Ticket: https://bugzilla.redhat.com/show_bug.cgi?id=922495
Thanks for your work on libvirt!
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
--
libvir-list mailing list
-submitting.
What is missing to get these patches merged, then?
(Apart from porting them to the latest version again, of course :)
Regards,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
distro shipping
a different version writes the same kind of hacks.
Cheers,
--
intrigeri
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
,
--
intrigeri
]: Leaving directory '/tmp/buildd/libvirt-1.2.9/debian/build'
dh_auto_build: make -j5 returned exit code 2
debian/rules:126: recipe for target 'build' failed
make: *** [build] Error 2
Any hint?
Cheers,
--
intrigeri
Hi Stefan and others,
Stefan Bader wrote (21 Oct 2014 11:50:24 GMT) :
On 20.10.2014 12:48, Stefan Bader wrote:
On 19.10.2014 17:07, intrigeri wrote:
Cool, I've tested this. I've imported these two patches in Debian's
1.2.9-3 quilt series, made the build system use dh-autoreconf (the
build
Hi Stefan,
any news on what follows? Now that Ubuntu 15.04 has been released,
perhaps you'll be able to allocate some cycles to it? :)
intrigeri wrote (11 Feb 2015 14:58:54 GMT) :
Hi Stefan and others,
Stefan Bader wrote (21 Oct 2014 11:50:24 GMT) :
On 20.10.2014 12:48, Stefan Bader wrote
will try to find my most recent proposal
again and try to get it moved into present state of packages.
Thanks!
Cheers,
--
intrigeri
, the proposed logic looks fine to me. I'm not skilled
enough at C to review the actual patch, though.
Cheers,
--
intrigeri
Hi,
this patchset breaks the test suite for me once applied on top of the
debian/experimental branch (while the test suite passes fine without
these patches there). Sorry, no time to look into it further today.
Cheers,
--
intrigeri
. Thanks!
Cheers,
--
intrigeri
in my environment (applied on top of 1.2.18)
so I'm forwarding it here.
[1] https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1483071
Cheers,
--
intrigeri
From 0b1f1318125a8f9d4460641b6d216d7657dc0d1e Mon Sep 17 00:00:00 2001
From: intrigeri intrig...@debian.org
Date: Wed, 12 Aug 2015 14:48:53
Hi,
> Stefan Bader wrote (20 May 2015 10:11:45 GMT) :
> intrigeri wrote (15 Jun 2015 15:09:11 GMT) :
> My (possibly incomplete) records say that I've tested the latest
> proposed patch set back in February (<85iof8v6j5@boum.org>).
>> Since I lost most context by no
better :)
Cheers,
--
intrigeri
https://bugzilla.redhat.com/show_bug.cgi?id=1369281
---
examples/apparmor/libvirt-qemu | 3 +++
1 file changed, 3 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 11381d4df0..fdb5a23291 100644
--- a/examples/apparmor/libvirt-qemu
+++
Hi,
Jamie Strandboge:
> Changes LGTM.
[Disclaimer: I'm new to submitting patches to libvirt.]
What's the process to get this merged, now that Jamie has ack'ed the
proposed changes?
Cheers,
--
intrigeri
https://bugzilla.redhat.com/show_bug.cgi?id=1369281
---
examples/apparmor/libvirt-qemu | 1 +
1 file changed, 1 insertion(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 11381d4df0..10d2ac958c 100644
--- a/examples/apparmor/libvirt-qemu
+++
Jamie Strandboge:
> This rule would allow any confined guest to change the 'comm' value of any
> task
> on the system, if the system otherwise allowed it.
Right. Fixed with the 'owner' prefix in my v2 patch, as suggested
by Christian.
Cheers,
--
intrigeri
anywhere in our docs, but it makes sense if
>> there is a need for anything related to attributions or copyrights.
> I just assumed "intrigeri" is a real name :-)
I have no ID with "intrigeri" written on it, so you may consider it's
not a "real name".
However,
From: intrigeri <intrig...@debian.org>
---
examples/apparmor/libvirt-qemu | 8
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 2 +-
examples/apparmor/usr.sbin.libvirtd | 4 ++--
3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/ex
https://bugzilla.redhat.com/show_bug.cgi?id=1369281
---
examples/apparmor/libvirt-qemu | 1 +
1 file changed, 1 insertion(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 11381d4df0..a07291d583 100644
--- a/examples/apparmor/libvirt-qemu
+++
"open" info="Failed name lookup - disconnected
> path" error=-13 profile="/usr/sbin/libvirtd" name="" pid=1422 comm="libvirtd"
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> ---
> Thanks to intrigeri for the suggestion!
Te
-level AppArmor
perspective, the proposed change seems entirely harmless.
