On 6/26/23 14:46, Christian Boltz wrote:
[Please CC me, I'm not subscribed to the mailing list]
Hello,
regarding the initial patch in this thread: The patch looks good and
should go upstream IMHO. (Maybe except creating the dummy local/* files
for AppArmor 3.x - see below for details.)
A note a
On 6/29/23 07:14, Andrea Bolognani wrote:
An alternative to Jim's attempt[1]. See [2] for the discussion
leading up to these changes.
[1] https://listman.redhat.com/archives/libvir-list/2023-June/240531.html
[2] https://listman.redhat.com/archives/libvir-list/2023-June/240251.html
Andrea Bologn
On 6/29/23 07:14, Andrea Bolognani wrote:
For AppArmor 3.x we can use 'include if exists', which frees us
from having to create a dummy override. For AppArmor 2.x we keep
things as they are to avoid introducing regressions.
Signed-off-by: Andrea Bolognani
---
src/security/apparmor/meson.build
Hello,
On Tuesday, 27 June 2023, 18:49:04 CEST, Andrea Bolognani wrote:
> On Mon, Jun 26, 2023 at 10:46:40PM +0200, Christian Boltz wrote:
[...]
> > See above - IMHO the current upstream behaviour is not perfect, and
> > will hopefully change to not creating the local/ files by default
> > in 4
Hello,
On Thursday, 29 June 2023, 19:05:09 CEST, Jim Fehlig wrote:
[...]
> I was going down the same path until I thought of the more brute force
> approach, which I admit to be fond of due to ease of ripping out the
> 2.x stuff when no longer needed. But yeah, two copies of the profiles
> is
On 6/29/23 07:21, Andrea Bolognani wrote:
On Wed, Jun 28, 2023 at 05:15:26PM -0600, Jim Fehlig wrote:
This is a stab at a V2 of
https://listman.redhat.com/archives/libvir-list/2023-June/240219.html
That patch was ACKed and committed, but reverted before the 9.5.0 release
since it could be prob
On Thu, Jun 29, 2023 at 06:27:10AM -0700, Andrea Bolognani wrote:
> On Wed, Jun 28, 2023 at 03:25:49PM -0600, Jim Fehlig wrote:
> > On 6/23/23 07:11, Andrea Bolognani wrote:
> > > The catch is that apparently the "include if exists" statement
> > > doesn't work well before 3.0, and our support matr
On Wed, Jun 28, 2023 at 03:25:49PM -0600, Jim Fehlig wrote:
> On 6/23/23 07:11, Andrea Bolognani wrote:
> > The catch is that apparently the "include if exists" statement
> > doesn't work well before 3.0, and our support matrix will include
> > distros that are still on AppArmor 2.x for a couple mo
On Wed, Jun 28, 2023 at 05:15:26PM -0600, Jim Fehlig wrote:
> This is a stab at a V2 of
>
> https://listman.redhat.com/archives/libvir-list/2023-June/240219.html
>
> That patch was ACKed and committed, but reverted before the 9.5.0 release
> since it could be problematic with older apparmor 2.x ver
Do for all other profiles what we already do for the
virt-aa-helper one. In this case we limit the feature to AppArmor
3.x, as it was never implemented for 2.x.
Signed-off-by: Andrea Bolognani
---
src/security/apparmor/usr.sbin.libvirtd.in | 4
src/security/apparmor/usr.sbin.virtqemud.in |
Signed-off-by: Andrea Bolognani
---
NEWS.rst | 8
1 file changed, 8 insertions(+)
diff --git a/NEWS.rst b/NEWS.rst
index 950b188a8b..92596d6088 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -33,6 +33,14 @@ v9.5.0 (unreleased)
image on discard requests. Disabling cluster unrefing decrease
For AppArmor 3.x we can use 'include if exists', which frees us
from having to create a dummy override. For AppArmor 2.x we keep
things as they are to avoid introducing regressions.
