------- Comment From <email address hidden> 2019-01-21 10:45 EDT-------
(In reply to comment #21)
> There are two ways to allow qemu to access something.
> 1. globally through the abstraction in
> /etc/apparmor.d/abstractions/libvirt-qemu
> That is for paths ALL qemu/guests are supposed to use like /dev/kvm
> 2. per guest files generated based on the XML description in
> /etc/apparmor.d/libvirt/libvirt-<uuid>.files
> If you need paths like /sys/bus/pci/devices/0009:03:00.0/devspec to be
> accessible you should consider if you can derive the path from the XML and
> then let virt-aa-helper write a rule for it so that the guest can do so.
>
> Finally later in the guest lifecycle further rules will be added via the
> labeling calls in the security code. E.g. if you add a device libvirt calls
> a set label function and this will add the new rules (like for hotplug).
> For the latter see virAppArmorSecurityDriver in
> src/security/security_apparmor.c
Leonardo, please help libvirt development to assess and decide if this can be implemented.
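The second mechanism quoted above (derive the device path from the domain XML and emit a per-guest rule) can be sketched as a small rule generator. This is an added illustration, not libvirt's own virt-aa-helper code: the domain XML below is constructed for the example, the list of sysfs files in SYSFS_FILES is an assumption (which files qemu actually needs depends on the device type), and the rule syntax follows what AppArmor accepts in the per-guest `libvirt-<uuid>.files` include. Parsing the PCI address fields as integers and re-formatting them means a hostile XML cannot smuggle quotes or `..` into the generated path.

```python
"""Derive per-guest AppArmor read rules for PCI hostdevs from libvirt domain XML.

Added example; not the libvirt project's virt-aa-helper implementation.
"""
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not taken from the bug report). The PCI
# address is chosen to match the /sys/bus/pci/devices/0009:03:00.0/devspec
# path discussed in the thread.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <source>
        <address domain='0x0009' bus='0x03' slot='0x00' function='0x0'/>
      </source>
    </hostdev>
    <hostdev mode='subsystem' type='usb'>
      <source><vendor id='0x1234'/><product id='0x5678'/></source>
    </hostdev>
  </devices>
</domain>
"""

# Assumption: sysfs attributes a passthrough guest may need to read. The real
# set depends on the qemu/vfio code path and is not taken from the page.
SYSFS_FILES = ("devspec", "config", "resource", "vendor", "device")


def pci_addresses(domain_xml):
    """Return DDDD:BB:SS.F addresses of every PCI hostdev in the domain XML.

    Each field is parsed as a hex integer and re-formatted, so the output is
    always a well-formed PCI address regardless of what the XML contained.
    """
    root = ET.fromstring(domain_xml)
    addresses = []
    for hostdev in root.iterfind("./devices/hostdev"):
        if hostdev.get("mode") != "subsystem" or hostdev.get("type") != "pci":
            continue  # USB, SCSI, mdev etc. are handled elsewhere
        addr = hostdev.find("./source/address")
        if addr is None:
            continue
        domain = int(addr.get("domain", "0x0"), 16)
        bus = int(addr.get("bus", "0x0"), 16)
        slot = int(addr.get("slot", "0x0"), 16)
        function = int(addr.get("function", "0x0"), 16)
        addresses.append(f"{domain:04x}:{bus:02x}:{slot:02x}.{function:x}")
    return addresses


def apparmor_rules(domain_xml):
    """Emit AppArmor rule lines granting read access to each device's sysfs files.

    The lines are meant to be appended to the per-guest
    /etc/apparmor.d/libvirt/libvirt-<uuid>.files include, never to the global
    libvirt-qemu abstraction shared by all guests.
    """
    rules = []
    for address in pci_addresses(domain_xml):
        base = f"/sys/bus/pci/devices/{address}"
        for name in SYSFS_FILES:
            rules.append(f'  "{base}/{name}" r,')
    return rules


if __name__ == "__main__":
    print("\n".join(apparmor_rules(SAMPLE_DOMAIN_XML)))
```

Because the generator takes the domain XML as its only input, the same function can be run again from the set-label path at hotplug time, which is the third mechanism the quoted comment mentions.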