Cheers,
--
intrigeri
---
examples/apparmor/libvirt-qemu | 6 ++
1 file changed, 6 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index f462d7428c..dcfb1a5985 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -169,3 +169,9 @@
>> +"/usr/share/qemu-efi/", /* for AAVMF images */
>> +"/usr/share/qemu-efi-aarch64/" /* for AAVMF images */
>> };
>> /* override the above with these */
>> const char * const override[] = {
> +1. LGTM
+1 too after verifyi
Hi,
Jamie Strandboge:
> On Fri, 2017-09-15 at 17:17 +0200, Guido Günther wrote:
>> Otherwise we fail to reconnect to /dev/net/tun opened by libvirtd
>> like
I confirm I see the bug on current Debian sid and Guido's patch
fixes it. Please commit :)
Cheers,
--
intrigeri
l for :)
Take care,
cheers,
--
intrigeri
use, so I was wondering if we should allow this operation or
just ignore the denial & silence the logs. Now that we understand what
it is about, I agree we should allow it. Denying this access would
make it harder to debug issues in the future e.g. if QEMU ever starts
needing it for other, more cri
an mentioned, we
> discussed that this is the best option for the moment. +1 to apply.
> Thanks for the patch!
Same here, these rules are much less problematic than they look
at first glance ⇒ +1
Cheers,
--
intrigeri
Hi,
Cedric Bosdonnat:
> Has that one landed in abyssal depths of the mailing list?
Well, no, it's waiting for your comments about my feedback:
https://www.redhat.com/archives/libvir-list/2017-December/msg00389.html
Thanks for pinging!
(Sorry I did not put you in explicit copy, I assumed you
ugging, with these added rules it'll be hard to discover why it
does not work.
Thanks in advance!
Cheers,
--
intrigeri
Jamie Strandboge:
>> --- a/examples/apparmor/libvirt-qemu
>> +++ b/examples/apparmor/libvirt-qemu
>> @@ -81,6 +81,7 @@
>>/usr/share/proll/** r,
>>/usr/share/vgabios/** r,
>>/usr/share/seabios/** r,
>> + /usr/share/misc/sgabios.bin r,
>>/usr/share/ovmf/** r,
>>
Christian Ehrhardt:
> Allows read access to /sys/module/vhost/parameters/max_mem_regions.
Same as patch 03, already done back in August.
s/devices/**/usb[0-9]*/** r,
I think I've already upstream'ed this 4 months ago: commit
e7f5d627f93c1c71260d2a795a1227b16b0d3186.
Maybe rebase your patch series on top of the current upstream
master branch? :)
Cheers,
--
intrigeri
Christian Ehrhardt:
> From: Jamie Strandboge
> Allows (multi-arch enabled) access to libraries under the
> /usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu
> qemu-block-extra package and all such libs for the paths
> of rpm qemu-block-* packages.
> Bug-Ubuntu:
140)
/etc/pki/CA/ r,
/etc/pki/CA/* r,
/etc/pki/libvirt{,-spice,-vnc}/ r,
/etc/pki/libvirt{,-spice,-vnc}/** r,
What do you think?
Cheers,
--
intrigeri
Hi,
Jamie Strandboge:
> On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote:
>> examples/apparmor/usr.lib.libvirt.virt-aa-helper | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
>>
ese...
I concur with Jamie: I'd rather avoid spreading copies of these
rules around if we can.
Cheers,
--
intrigeri
Christian Ehrhardt:
> Adding the PKI path that is used as default suggestion in src/qemu/qemu.conf
> If people use non-default paths they should use local overrides but the
> suggested defaults we should open up.
> This is the default path as referenced by src/qemu/qemu.conf in libvirt.
> While
Hi,
thanks Jamie for this review. All your suggestions make sense to me,
I'll implement + test them and will re-submit as v3.
Cheers,
--
intrigeri
Hi,
Cédric Bosdonnat:
> This commit helps users allowing access to their images by adding their
> own rules in apparmor.d/local/usr.lib.libvirt.virt-aa-helper.
> […]
> profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
>#include
> + #include
The packaging helper we use in
---
examples/apparmor/libvirt-qemu | 2 ++
examples/apparmor/usr.sbin.libvirtd | 9 +
2 files changed, 11 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index b341e31f42..5994a35042 100644
--- a/examples/apparmor/libvirt-qemu
+++
intrigeri:
> + network unix dgram,
> + network unix stream,
Hold on, these two rules are probably not needed (chances are that
they were needed due to a bug in the AppArmor parser, that got fixed
in 2.11.1). I'll double-check tomorrow. Sorry for the noise!
Christian Ehrhardt:
> Great point intrigeri!
> #1
> At least as far as my history analysis went this was triggered by ceph
> having the support for lttng enabled.
> Not by actually (trying to) enable the LTT-ng tracking.
> While being disabled in ceph package since the
Hi,
Cedric Bosdonnat:
> On Tue, 2017-12-12 at 15:01 +0100, intrigeri wrote:
>> Cédric Bosdonnat:
>> > This commit helps users allowing access to their images by adding their
>> > own rules in apparmor.d/local/usr.lib.libvirt.virt-aa-helper.
