From nobody Mon May  6 10:23:03 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28
 as permitted sender) client-ip=209.132.183.28;
 envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com;
Authentication-Results: mx.zohomail.com;
	spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com
Return-Path: <libvir-list-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by
 mx.zohomail.com
	with SMTPS id 1509698831298612.2285948084997;
 Fri, 3 Nov 2017 01:47:11 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com
 [10.5.11.12])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id AD21C5F7BC;
	Fri,  3 Nov 2017 08:47:09 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 86D6A60C80;
	Fri,  3 Nov 2017 08:47:09 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 4B9904BB79;
	Fri,  3 Nov 2017 08:47:09 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com
	[10.5.11.12])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id vA38l8Yj006642 for <libvir-list@listman.util.phx.redhat.com>;
	Fri, 3 Nov 2017 04:47:08 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id 86E9C60C80; Fri,  3 Nov 2017 08:47:08 +0000 (UTC)
Received: from mx1.redhat.com (ext-mx05.extmail.prod.ext.phx2.redhat.com
	[10.5.110.29])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 7CF1D60BE5
	for <libvir-list@redhat.com>; Fri,  3 Nov 2017 08:47:06 +0000 (UTC)
Received: from youngberry.canonical.com (youngberry.canonical.com
	[91.189.89.112]) (using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 5B6C4629
	for <libvir-list@redhat.com>; Fri,  3 Nov 2017 08:47:04 +0000 (UTC)
Received: from 1.general.paelzer.uk.vpn ([10.172.196.172]
	helo=localhost.localdomain) by youngberry.canonical.com with esmtpsa
	(TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76)
	(envelope-from <christian.ehrhardt@canonical.com>)
	id 1eAXd1-0007pa-0c; Fri, 03 Nov 2017 08:47:03 +0000
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com AD21C5F7BC
Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com;
 dmarc=fail (p=none dis=none) header.from=canonical.com
Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com;
 spf=fail smtp.mailfrom=libvir-list-bounces@redhat.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com AD21C5F7BC
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 5B6C4629
Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com;
	dmarc=fail (p=none dis=none) header.from=canonical.com
Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; spf=none
	smtp.mailfrom=christian.ehrhardt@canonical.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 5B6C4629
From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
To: Libvirt Devel <libvir-list@redhat.com>
Date: Fri,  3 Nov 2017 09:46:58 +0100
Message-Id: 
 <1509698819-25769-2-git-send-email-christian.ehrhardt@canonical.com>
In-Reply-To: 
 <1509698819-25769-1-git-send-email-christian.ehrhardt@canonical.com>
References: 
 <1509698819-25769-1-git-send-email-christian.ehrhardt@canonical.com>
X-Greylist: Sender passed SPF test, Sender IP whitelisted by DNSRBL, ACL 205
	matched, not delayed by milter-greylist-4.5.16 (mx1.redhat.com
	[10.5.110.29]); Fri, 03 Nov 2017 08:47:04 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com
 [10.5.110.29]);
	Fri, 03 Nov 2017 08:47:04 +0000 (UTC) for IP:'91.189.89.112'
	DOMAIN:'youngberry.canonical.com' HELO:'youngberry.canonical.com'
	FROM:'christian.ehrhardt@canonical.com' RCPT:''
X-RedHat-Spam-Score: -2.301  (RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD) 91.189.89.112 youngberry.canonical.com
	91.189.89.112 youngberry.canonical.com
	<christian.ehrhardt@canonical.com>
X-Scanned-By: MIMEDefang 2.78 on 10.5.110.29
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-loop: libvir-list@redhat.com
Cc: Jamie Strandboge <jamie.strandboge@canonical.com>,
	Guido Guenther <agx@sigxcpu.org>,
	Christian Ehrhardt <christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH 1/2] apparmor: allow qemu to read max_segments
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-Greylist: Sender IP whitelisted,
 not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]);
 Fri, 03 Nov 2017 08:47:10 +0000 (UTC)
X-ZohoMail: RSF_0  Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

Since qemu 2.9 via 9103f1ce "file-posix: Consider max_segments for
BlockLimits.max_transfer" this is a new access that is denied by the
qemu profile.

