as the valid 0x.
P.S. Thanks Hollis for the simple example code
--
Grüsse / regards,
Christian Ehrhardt
IBM Linux Technology Center, Open Virtualization
+49 7031/16-3385
[EMAIL PROTECTED]
[EMAIL PROTECTED]
IBM Deutschland Entwicklung GmbH
Vorsitzender des Aufsichtsrats: Johann
,
there are related tracebacks in xend.log
*change number of cpu's
*create virtual network
- used size for the
padding and I like that kind of readability.
Daniel Veillard wrote:
On Wed, Jul 11, 2007 at 02:11:38PM +0200, Christian Ehrhardt wrote:
[...]
yes the only potential problem would be with other architectures where
__BIG_ENDIAN__ is defined and where the relative size of pointers and long
would be different.
We can change
Hollis Blanchard wrote:
On Wed, 2007-07-11 at 15:48 +0200, Christian Ehrhardt wrote:
thanks a lot ! Does this fix all the libvirt proper platform issues
(i.e. independently of possible xen specific ones) ?
Yes it fixes them as far as they are currently known to me.
As I wrote
Sorry, I seem to become a pest more than I'd like to, but my timer on this
thread expired again :-)
Was the feedback I gave to the questions last week ok to understand the
case and maybe reproduce to achieve an ack or do we need to discuss more?
--
libvir-list mailing list
libvir-list@redhat.com
ewed discussion.
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
tions are changed to return the original
non-fully compliant with RFC4514 string format, while the new
ones return the compliant string by default. This allows applications
which relied on the previous format to continue functioning without
changes.
version dependent definition of the wildcard strings
used by the tests (older gnutls versions require the old order).
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
---
tests/virnettlssessiontest.c | 28
1 file changed, 28 insertions(+)
diff
- if anyone want to reproduce - can be found on
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1641615
But the primary purpose of the cover letter is a call to everybody to think if
that change could imply the need for more changes in libvirt than just to make
the tests work again.
Christian
On Mon, Nov 21, 2016 at 9:03 AM, Guido Günther wrote:
> This should be shortened and clarified (see the other part of the
> thread). IMHO the root cause is that we parse the active domain XML but
> the live part of the seclabel is not filled in yet.
>
Ok, reasonable to keep
lid apparmor profile
Updates:
v2
- simplified and clarified commit message
- make the flag skip all seclabel parsing
- shorten the new flag name
fixes: dfbc9a83 ("apparmor: QEMU monitor socket moved")
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
---
src/c
Sorry to bother, but "ping" for the list and adding some more people to CC
- for review or comments on this.
On Mon, Oct 31, 2016 at 11:32 AM, Christian Ehrhardt <
christian.ehrha...@canonical.com> wrote:
> But that turned out to break non apparmor seclabels as well as apparmor
> seclabels in xmls without labels.
>
FYI - For a bit extra info on the case, debugging it and in general
stcase with virt-aa-helper on xml file:
virt-aa-helper -d -r -p 0 -u libvirt- < your-guest.xml
virt-aa-helper: error: could not parse XML
virt-aa-helper: error: could not get VM definition
(That should have printed a valid apparmor profile)
Signed-off-by: Christian Ehrhardt <christian.ehrha
On Thu, Nov 3, 2016 at 6:15 PM, Guido Günther <a...@sigxcpu.org> wrote:
Thanks for your feedback Guido!
On Mon, Oct 31, 2016 at 11:32:44AM +0100, Christian Ehrhardt wrote:
> > When parsing labels virt-aa-helper does no more pass
> > VIR_DOMAIN_DEF_PARSE_INACTIVE due to d
Acked-by: Christian Ehrhardt <christian.ehrha...@canonical.co>
That (just FYI) is also equivalent to
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1615550
On Mon, Dec 12, 2016 at 11:59 AM, intrigeri <intrigeri+libv...@boum.org>
wrote:
> https://bugzilla.redhat.com/
idea who to cc.
Given that you come from a Debian point of view if I read mails correctly
you might want to add "Guido Günther <a...@sigxcpu.org>" for example.
Other than that it is down to waiting and sometimes pinging for response.
Also for both patches here my Acked-by: Chris
nux/man-pages/man5/proc.5.html
Quoting from there: "... A thread may modify *its* comm value, or that of
any of other thread *in the same thread group* ..."
explicit TID instead of a
pattern.
I'm convinced you confirmed your fix working, but I wonder if might want to
consider the "owner" part we had.
CCing a few people who were involved on the old patch.
F
virsh define /tmp/smoke-lxc.xml
virsh start sl
virsh list --all
# is running now
/etc/init.d/libvirtd restart
virsh list --all
# is no more running, but it should
Way more background and detail can be found at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848317
Ha intrigeri beat me by 3 minutes with feedback :-)
Tested it as well over lunch time, working for me too now:
That said:
Acked-by Christian Ehrhardt <christian.ehrha...@canonical.com>
On Mon, Dec 19, 2016 at 2:35 PM, intrigeri <intrigeri+libv...@boum.org>
wrote:
> Hi,
>
If a shutdown is expected because it was triggered via libvirt we can
also expect the monitor to close. In those cases do not report an
internal error like:
"internal error: End of file from qemu monitor"
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
On Thu, Mar 9, 2017 at 10:54 AM, Christian Ehrhardt <
christian.ehrha...@canonical.com> wrote:
> In those cases do not report an
> internal error like:
> "internal error: End of file from qemu monitor"
>
There is some extra background on the issue that shall be f
s now get
that permission, but no other rules are changed, example:
- "/var/lib/uvtool/libvirt/images/kvmguest-artful-normal-a2.qcow" rw,
+ "/var/lib/uvtool/libvirt/images/kvmguest-artful-normal-a2.qcow" rwk
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonic
On Thu, Aug 10, 2017 at 11:19 AM, Christian Ehrhardt <
christian.ehrha...@canonical.com> wrote:
> Testing qemu-2.10-rc2 shows issues like:
> qemu-system-x86_64: -drive file=/var/lib/uvtool/libvirt/images/kvmguest-
> \
> artful-normal.qcow,format=qcow2,if=none,id=drive-virtio
Ping - opinions on this or is it ready to be committed?
On this reply setting Guido on CC as he has experience on apparmor patches
in libvirt and commit rights.
On Fri, Aug 11, 2017 at 8:58 PM, intrigeri <intrigeri+libv...@boum.org>
wrote:
> Hi,
>
> Christian Ehrhardt:
>
ck" [...]
name="/home/ubuntu/vm-start-stop/vms/7936-0_CODE.fd"
name="/var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow"
[...] comm="qemu-system-aarch64" requested_mask="k" denied_mask="k"
The profile needs to allow locking for load
a v2 which states so more explicitly.
On Thu, Aug 17, 2017 at 1:23 PM, Michal Privoznik <mpriv...@redhat.com>
wrote:
> On 08/17/2017 10:55 AM, Christian Ehrhardt wrote:
> > Testing qemu-2.10-rc3 shows issues like:
> > qemu-system-aarch64: -drive file=/home/ubuntu/vm-start
, add that as
the default attribute just as it was added in the past.
Example of the verification error:
$ virt-xml-validate mytest.xml
Relax-NG validity error : Extra element devices in interleave
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
---
src
ng store info added.
But as outlined above, at the point virt-aa-helper runs now the necessary
backingStore data seems to be missing.
I couldn't find the related change or a way to fix it so far, so any hints
are welcome.
On Sat, Jul 15, 2017 at 12:27 AM, Jim Fehlig <jfeh...@suse.com> wrote:
> On 07/11/2017 08:15 AM, Christian Ehrhardt wrote:
>
>>
>> What happens is that before the changes this auto-added a driver section
>> like:
>>
>> But now it does only add
>>
On said example:
Libvirt 2.5:
Breakpoint 1, 0x3fffb7c77ba8 in virDomainDiskDefForeachPath
(disk=0x200ab490, ignoreOpenFailure=true, iter=0x20011dc0 ,
opaque=0x3fffef70) at ../../../src/conf/domain_conf.c:24851
$1 = (virStorageSourcePtr) 0x200ab630
(gdb) p disk->src->path
$2 = 0x200a9ff0
Hi,
I was misled by my former assumption on the lifecycle.
As virt-aa-helper gets its xml passed into stdin.
I captured that and found that in both cases it had the same content.
Below steps to reproduce based on that:
Test -Xml:
kvmguest-artful-normal-a2
On Mon, Jul 17, 2017 at 8:17 PM, Christian Ehrhardt <
christian.ehrha...@canonical.com> wrote:
>
> So it is the parsing of the XML into objects I have to track down.
> Maybe it is even some Ubuntu Delta that no more correctly matches.
> Will run on build from upstream master a
ou if you could take a look into this?
Not sure how stupid it might be so clearly just a very humble RFC, but the
following seems to work for me:
Therefore no nicely polished patch, but just inline diff
--- a/src/libxl/libxl_domain.c
+++ b/src/libxl/libxl_domain.c
@@ -367,8 +367,9 @@
int actual_type =
On Mon, Jul 17, 2017 at 8:40 PM, Christian Ehrhardt <
christian.ehrha...@canonical.com> wrote:
>
>
> On Mon, Jul 17, 2017 at 8:17 PM, Christian Ehrhardt <
> christian.ehrha...@canonical.com> wrote:
>>
>> So it is the parsing of the XML into objects I have to
s you won't need
all three, but I happily give them all to you :-)
Thanks a lot Peter!
Acked-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
Reported-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
Tested-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
We had the same rule for some time, it just is ordered later in our
submission stack and not yet pushed by me or Stefan for review.
But since we have the same rules for quite some time working fine I'm
clearly acking that.
Thanks intrigeri!
Acked-by: Christian Ehrhardt <christian.eh
or now I'm just rewording in regard to
this and resubmit to the thread.
From: Serge Hallyn <serge.hal...@ubuntu.com>
There should be no need to make dir based pools world/group readable.
So use 0711, not 0755, as the default perms for storage dirs.
Updates in v2:
- adapt commit wording to mention dropping group readable as well
Signed-off-by: Christian Eh
thank you a lot!
Since we are about to submit a bigger pile of apparmor changes that hint
might certainly be handy the next days/weeks.
PM spec - thanks Daniel to point this out.
It is 711 on Ubuntu as well for quite some time now.
Both together make this even less likely to have hidden drawbacks.
Hi,
while cleaning out patches that we held for a while on top of libvirt
I found this patch of Serge (thanks!) which I think would make just as
much sense in the upstream project itself.
Or in case the discussion might unveil why it might not make sense,
that would also be a win for us to adapt.
From: Serge Hallyn <serge.hal...@ubuntu.com>
There should be no need to make dir based pools world readable.
So use 0711, not 0755, as the default perms for storage dirs.
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
---
docs/formatstorage.html.in | 2 +-
On Fri, May 19, 2017 at 9:55 AM, Guido Günther wrote:
> LGTM but I don't know much about PPC64, it's SLOF and where the device
> tree should be located.
>
Hi those paths for SLOF are the default one for Debian/Ubuntu at least.
$ dpkg -L qemu-slof
/.
/usr
/usr/share
d
explanations.
See especially [1] for some reasoning for 'R' in general.
[1]:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=c726af2d5a2248f0dad01201b2fc5231fbd4c20f
[2]:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=cedd2ab28262db62976b351dbf2a0f8d9f88ca9e
On Fri, Jun 2, 2017 at 12:57 PM, Guido Günther wrote:
> Shouldn't this only be added when ceph is in use?
> Cheers,
> -- Guido
>
Yeah it is part of a category of rules where in a perfect world we would
write virt-aa-helper code for each of them.
In this particular case I
anularily via virt-aa-helper - but otherwise
please let me know - I'll then add it to a bunch of issues of the category
"needs to be done in virt-aa-helper" which I already track.
> +VIR_STRDUP(cfg->firmwares[2]->nvram,
> VIR_QEMU_OVMF_SEC_NVRAM_PATH) < 0 ||
> +VIR_STRDUP(cfg->firmwares[3]->name,
> VIR_QEMU_AAVMF32_LOADER_PATH) < 0 ||
> +VIR_STRDUP(cfg->firmwares[3]->nvram,
> VIR_QEMU_AAVMF32_NVRAM_PATH) < 0)
> goto error;
> #endif
>
> --
> 2.11.0
>
]: http://paste.ubuntu.com/25570670/
[2]: http://paste.ubuntu.com/25570673/
[3]: http://paste.ubuntu.com/25570720/
using now as a workaround.
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
---
examples/apparmor/libvirt-qemu | 3 +++
1 file changed, 3 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index dcfb1a5..b341e31 100644
--- a/examples/
unconditionally sets virHostdevFindUSBDevice mandatory attribute as
adding an apparmor rule for a device not found makes no sense no matter
what startup policy it has set.
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
---
src/security/virt-aa-helper.c | 4
1 file changed, 4 insert
schema
should do so.
Apparmor rules are in quotes, so a space in a path based on the name works.
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
---
src/security/virt-aa-helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/security/virt-aa-he
To avoid any issues later on if paths ever change (unlikely but
possible) and to match the style of other generated rules the paths
of the static rules have to be quoted as well.
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
---
src/security/virt-aa-helper.c | 6 +++
to that and
submit them today.
Christian Ehrhardt (4):
virt-aa-helper: fix paths for usb hostdevs
virt-aa-helper: fix libusb access to udev usb data
virt-aa-helper: allow spaces in vm names
virt-aa-helper: put static rules in quotes
examples/apparmor/libvirt-qemu | 3 +++
src/security/virt-aa-helper.c
On Fri, Sep 29, 2017 at 4:58 PM, Michal Privoznik <mpriv...@redhat.com>
wrote:
> On 09/20/2017 04:59 PM, Christian Ehrhardt wrote:
> > If users only specified vendor (the common case) then parsing
> > the xml via virDomainHostdevSubsysUSBDefParseXML would only set these.
>
eer=unconfined,
> > > + ptrace (trace) peer=/usr/sbin/libvirtd,
> > > + ptrace (trace) peer=libvirt-*,
> > > +
> >
> > This works here too! And I can even drop the first rule (ptrace (trace)
> > peer=unconfined) and things still work (and from reading the profile and
> > Jamie's explanations it should work without it). Can you check if that
> > works for you too? Otherwise:
> >
> > Reviewed-By: Guido Günther <a...@sigxcpu.org>
>
> I've pushed that patch as is since without the unconfined ptrace we're
> seeing denials with gnome-boxes and virsh.
> Cheers,
> -- Guido
>
> >
> >
> > ># Very lenient profile for libvirtd since we want to first focus on
> confining
> > ># the guests. Guests will have a very restricted profile.
> > >/ r,
> > > --
> > > 2.14.1
> > >
> >
gards,
> Daniel
> --
> |: https://berrange.com -o-https://www.flickr.com/photos/
> dberrange :|
> |: https://libvirt.org -o-
> https://fstop138.berrange.com :|
> |: https://entangle-photo.org-o-https://www.instagram.com/
> dberrange :|
>
--
I did an in-place replacement of gnulib to the latest from gnulib upstream
but the issue stays.
So for the time being I'd assume it is not yet solved there.
On Wed, Sep 27, 2017 at 11:36 PM, Christian Ehrhardt <
christian.ehrha...@canonical.com> wrote:
> Hi,
>
ld not get the example to
fail without libvirt (OTOH I'm sure it would).
Therefore I'm reaching out to you for your help and experience on the build
system what could be done.
[1]: https://sourceware.org/ml/libc-alpha/2017-04/msg00115.html
On Thu, Sep 28, 2017 at 12:25 AM, Eric Blake <ebl...@redhat.com> wrote:
> [adding gnulib]
>
> On 09/27/2017 04:36 PM, Christian Ehrhardt wrote:
> > Hi,
> > there seems to be an incompatibility to the last glibc due to [1].
>
> Gnulib needs to be updated to track
On Thu, Sep 28, 2017 at 2:05 PM, Christian Ehrhardt <
christian.ehrha...@canonical.com> wrote:
>
>
> On Thu, Sep 28, 2017 at 12:25 AM, Eric Blake <ebl...@redhat.com> wrote:
>
>> [adding gnulib]
>>
>
> [...]
>
>>
> then libvirt needs to pi
> now and have it locked already (in
> virNetDaemonAddShutdownInhibition())
>
> Signed-off-by: Michal Privoznik <mpriv...@redhat.com>
>
>
Change builds fine (on top of 3.6) and seems to fix the issue.
Survived 20 minutes in my stress loop, which it never did before.
Tested-by: Christian Ehrhardt <chri
Hi,
just a ping to ask if anybody could take a look to review this set of
smaller changes?
On Wed, Sep 20, 2017 at 4:59 PM, Christian Ehrhardt <
christian.ehrha...@canonical.com> wrote:
> Hi,
> this was mostly created by clearing old libvirt bugs in Ubuntu.
> USB passthrough so
by default we
should raise the limit to 16k.
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
---
src/logging/virtlogd.service.in | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/logging/virtlogd.service.in b/src/logging/virtlogd.service.in
y have to be tweaked in really uncommon cases.
Christian Ehrhardt (2):
Increase default file handle limits for virtlogd
Increase default file handle limits for virtlockd
src/locking/virtlockd.service.in | 4 ++--
src/logging/virtlogd.service.in | 6 --
2 files changed, 6 insertions(+), 4 del
The assumption so far was an average of 4 disks per guest.
But some architectures, like s390x, still often use plenty of smaller disks.
To include those in the considerations an assumption of an average of 10
disks is more reasonable.
Signed-off-by: Christian Ehrhardt <christian.eh
rrect" to stop
the processes on a libvirtd stop?
[1]: http://paste.ubuntu.com/26208661/
[2]: http://paste.ubuntu.com/26208664/
P.S. I discussed this on IRC last Friday, but other than Michael
confirming the current state there was no further traction on the
discussion yet.
On Mon, Dec 18, 2017 at 3:35 PM, Daniel P. Berrange <berra...@redhat.com> wrote:
> On Mon, Dec 18, 2017 at 03:22:57PM +0100, Christian Ehrhardt wrote:
>> Hi,
>> on libvirt 3.10 I see a set of qemu processes used for capability
>> probing [1] (in my case 8x x86_64 a
For now the lack of a profile on the
peer as well as comm not being a conditional on rules do not allow to filter
further.
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
---
examples/apparmor/usr.sbin.libvirtd | 3 +++
1 file changed, 3 insertions(+)
diff --git a/e
>> >> +
>> >> + # allow connect with openGraphicsFD to work
>> >> + unix (send, receive) type=stream peer=(label=/usr/sbin/libvirtd),
>> >
>> > Shouldn't this only be added via virt-aa-helper when a corresponding
>> > console is in u
From: Serge Hallyn
Allows read access to /sys/module/vhost/parameters/max_mem_regions.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1531564
Signed-off-by: Stefan Bader
---
examples/apparmor/libvirt-qemu | 2 ++
1 file changed, 2
From: Jamie Strandboge
This is required for the ebtables functionality added in
libvirt 0.8.0.
Signed-off-by: Stefan Bader
---
examples/apparmor/usr.sbin.libvirtd | 4
1 file changed, 4 insertions(+)
diff --git
From: Jamie Strandboge
Newer qemu wants to read
/sys/devices/system/node/
/sys/devices/system/cpu/
/sys/devices/system/node/node[0-9]*/meminfo
Signed-off-by: Stefan Bader
---
examples/apparmor/libvirt-qemu | 4
1 file changed, 4 insertions(+)
From: Stefan Bader <stefan.ba...@canonical.com>
Prevent denial messages related to attempted reads on lttng
files from spamming the logs.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1432644
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
Signed-off-by:
submit for your consideration into 3.11.
Christian Ehrhardt (3):
apparmor, libvirt-qemu: add default pki path of lbvirt-spice
apparmor, libvirt-qemu: add generic base vfio device
apparmor, libvirt-qemu: qemu won't call qemu-nbd
Jamie Strandboge (5):
apparmor, libvirt-qemu: Allow read
I beg your pardon - too many open edits at once - should have been
"part 3" in the subject :-)
From: Jamie Strandboge
Required to generate correct profiles when using usb passthrough.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/565691
Signed-off-by: Stefan Bader
---
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 2 ++
1 file changed, 2
From: Serge Hallyn
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1393548
Signed-off-by: Stefan Bader
---
examples/apparmor/libvirt-qemu | 1 +
1 file changed, 1 insertion(+)
diff --git a/examples/apparmor/libvirt-qemu
While libvirtd might do so, qemu itself as a guest will not need
to call qemu-nbd so remove it from the profile.
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
Signed-off-by: Stefan Bader <stefan.ba...@canonical.com>
---
examples/apparmor/libvirt-qemu | 1 -
1
From: Jamie Strandboge
Bug-Ubuntu: https://bugs.launchpad.net/bugs/591769
Signed-off-by: Stefan Bader
---
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4
1 file changed, 4 insertions(+)
diff --git
id=64055 ouid=0
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1678322
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
Signed-off-by: Stefan Bader <stefan.ba...@canonical.com>
---
examples/apparmor/libvirt-qemu | 3 +++
1 file changed, 3 insertions(+)
diff --git a/e
From: Serge Hallyn
Allows owner access to hugepage mounts (both, the old and
new systemd variant).
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1250216
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1524737
Signed-off-by: Stefan Bader
---
From: Jamie Strandboge <ja...@ubuntu.com>
Allows (multi-arch enabled) access to libraries under the
/usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu
qemu-block-extra package.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554761
Signed-off-by: Christian Ehrhardt <christ
://bugs.launchpad.net/bugs/1690140
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
---
examples/apparmor/libvirt-qemu | 4
1 file changed, 4 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index bb30530..5d811f9 100644
--- a/examples/ap
he
road with "policy namespaces with scope and view control + stacking"
This is more a use-case addition than a fix to the following two changes:
- 3b1d19e6 AppArmor: add rules needed with additional mediation features
- b482925c apparmor: support ptrace checks
Signed-off-
On Tue, Dec 19, 2017 at 5:09 PM, Jamie Strandboge <ja...@canonical.com> wrote:
> On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote:
>> From: Jamie Strandboge <ja...@ubuntu.com>
>>
>> Allows (multi-arch enabled) access to libraries under the
>>
554761
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
---
examples/apparmor/libvirt-qemu | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 91d0e02..34a564f 100644
--- a/examp
From: Jamie Strandboge <ja...@ubuntu.com>
Required to generate correct profiles when using usb passthrough.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/565691
Signed-off-by: Stefan Bader <stefan.ba...@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canon
On Wed, Dec 20, 2017 at 10:35 AM, intrigeri <intrigeri+libv...@boum.org> wrote:
> Hi,
>
> Christian Ehrhardt:
>> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
>> index 651d841..b9e45bd 100644
>> --- a/examples/apparmor/libvirt-qemu
>
On Wed, Dec 20, 2017 at 10:45 AM, intrigeri wrote:
> Jamie Strandboge:
>>> + # for use by libvirt-spice (LP: #1690140)
>>> + /etc/pki/libvirt-spice/ r,
>>> + /etc/pki/libvirt-spice/** r,
>
>> +1 to apply
>
> +1 as well, although I'd prefer some minor refactoring to
On Wed, Dec 20, 2017 at 10:50 AM, intrigeri <intrigeri+libv...@boum.org> wrote:
> Jamie Strandboge:
>> On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote:
>>> + # Alow access to ecryptfs files (LP: #591769)
>>> + @{HOME}/.Private/** mrwlk,
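Review bot: the comment on the first added line misspells "Allow" as "Alow", and the rule below it, `@{HOME}/.Private/** mrwlk,`, grants executable mmap, write, link and lock on every file under .Private without saying why. Please fix the spelling and either narrow the mode to what the confined process actually uses or state in the comment which of m, w, l and k are needed.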
>>
On Wed, Dec 20, 2017 at 10:35 AM, intrigeri <intrig...@boum.org> wrote:
> Christian Ehrhardt:
>> Allows read access to /sys/module/vhost/parameters/max_mem_regions.
>
> Same as patch 03, already done back in August.
Yes, thanks for doing so (also same reason)!
TL;
places we have to cover PKI access into
one.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1690140
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
---
examples/apparmor/libvirt-qemu | 13 +
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/examples/ap
On Tue, Dec 19, 2017 at 5:26 PM, Jamie Strandboge <ja...@canonical.com> wrote:
> On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote:
>> vfio devices are generated on the fly, but the generic base is
>> missing.
>>
>> The base vfio has not much func
On Wed, Dec 20, 2017 at 10:30 AM, intrigeri <intrigeri+libv...@boum.org> wrote:
> Hi,
>
> Christian Ehrhardt:
>> --- a/examples/apparmor/libvirt-qemu
>> +++ b/examples/apparmor/libvirt-qemu
>> @@ -191,3 +191,7 @@
>>/sys/devices/system/node/ r,
>>
a symlink path we need to translate that for apparmor from
"/sys/dev/block/*/queue/max_segments" to
"/sys/devices/**/block/*/queue/max_segments"
Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
---
examples/apparmor/libvirt-qemu | 3 +++
1 file
://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1729626
Christian Ehrhardt (2):
apparmor: allow qemu to read max_segments
apparmor, virt-aa-helper: allow ipv6
examples/apparmor/libvirt-qemu | 3 +++
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 1 +
2 files changed, 4
1 - 100 of 482 matches