixes it. Please commit :)
Cheers,
--
intrigeri
--
libv
>> +"/usr/share/qemu-efi/", /* for AAVMF images */
>> +"/usr/share/qemu-efi-aarch64/" /* for AAVMF images */
>> };
>> /* override the above with these */
>> const char * const override[] = {
> +1. LGTM
+1 too after verifyi
-level AppArmor
perspective, the proposed change seems entirely harmless.
Cheers,
--
intrigeri
---
examples/apparmor/libvirt-qemu | 6 ++
1 file changed, 6 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index f462d7428c..dcfb1a5985 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -169,3 +169,9 @@
better :)
Cheers,
--
intrigeri
> "open" info="Failed name lookup - disconnected
> path" error=-13 profile="/usr/sbin/libvirtd" name="" pid=1422 comm="libvirtd"
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> ---
> Thanks to intrigeri for the suggestion!
Te
anywhere in our docs, but it makes sense if
>> there is a need for anything related to attributions or copyrights.
> I just assumed "intrigeri" is a real name :-)
I have no ID with "intrigeri" written on it, so you may consider it's
not a "real name".
However,
https://bugzilla.redhat.com/show_bug.cgi?id=1369281
---
examples/apparmor/libvirt-qemu | 3 +++
1 file changed, 3 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 11381d4df0..fdb5a23291 100644
--- a/examples/apparmor/libvirt-qemu
+++
Hi,
Jamie Strandboge:
> Changes LGTM.
[Disclaimer: I'm new to submitting patches to libvirt.]
What's the process to get this merged, now that Jamie has ack'ed the
proposed changes?
Cheers,
--
intrigeri
Jamie Strandboge:
> This rule would allow any confined guest to change the 'comm' value of any
> task
> on the system, if the system otherwise allowed it.
Right. Fixed with the 'owner' prefix in my v2 patch, as suggested
by Christian.
Cheers,
--
intrigeri
https://bugzilla.redhat.com/show_bug.cgi?id=1369281
---
examples/apparmor/libvirt-qemu | 1 +
1 file changed, 1 insertion(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 11381d4df0..10d2ac958c 100644
--- a/examples/apparmor/libvirt-qemu
+++
https://bugzilla.redhat.com/show_bug.cgi?id=1369281
---
examples/apparmor/libvirt-qemu | 1 +
1 file changed, 1 insertion(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 11381d4df0..a07291d583 100644
--- a/examples/apparmor/libvirt-qemu
+++
From: intrigeri <intrig...@debian.org>
---
examples/apparmor/libvirt-qemu | 8
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 2 +-
examples/apparmor/usr.sbin.libvirtd | 4 ++--
3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/ex
Hi,
> Stefan Bader wrote (20 May 2015 10:11:45 GMT) :
> intrigeri wrote (15 Jun 2015 15:09:11 GMT) :
> My (possibly incomplete) records say that I've tested the latest
> proposed patch set back in February (<85iof8v6j5@boum.org>).
>> Since I lost most context by no
. Thanks!
Cheers,
--
intrigeri
Hi,
this patchset breaks the test suite for me once applied on top of the
debian/experimental branch (while the test suite passes fine without
these patches there). Sorry, no time to look into it further today.
Cheers,
--
intrigeri
, the proposed logic looks fine to me. I'm not skilled
enough at C to review the actual patch, though.
Cheers,
--
intrigeri
in my environment (applied on top of 1.2.18)
so I'm forwarding it here.
[1] https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1483071
Cheers,
--
intrigeri
From 0b1f1318125a8f9d4460641b6d216d7657dc0d1e Mon Sep 17 00:00:00 2001
From: intrigeri intrig...@debian.org
Date: Wed, 12 Aug 2015 14:48:53
will try to find my most recent proposal
again and try to get it moved into present state of packages.
Thanks!
Cheers,
--
intrigeri
Hi Stefan,
any news on what follows? Now that Ubuntu 15.04 has been released,
perhaps you'll be able to allocate some cycles to it? :)
intrigeri wrote (11 Feb 2015 14:58:54 GMT) :
Hi Stefan and others,
Stefan Bader wrote (21 Oct 2014 11:50:24 GMT) :
On 20.10.2014 12:48, Stefan Bader wrote
Hi Stefan and others,
Stefan Bader wrote (21 Oct 2014 11:50:24 GMT) :
On 20.10.2014 12:48, Stefan Bader wrote:
On 19.10.2014 17:07, intrigeri wrote:
Cool, I've tested this. I've imported these two patches in Debian's
1.2.9-3 quilt series, made the build system use dh-autoreconf (the
build
]: Leaving directory '/tmp/buildd/libvirt-1.2.9/debian/build'
dh_auto_build: make -j5 returned exit code 2
debian/rules:126: recipe for target 'build' failed
make: *** [build] Error 2
Any hint?
Cheers,
--
intrigeri
,
--
intrigeri
distro shipping
a different version writes the same kind of hacks.
Cheers,
--
intrigeri
-submitting.
What is missing to get these patches merged, then?
(Apart from porting them to the latest version again, of course :)
Regards,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
.
Ticket: https://bugzilla.redhat.com/show_bug.cgi?id=922495
Thanks for your work on libvirt!
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc