Comment 10 for bug 1680386

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2019-01-21 10:45 EDT-------
(In reply to comment #21)
> There are two ways to allow qemu to access something.
> 1. globally through the abstraction in
> /etc/apparmor.d/abstractions/libvirt-qemu
> That is for paths ALL qemu/guests are supposed to use like /dev/kvm
> 2. per guest files generated based on the XML description in
> /etc/apparmor.d/libvirt/libvirt-<uuid>.files
> If you need paths like /sys/bus/pci/devices/0009:03:00.0/devspec to be
> accessible you should consider if you can derive the path from the XML and
> then let virt-aa-helper write a rule for it so that the guest can do so.
>
> Finally later in the guest lifecycle further rules will be added via the
> labeling calls in the security code. E.g. if you add a device libvirt calls
> a set label function and this will add the new rules (like for hotplug).
> For the latter see virAppArmorSecurityDriver in
> src/security/security_apparmor.c

Leonardo, please help libvirt development to assess and decide if this can be implemented.
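The quoted comment describes option 2 (derive the sysfs path from the guest's XML and let virt-aa-helper write a per-guest rule) as the alternative to widening the global abstraction for every guest. The script below is an added illustration of that derivation, not libvirt's own virt-aa-helper (which is C, in src/security/virt-aa-helper.c). The domain XML and UUID are constructed for the example; the rule set it emits for a PCI host device (read access to the devspec file the comment names) and the validation it performs are assumptions about what such a rule would look like, not a copy of what virt-aa-helper actually writes.

```python
"""Derive per-guest AppArmor file rules from a libvirt domain XML.

Added example; not libvirt code. Sample XML, UUID and the emitted rule
set are constructed/assumed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: one guest with a single PCI host device whose address
# matches the sysfs path named in the comment, /sys/bus/pci/devices/0009:03:00.0.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>guest1</name>
  <uuid>12345678-1234-1234-1234-123456789abc</uuid>
  <devices>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <source>
        <address domain='0x0009' bus='0x03' slot='0x00' function='0x0'/>
      </source>
    </hostdev>
  </devices>
</domain>"""

PCI_DEVICES = "/sys/bus/pci/devices"
PROFILE_DIR = "/etc/apparmor.d/libvirt"       # per-guest rule files live here
PCI_READ_FILES = ("devspec",)                  # assumed: files the guest may read

# A sysfs BDF is exactly dddd:bb:ss.f; anything else must not reach a rule.
_BDF_RE = re.compile(r"^[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]$")
# Accept only a canonical UUID so <uuid> cannot steer the rules-file path.
_UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def pci_bdf(domain, bus, slot, function):
    """Format libvirt <address> attributes (e.g. '0x0009') as a sysfs BDF."""
    d, b, s, f = (int(v, 0) for v in (domain, bus, slot, function))
    if not (0 <= d <= 0xFFFF and 0 <= b <= 0xFF and 0 <= s <= 0x1F and 0 <= f <= 7):
        raise ValueError("PCI address field out of range")
    return f"{d:04x}:{b:02x}:{s:02x}.{f:x}"


def hostdev_pci_bdfs(xml_text):
    """Return the BDF of every PCI <hostdev> in the domain XML."""
    root = ET.fromstring(xml_text)
    bdfs = []
    for hostdev in root.iterfind("./devices/hostdev[@type='pci']"):
        addr = hostdev.find("./source/address")
        if addr is None:
            continue
        bdfs.append(pci_bdf(addr.get("domain", "0"), addr.get("bus"),
                            addr.get("slot"), addr.get("function")))
    return bdfs


def pci_rules(bdf):
    """AppArmor file rules for one host device (assumed rule set)."""
    if not _BDF_RE.match(bdf):
        raise ValueError(f"refusing to write rule for malformed BDF {bdf!r}")
    return [f"{PCI_DEVICES}/{bdf}/{name} r," for name in PCI_READ_FILES]


def guest_rules_file(uuid):
    """Path of the per-guest file the comment refers to: libvirt-<uuid>.files."""
    if not _UUID_RE.match(uuid):
        raise ValueError(f"refusing non-canonical uuid {uuid!r}")
    return f"{PROFILE_DIR}/libvirt-{uuid}.files"


def render_rules(xml_text):
    """Return (rules_file_path, rules_text) for the guest described by xml_text."""
    root = ET.fromstring(xml_text)
    path = guest_rules_file(root.findtext("uuid", default=""))
    lines = []
    for bdf in hostdev_pci_bdfs(xml_text):
        lines.extend(pci_rules(bdf))
    return path, "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    rules_path, rules_text = render_rules(SAMPLE_DOMAIN_XML)
    print(f"# {rules_path}")
    print(rules_text, end="")
```

The point of routing the path through the XML is that the grant is scoped to the one guest that actually has the device, instead of every qemu process on the host getting `/sys/bus/pci/devices/**` through the shared abstraction; the two regexes keep a hostile domain definition from turning that derived path into a wildcard or a different file.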