From: @openeuler-sync-bot Reviewed-by: @kevinzhu1 Signed-off-by: @kevinzhu1
commit
bddd51893e
38
apparmor-Permit-new-capabilities-required-by-libvirt.patch
Normal file
@ -0,0 +1,38 @@
From 9abebfb36b2380829be4a901d7c9785a7a8f5f6a Mon Sep 17 00:00:00 2001
From: Jim Fehlig <jfehlig@suse.com>
Date: Mon, 7 Jun 2021 16:21:28 -0600
Subject: [PATCH] apparmor: Permit new capabilities required by libvirtd
The audit log contains the following denials from libvirtd
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="daemon-init" capability=17 capname="sys_rawio"
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=39 capname="bpf"
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=38 capname="perfmon"
Squelch the denials and allow the capabilities in the libvirtd
apparmor profile.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---
src/security/apparmor/usr.sbin.libvirtd.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index 1e137039e9..49266743f5 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -25,6 +25,9 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
capability fsetid,
capability audit_write,
capability ipc_lock,
+ capability sys_rawio,
+ capability bpf,
+ capability perfmon,
# Needed for vfio
capability sys_resource,
--
2.27.0
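Review bot: The three rules added in the "@@ -25,6 +25,9 @@" hunk ("capability sys_rawio,", "capability bpf,", "capability perfmon,") carry no comment, and the commit message only says the denials are squelched, not which libvirtd operation needs each capability. The quoted denials show sys_rawio requested from comm="daemon-init" and bpf and perfmon from comm="rpc-worker"; a short comment above the rules, in the style of the existing "# Needed for vfio" line, naming the feature behind each one would let a later reader judge whether a grant can be narrowed or dropped. As written, the only justification for widening the confined daemon's profile is the log excerpt itself.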
@ -101,7 +101,7 @@
Summary: Library providing a simple virtualization API
Name: libvirt
Version: 6.2.0
Release: 35
Release: 36
License: LGPLv2+
URL: https://libvirt.org/
@ -245,6 +245,7 @@ Patch0132: qemu-monitor-Don-t-add-props-wrapper-if-qemu-has-QEM.patch
Patch0133: qemu-command-Use-JSON-for-QAPIfied-object-directly.patch
Patch0134: tests-qemuxml2argv-Validate-generation-of-JSON-props.patch
Patch0135: qemu-capabilities-Enable-detection-of-QEMU_CAPS_OBJE.patch
Patch0136: apparmor-Permit-new-capabilities-required-by-libvirt.patch
Requires: libvirt-daemon = %{version}-%{release}
Requires: libvirt-daemon-config-network = %{version}-%{release}
@ -1979,6 +1980,9 @@ exit 0
%changelog
* Thu Mar 24 2022 yezengruan <yezengruan@huawei.com>
- apparmor: Permit new capabilities required by libvirtd
* Thu Mar 24 2022 yezengruan <yezengruan@huawei.com>
- qemuMonitorJSONSetMigrationParams: Take double pointer for @params
- qemuMonitorJSONAddObject: Take double pointer for @props
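Review bot: The new %changelog entry does not record that the change is a backport, and its header is identical to the entry below it (same date, same author, no version-release), so the two cannot be told apart by release. The added patch file identifies the upstream commit (9abebfb36b2380829be4a901d7c9785a7a8f5f6a, dated 7 Jun 2021); citing it in the entry, and adding the 6.2.0-36 version-release that the Release bump introduces to the entry header, would make the packaging history easier to audit.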