Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

On Mon, Jul 30, 2012 at 06:33:54PM -0600, Jim Fehlig wrote: Laine Stump wrote: The way that I think the problem should be solved is this: 1) All of the network-related functionality in the system instance of libvirt that is used by the qemu, lxc, etc. drivers internal to libvirt

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

Quoting Jamie Strandboge ja...@canonical.com: On Mon, 2012-07-09 at 10:22 -0400, rmar...@linux.vnet.ibm.com wrote: Quoting Jamie Strandboge ja...@canonical.com: On Tue, 2012-07-03 at 12:05 -0400, rmar...@linux.vnet.ibm.com wrote: Quoting Jamie Strandboge ja...@canonical.com: On Fri,

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

On 07/27/2012 04:00 PM, Laine Stump wrote: On 07/26/2012 11:54 PM, Corey Bryant wrote: On 07/26/2012 10:30 AM, rmar...@linux.vnet.ibm.com wrote: Quoting Jamie Strandboge ja...@canonical.com: On Mon, 2012-07-09 at 10:22 -0400, rmar...@linux.vnet.ibm.com wrote: Quoting Jamie Strandboge

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

On Tue, Jul 31, 2012 at 11:26:05AM -0400, Corey Bryant wrote: At this point I wonder if we might be able to get away with no XML modifications since we know that we only want to attempt to run the helper when libvirt is running unprivileged. I certainly don't expect there to be any changes

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

On 07/31/2012 12:06 PM, Daniel P. Berrange wrote: On Tue, Jul 31, 2012 at 11:26:05AM -0400, Corey Bryant wrote: At this point I wonder if we might be able to get away with no XML modifications since we know that we only want to attempt to run the helper when libvirt is running unprivileged.

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

Laine Stump wrote: The way that I think the problem should be solved is this: 1) All of the network-related functionality in the system instance of libvirt that is used by the qemu, lxc, etc. drivers internal to libvirt (including the nwfilter subsystem, and everything in bridge_driver.c)

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

Quoting Corey Bryant cor...@linux.vnet.ibm.com: On 07/26/2012 10:30 AM, rmar...@linux.vnet.ibm.com wrote: Quoting Jamie Strandboge ja...@canonical.com: On Mon, 2012-07-09 at 10:22 -0400, rmar...@linux.vnet.ibm.com wrote: Quoting Jamie Strandboge ja...@canonical.com: On Tue, 2012-07-03

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

On 07/26/2012 11:54 PM, Corey Bryant wrote: On 07/26/2012 10:30 AM, rmar...@linux.vnet.ibm.com wrote: Quoting Jamie Strandboge ja...@canonical.com: On Mon, 2012-07-09 at 10:22 -0400, rmar...@linux.vnet.ibm.com wrote: Quoting Jamie Strandboge ja...@canonical.com: On Tue, 2012-07-03 at 12:05

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

Quoting Jamie Strandboge ja...@canonical.com: On Mon, 2012-07-09 at 10:22 -0400, rmar...@linux.vnet.ibm.com wrote: Quoting Jamie Strandboge ja...@canonical.com: On Tue, 2012-07-03 at 12:05 -0400, rmar...@linux.vnet.ibm.com wrote: Quoting Jamie Strandboge ja...@canonical.com: On Fri,

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

On 07/26/2012 10:30 AM, rmar...@linux.vnet.ibm.com wrote: Quoting Jamie Strandboge ja...@canonical.com: On Mon, 2012-07-09 at 10:22 -0400, rmar...@linux.vnet.ibm.com wrote: Quoting Jamie Strandboge ja...@canonical.com: On Tue, 2012-07-03 at 12:05 -0400, rmar...@linux.vnet.ibm.com wrote:

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

Quoting Jamie Strandboge ja...@canonical.com: On Tue, 2012-07-03 at 12:05 -0400, rmar...@linux.vnet.ibm.com wrote: Quoting Jamie Strandboge ja...@canonical.com: On Fri, 2012-06-29 at 14:08 -0400, rmar...@linux.vnet.ibm.com wrote: From: Richa Marwaha rmar...@linux.vnet.ibm.com This patch

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

On Mon, 2012-07-09 at 10:22 -0400, rmar...@linux.vnet.ibm.com wrote: Quoting Jamie Strandboge ja...@canonical.com: On Tue, 2012-07-03 at 12:05 -0400, rmar...@linux.vnet.ibm.com wrote: Quoting Jamie Strandboge ja...@canonical.com: On Fri, 2012-06-29 at 14:08 -0400,

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

On Tue, 2012-07-03 at 12:05 -0400, rmar...@linux.vnet.ibm.com wrote: Quoting Jamie Strandboge ja...@canonical.com: On Fri, 2012-06-29 at 14:08 -0400, rmar...@linux.vnet.ibm.com wrote: From: Richa Marwaha rmar...@linux.vnet.ibm.com This patch provides AppArmor policy updates for the QEMU

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

Quoting Jamie Strandboge ja...@canonical.com: On Fri, 2012-06-29 at 14:08 -0400, rmar...@linux.vnet.ibm.com wrote: From: Richa Marwaha rmar...@linux.vnet.ibm.com This patch provides AppArmor policy updates for the QEMU bridge helper. The QEMU bridge helper is a SUID executable exec'd by QEMU

Re: [libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

On Fri, 2012-06-29 at 14:08 -0400, rmar...@linux.vnet.ibm.com wrote: From: Richa Marwaha rmar...@linux.vnet.ibm.com This patch provides AppArmor policy updates for the QEMU bridge helper. The QEMU bridge helper is a SUID executable exec'd by QEMU that drops capabilities to CAP_NET_ADMIN and

[libvirt] [Patch v2 3/3] apparmor: QEMU bridge helper policy updates

From: Richa Marwaha rmar...@linux.vnet.ibm.com This patch provides AppArmor policy updates for the QEMU bridge helper. The QEMU bridge helper is a SUID executable exec'd by QEMU that drops capabilities to CAP_NET_ADMIN and adds a tap device to a network bridge. Signed-off-by: Richa Marwaha