The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7878
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) ===
From 17897af3809ca25e4320eff3be9b336df399d684 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Wed, 16 Sep 2020 11:59:53 -0400
Subject: [PATCH 1/2] doc/instance: raw.apparmor now implemented for VM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 doc/instances.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/instances.md b/doc/instances.md
index 4884e2c8cd..31a25be210 100644
--- a/doc/instances.md
+++ b/doc/instances.md
@@ -66,7 +66,7 @@ nvidia.driver.capabilities | string | compute,utility | no
 nvidia.runtime | boolean | false | no | container | Pass the host NVIDIA and CUDA runtime libraries into the instance
 nvidia.require.cuda | string | - | no | container | Version expression for the required CUDA version (sets libnvidia-container NVIDIA\_REQUIRE\_CUDA)
 nvidia.require.driver | string | - | no | container | Version expression for the required driver version (sets libnvidia-container NVIDIA\_REQUIRE\_DRIVER)
-raw.apparmor | blob | - | yes | container | Apparmor profile entries to be appended to the generated profile
+raw.apparmor | blob | - | yes | - | Apparmor profile entries to be appended to the generated profile
 raw.idmap | blob | - | no | unprivileged container | Raw idmap configuration (e.g. "both 1000 1000")
 raw.lxc | blob | - | no | container | Raw LXC configuration to be appended to the generated one
 raw.qemu | blob | - | no | virtual-machine | Raw Qemu configuration to be appended to the generated command line
From bef93cba0e8ca2f22f7db514ad85c26d0c620fb7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Wed, 16 Sep 2020 12:00:05 -0400
Subject: [PATCH 2/2] lxd/apparmor: Tweak qemu profile for non-snap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/apparmor/instance_qemu.go | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/lxd/apparmor/instance_qemu.go b/lxd/apparmor/instance_qemu.go
index 7ceb02dc52..c529e76ffc 100644
--- a/lxd/apparmor/instance_qemu.go
+++ b/lxd/apparmor/instance_qemu.go
@@ -12,27 +12,34 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
 capability dac_override,
 capability dac_read_search,
+ capability ipc_lock,
 capability setgid,
 capability setuid,
 capability sys_chroot,
 capability sys_resource,
 # Needed by qemu
- /{,usr/}bin/qemu* mrix,
- /dev/hugepages/** w,
- /dev/kvm w,
- /dev/net/tun w,
- /dev/ptmx w,
- /dev/vfio/** w,
- /dev/vhost-net w,
- /dev/vhost-vsock w,
+ /dev/hugepages/** rw,
+ /dev/kvm rw,
+ /dev/net/tun rw,
+ /dev/ptmx rw,
+ /dev/vfio/** rw,
+ /dev/vhost-net rw,
+ /dev/vhost-vsock rw,
 /etc/ceph/** r,
+ /sys/bus/nd/devices/ r,
+ /sys/devices/system/node/ r,
+ /sys/devices/system/node/** r,
+ /sys/module/vhost/** r,
+ /{,usr/}bin/qemu* mrix,
 /usr/share/OVMF/OVMF_CODE.fd kr,
+ /usr/share/qemu/** kr,
+ /usr/share/seabios/** kr,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 # Instance specific paths
 {{ .logPath }}/** rwk,
- {{ .path }}/qemu.nvram rwk,
+ {{ .path }}/** rwk,
 {{range $index, $element := .devPaths}}
 {{$element}} rwk,
 {{- end }}
@@ -52,7 +59,7 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
 /var/snap/lxd/common/lxd.debug mr,
 /snap/lxd/*/bin/lxd mr,
 /snap/lxd/*/bin/qemu* mrix,
- /snap/lxd/*/share/qemu/OVMF_CODE.fd kr,
+ /snap/lxd/*/share/qemu/** kr,
 # Snap-specific libraries
 /snap/lxd/*/lib/**.so* mr,
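Review bot: `{{ .path }}/** rwk,` replaces the single-file `{{ .path }}/qemu.nvram rwk,` entry and so grants the qemu process read, write and lock on the whole instance directory tree instead of the one file it previously wrote; anything else LXD keeps under that path (instance configuration and metadata, key material shared into the guest — not visible in this hunk, so to be confirmed) becomes writable by a compromised qemu, which is the confinement this profile exists to provide. If qemu now needs more than the nvram file, enumerating those files next to the existing `{{ .path }}/qemu.nvram rwk,` keeps the write set explicit, or the wildcard can stay with a `deny {{ .path }}/<subtree-qemu-only-reads>/** w,` rule for subtrees that must remain read-only (placeholder path). The `w` to `rw` change on the `/dev` nodes and the new read-only `/sys` and `/usr/share` entries, including the `/snap/lxd/*/share/qemu/** kr,` widening in the second hunk, are scoped appropriately. The enclosing `profile "{{ .name }}"` block begins and ends outside both hunks.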