Signed-off-by: Andrea Bolognani
---
src/security/apparmor/meson.build | 15 ++-
.../ap
The subprofile can only work by including the abstraction shipped
in the passt package, which we can't assume is present, and
'include if exists' doesn't work well on 2.x.
No distro that's stuck on AppArmor 2.x is likely to be shipping
passt anyway.
Signed-off-by: Andrea Bolognani
---
src/secur
We will soon need to base some decisions on whether AppArmor 3.x
or 2.x is present on the system.
Signed-off-by: Andrea Bolognani
---
meson.build | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meson.build b/meson.build
index aa391e7178..060eafc344 100644
--- a/meson.build
+++ b/meson.bui
Implement the standard AppArmor 3.x abstraction extension
approach.
Signed-off-by: Andrea Bolognani
---
src/security/apparmor/libvirt-lxc.in | 4
src/security/apparmor/libvirt-qemu.in | 4
2 files changed, 8 insertions(+)
diff --git a/src/security/apparmor/libvirt-lxc.in
b/src/secur
Perform an additional preprocessing step before the existing
variable substitution. This is the same approach that we already
use to customize systemd unit files based on whether the service
supports TCP connections.
Signed-off-by: Andrea Bolognani
---
src/security/apparmor/meson.build | 34
Compared to profiles, we only need a single preprocessing step
here, as there is no variable substitution happening.
Signed-off-by: Andrea Bolognani
---
.../apparmor/{libvirt-lxc => libvirt-lxc.in} | 0
.../{libvirt-qemu => libvirt-qemu.in} | 0
src/security/apparmor/meson.build
An alternative to Jim's attempt[1]. See [2] for the discussion
leading up to these changes.
[1] https://listman.redhat.com/archives/libvir-list/2023-June/240531.html
[2] https://listman.redhat.com/archives/libvir-list/2023-June/240251.html
Andrea Bolognani (8):
meson: Detect AppArmor 3.x
appa
On Tue, Jun 27, 2023 at 17:51:26 +0200, Boris Fiuczynski wrote:
> From: Shalini Chellathurai Saroja
>
> Let us introduce the xml and reply files for QEMU 8.1.0 on s390x.
>
> Signed-off-by: Boris Fiuczynski
> Signed-off-by: Shalini Chellathurai Saroja
> ---
> 68 files changed, 38786 insertions
On 6/28/23 7:22 PM, Jonathon Jongsma wrote:
On 6/28/23 3:40 AM, Boris Fiuczynski wrote:
On 6/28/23 12:03 AM, Jonathon Jongsma wrote:
On 6/23/23 5:43 AM, Boris Fiuczynski wrote:
Update the optional mdev attributes on the newly created nodedev
object as
they otherwise would not get set until the
On a Thursday in 2023, Michal Privoznik wrote:
After v8.1.0-61-g030faee28d it is no longer necessary to make the
/proc/meminfo file nonseekable as our code that fills the file
with spoofed values can handle seeking just fine.
Previously, `free(1)` was okay with failed lseek(), but this was
ages
On 6/5/23 07:07, Han Han wrote:
> Allow //disk/target@removable for scsi disk devices, since QEMU has supported
> the removable attribute for scsi-hd device from v0.14.0[1].
>
> [1]: 419e691f8e: scsi-disk: Allow overriding SCSI INQUIRY removable bit
>
> Signed-off-by: Han Han
> ---
> docs/formatd
On 6/5/23 09:40, Han Han wrote:
> Fix the syntax-check failures with the help of isort[1]:
> 289/316 libvirt:syntax-check / flake8 FAIL 5.24s exit status 2
>
> [1]: https://pycqa.github.io/isort/
>
> Signed-off-by: Han Han
> ---
> ci/util.py | 3 +--
> run.in
After v8.1.0-61-g030faee28d it is no longer necessary to make the
/proc/meminfo file nonseekable as our code that fills the file
with spoofed values can handle seeking just fine.
Previously, `free(1)` was okay with failed lseek(), but this was
ages ago and meanwhile the procps project moved to cre