Hello,

Ok, thx for the explanations :) Yep, I know that the best is to restart the qemu process, but this means that I can now sleep a little bit more peacefully :)
--
Best regards / Pozdrawiam
Sławek Kapłoński
sla...@kaplonski.pl

On Thu, May 14, 2015 at 05:38:56PM -0400, Favyen Bastani wrote:
> On 05/14/2015 05:23 PM, Sławek Kapłoński wrote:
> > Hello,
> >
> > So if I understand you correctly, it is not so dangerous if I'm using
> > libvirt with apparmor and this libvirt is adding apparmor rules for
> > every qemu process, yes?
> >
> >
>
> You should certainly verify that apparmor rules are enabled for the qemu
> processes.
>
> Apparmor reduces the danger of the vulnerability. However, if you are
> assuming that virtual machines are untrusted, then you should also
> assume that an attacker can execute whatever operations are permitted by the
> apparmor rules (mostly built based on abstraction usually at
> /etc/apparmor.d/libvirt-qemu); so you should check that you have
> reasonable limits on those permissions. Best is to restart the processes
> by way of live migration or otherwise.
>
> Best,
> Favyen

_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
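One way to carry out the check recommended in the quoted reply (confirming that AppArmor confinement is actually active for every qemu process), as an added example that is not part of the original thread. The function names `classify_label` and `audit_qemu` are hypothetical, and the script assumes that libvirt's per-domain profiles are named `libvirt-<UUID>` and that the process name in `/proc/<pid>/comm` starts with `qemu`.

```shell
#!/bin/sh
# Added example: report the AppArmor confinement of each QEMU process.

# Classify one label as read from /proc/<pid>/attr/current.
classify_label() {
    case "$1" in
        "libvirt-"*" (enforce)")  echo enforced ;;    # per-domain profile, enforcing
        "libvirt-"*" (complain)") echo complain ;;    # profile loaded but only logging
        unconfined|"")            echo unconfined ;;  # no profile, or AppArmor inactive
        *)                        echo other ;;       # some other profile or LSM label
    esac
}

# Print "<pid> <status> <label>" for every QEMU process under the given
# proc root (default /proc). Returns 1 if any process is not enforced.
audit_qemu() {
    root="${1:-/proc}"
    rc=0
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null) || continue
        # Assumption: QEMU binaries show up with a comm starting with "qemu".
        case "$comm" in qemu*) ;; *) continue ;; esac
        # The process may exit mid-scan or the file may be unreadable; treat as no label.
        label=$(cat "$dir/attr/current" 2>/dev/null || true)
        status=$(classify_label "$label")
        echo "${dir##*/} $status ${label:-<none>}"
        [ "$status" = enforced ] || rc=1
    done
    return $rc
}
```

Run `audit_qemu` with no argument on the hypervisor as root; a non-zero exit status means at least one QEMU process is not running under an enforcing libvirt profile.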