Re: [libvirt] [PATCH 1/2] Don't output libvirt-UUID.files for LXC apparmor profiles
Quoting Cédric Bosdonnat (cbosdon...@suse.com):

--- src/security/virt-aa-helper.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)

Hi,

I'm acking this anyway bc I think you're right, but I'm trying to think of a case where this would still be useful. What if we want to allow only a certain container to have access to its cgroups, for instance, for nesting containers? Would virt-aa-helper and the .files be a way this would be done? I suppose we could always re-introduce this in that case...

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index b5f66f3..d563b98 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1342,7 +1342,8 @@ main(int argc, char **argv) vah_info(include_file); vah_info(included_files); rc = 0; -} else if ((rc = update_include_file(include_file, +} else if (ctl-def-virtType != VIR_DOMAIN_VIRT_LXC + (rc = update_include_file(include_file, included_files, ctl-append)) != 0) goto cleanup; -- 1.8.4.5

-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 1/2] Don't output libvirt-UUID.files for LXC apparmor profiles
On 07/11/2014 09:22 AM, Serge Hallyn wrote:

Quoting Cédric Bosdonnat (cbosdon...@suse.com):

--- src/security/virt-aa-helper.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)

Hi,

I'm acking this anyway bc I think you're right, but I'm trying to think of a case where this would still be useful. What if we want to allow only a certain container to have access to its cgroups, for instance, for nesting containers? Would virt-aa-helper and the .files be a way this would be done? I suppose we could always re-introduce this in that case...

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

I've pushed this one.

-- Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Re: [libvirt] [PATCH 1/2] Don't output libvirt-UUID.files for LXC apparmor profiles
On Fri, 2014-07-11 at 11:03 -0600, Eric Blake wrote:

On 07/11/2014 09:22 AM, Serge Hallyn wrote:

Quoting Cédric Bosdonnat (cbosdon...@suse.com):

--- src/security/virt-aa-helper.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)

Hi,

I'm acking this anyway bc I think you're right, but I'm trying to think of a case where this would still be useful. What if we want to allow only a certain container to have access to its cgroups, for instance, for nesting containers? Would virt-aa-helper and the .files be a way this would be done? I suppose we could always re-introduce this in that case...

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

I've pushed this one.

Huh, I found a regression with this one... sent a v2 earlier today.

-- Cedric
[libvirt] [PATCH 1/2] Don't output libvirt-UUID.files for LXC apparmor profiles
--- src/security/virt-aa-helper.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index b5f66f3..d563b98 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1342,7 +1342,8 @@ main(int argc, char **argv) vah_info(include_file); vah_info(included_files); rc = 0; -} else if ((rc = update_include_file(include_file, +} else if (ctl-def-virtType != VIR_DOMAIN_VIRT_LXC + (rc = update_include_file(include_file, included_files, ctl-append)) != 0) goto cleanup; -- 1.8.4.5
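
Review bot: In the new `else if` condition, an LXC domain short-circuits before `rc = update_include_file(...)` runs, so `rc` is never assigned on that path and keeps whatever value it held before this chain, unlike the preceding branch, which sets `rc = 0` explicitly. Check what `rc` holds at that point and how the code after this block uses it; handling the LXC case in its own branch that sets `rc = 0` would make the skip explicit instead of folding it into the error test. A one-line comment on why LXC profiles get no libvirt-UUID.files include would also help, since the condition alone does not say. As rendered in this archive the added lines read `ctl-def-virtType` with no operator before `(rc = ...`; the `->` and `&&` appear to have been lost in extraction, so compare against the original mail before applying.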