Ok, with acks of last year and new ones in and no other feedback nor any Freeze atm I'm pushing these changes any minute. The qemu-smb related one will be dropped, the others pushed with the latest cleanups as discussed in the per-patch threads. Thanks everybody for your participation!
On Tue, Aug 14, 2018 at 8:18 AM Christian Ehrhardt <christian.ehrha...@canonical.com> wrote:
> Hi,
> this is a summary of things I had to touch recently for libvirt 4.6. The first two patches are re-submissions and modifications of last year which were never totally challenged, but also not pushed.
>
> The first was lost in a discussion about virt-aa-helper, which eventually turned out to be clear that it could not help in that case.
> - https://www.redhat.com/archives/libvir-list/2017-February/msg01598.html
> - https://www.redhat.com/archives/libvir-list/2017-March/msg00052.html
>
> The second even got a few Acks, but neither made it into upstream yet. Parts of it were introduced already, in
> 7edcbd02 apparmor: allow libvirt to send term signal to unconfined
> b482925c apparmor: support ptrace checks
> But there are still signals blocked with those rules, so I resubmit the remaining bit. Also I added the Acks to the resubmission.
>
> The third&fourth change came in recently via various bug reports which I finally wanted to address - e.g. for ceph lib or smb. If we later on spot more cases that have predictable safe paths under /tmp we can add those.
>
> Finally the fifth change was triggered by me testing libvirt 4.6 in various conditions. Some of them were in containers, and the new libvirt behavior to carry more mount points into the qemu namespace triggers the need to rewrite the existing mount-moving rules that we added last year.
>
> *Updates in V2*
> - added Acks to patch #1
> - split former patch #3 into #3/#4 to discuss /tmp access and qemu-smb individually
> - rewrote reasoning and concerns as well as TODOs to improve later in regard to the /tmp related commits #3/#4
> - Updated the rule since the trailing {,/} is not needed after **
>
> Christian Ehrhardt (5):
>   apparmor: allow openGraphicsFD for virt manager >1.4
>   apparmor: add mediation rules for unconfined guests
>   apparmor: allow expected /tmp access patterns
>   apparmor: allow qemu-smb access in /tmp
>   apparmor: allow to preserve /dev mountpoints into qemu namespaces
>
>  examples/apparmor/libvirt-qemu      | 20 ++++++++++++++++++++
>  examples/apparmor/usr.sbin.libvirtd | 24 +++++++++++++-----------
>  2 files changed, 33 insertions(+), 11 deletions(-)
>
> --
> 2.17.1
>
> --
> Christian Ehrhardt
> Software Engineer, Ubuntu Server
> Canonical Ltd
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list