>> > […]
>>
t.
> And I'd ask for an opinion on the "other" paths I listed - I can only
> recommend adding as much as we can commonly agree to be useful.
> To avoid coming back every few months adding another such line :-)
Indeed. Perhaps next step is to c
usion of that discussion has been applied consistently
(although implicitly): 4 commits of mine have been applied to Git
since Daniel wrote that this was a valid exception, and nobody raised
this topic again until today.
Cheers,
--
intrigeri
lls so
it's out of my league.
> But until then the rule here is required to not get into awkward situations.
> +1 from me, thanks intrigeri
Thanks :)
Cédric Bosdonnat:
> * to handle /var/run not being a symlink to /run
Does this still really exist in any distro that has chances to run
a recent libvirt?
If yes, then:
> - /run/libvirt/**/[sv]d[a-z] r
> + /{,var/}run/libvirt/**/[sv]d[a-z] r,
+1
And in any case, +1 the missing comma.
--
> + signal (send) set=("kill", "term") peer=unconfined,
+1
Reviewed-by: intrig...@boum.org
Cheers,
--
intrigeri
Andrea Bolognani:
> Are you okay with changing the authorship email
> address so that it matches the S-o-b and pushing the patch?
If you don't mind doing it yourself, sure, go ahead :)
Thanks!
--
intrigeri
From: intrigeri <intrigeri+libv...@boum.org>
This set of rules was proposed by Christian Boltz <appar...@cboltz.de>
on https://bugzilla.opensuse.org/show_bug.cgi?id=1065123.
---
examples/apparmor/usr.sbin.libvirtd | 15 +++
1 file changed, 15 insertions(+)
diff --gi
From: intrigeri <intrigeri+libv...@boum.org>
---
examples/apparmor/libvirt-qemu | 4
examples/apparmor/usr.sbin.libvirtd | 4
2 files changed, 8 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 064501f08e..73bdbae872
Changes since v3:
- don't add in 1/2 blanket catch-all mount rule that 2/2 was replacing anyway
From: intrigeri <intrigeri+libv...@boum.org>
---
examples/apparmor/libvirt-qemu | 4
examples/apparmor/usr.sbin.libvirtd | 6 ++
2 files changed, 10 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 97dd2d45a9..9d487bf92f
Changes since v2:
- made signal rules broader, as suggested by Jamie Strandboge
and indeed my tests confirm v2 was too
strict;
- allowed libvirtd "ptrace (read)" on libvirt-* guests, as suggested
by Jamie Strandboge
- added fine-grained
From: intrigeri <intrigeri+libv...@boum.org>
This set of rules was proposed by Christian Boltz <appar...@cboltz.de>
on https://bugzilla.opensuse.org/show_bug.cgi?id=1065123.
---
examples/apparmor/usr.sbin.libvirtd | 15 ++-
1 file changed, 14 insertions(+), 1 deletion(-)
[PATCH v2] AppArmor: add rules needed with additional mediation features
Changes since v1:
- remove unneeded "network unix" rules added by v1: they were only
needed due to a bug in apparmor_parser, that was fixed in AppArmor
2.11.1 since then;
- move the "network netlink raw" rule to
From: intrigeri <intrigeri+libv...@boum.org>
---
examples/apparmor/libvirt-qemu | 2 ++
examples/apparmor/usr.sbin.libvirtd | 6 ++
2 files changed, 8 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index b341e31f42..5994a35042
From: intrigeri
As reported on https://bugs.debian.org/892431, without this rule, when launching
a QEMU KVM instance, an error occurs immediately upon launching the QEMU
process such as:
Could not open backing file: Could not open
'/var/lib/nova/instances/_base
From: intrigeri <intrigeri+libv...@boum.org>
On startup libvirtd runs a number of QEMU processes unconfined such as:
/usr/bin/qemu-system-x86_64 -S -no-user-config -nodefaults -nographic
-machine none,accel=kvm:tcg -qmp
unix:/var/lib/libvirt/qemu/capabilities.monitor.sock,server,
From: intrigeri
Fixes: https://bugs.debian.org/914940
---
src/security/apparmor/libvirt-qemu | 5 +
1 file changed, 5 insertions(+)
diff --git a/src/security/apparmor/libvirt-qemu
b/src/security/apparmor/libvirt-qemu
index 474aaefdf8..165558fe83 100644
--- a/src/security/apparmor/libvirt
v2 following up to Andrea Bolognani's review (thanks!)
- Adds missing Signed-off-by tag
- Improves commit message
- Adds Reviewed-by Andrea Bolognani
From: intrigeri
Add hppa, nios2, or1k, riscv32 and riscv64 to the profile.
Fixes: https://bugs.debian.org/914940
Signed-off-by: intrigeri
Reviewed-by: Andrea Bolognani
---
src/security/apparmor/libvirt-qemu | 5 +
1 file changed, 5 insertions(+)
diff --git a/src/security/apparmor