It is non fatal, but prevents the fix mentioned to actually work.
It should be safe to allow reading from that path.

Since qemu opens a symlink path we need to translate that for apparmor from
"/sys/dev/block/*/queue/max_segments" to
"/sys/devices/**/block/*/queue/max_segments"

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 examples/apparmor/libvirt-qemu | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 97dd2d4..064501f 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -169,6 +169,9 @@
   # for rbd
   /etc/ceph/ceph.conf r,
=20
+  # for file-posix getting limits since 9103f1ce
+  /sys/devices/**/block/*/queue/max_segments r,
+
   # for ppc device-tree access
   @{PROC}/device-tree/ r,
   @{PROC}/device-tree/** r,
--=20
2.7.4

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
From nobody Mon May  6 10:23:03 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28
 as permitted sender) client-ip=209.132.183.28;
 envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com;
Authentication-Results: mx.zohomail.com;
	spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com
Return-Path: <libvir-list-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by
 mx.zohomail.com
	with SMTPS id 1509698844095640.6387442463479;
 Fri, 3 Nov 2017 01:47:24 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com
 [10.5.11.14])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 9EB0C85376;
	Fri,  3 Nov 2017 08:47:22 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 7221C5D972;
	Fri,  3 Nov 2017 08:47:22 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 38154247C0;
	Fri,  3 Nov 2017 08:47:22 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com
	[10.5.11.16])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id vA38l889006647 for <libvir-list@listman.util.phx.redhat.com>;
	Fri, 3 Nov 2017 04:47:08 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id 99B225C883; Fri,  3 Nov 2017 08:47:08 +0000 (UTC)
Received: from mx1.redhat.com (ext-mx03.extmail.prod.ext.phx2.redhat.com
	[10.5.110.27])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 8DB195C54C
	for <libvir-list@redhat.com>; Fri,  3 Nov 2017 08:47:06 +0000 (UTC)
Received: from youngberry.canonical.com (youngberry.canonical.com
	[91.189.89.112]) (using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 033137E42F
	for <libvir-list@redhat.com>; Fri,  3 Nov 2017 08:47:05 +0000 (UTC)
Received: from 1.general.paelzer.uk.vpn ([10.172.196.172]
	helo=localhost.localdomain) by youngberry.canonical.com with esmtpsa
	(TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76)
	(envelope-from <christian.ehrhardt@canonical.com>)
	id 1eAXd1-0007pa-QP; Fri, 03 Nov 2017 08:47:03 +0000
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 9EB0C85376
Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com;
 dmarc=fail (p=none dis=none) header.from=canonical.com
Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com;
 spf=fail smtp.mailfrom=libvir-list-bounces@redhat.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 9EB0C85376
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 033137E42F
Authentication-Results: ext-mx03.extmail.prod.ext.phx2.redhat.com;
	dmarc=fail (p=none dis=none) header.from=canonical.com
Authentication-Results: ext-mx03.extmail.prod.ext.phx2.redhat.com; spf=none
	smtp.mailfrom=christian.ehrhardt@canonical.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 033137E42F
From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
To: Libvirt Devel <libvir-list@redhat.com>
Date: Fri,  3 Nov 2017 09:46:59 +0100
Message-Id: 
 <1509698819-25769-3-git-send-email-christian.ehrhardt@canonical.com>
In-Reply-To: 
 <1509698819-25769-1-git-send-email-christian.ehrhardt@canonical.com>
References: 
 <1509698819-25769-1-git-send-email-christian.ehrhardt@canonical.com>
X-Greylist: Sender passed SPF test, Sender IP whitelisted by DNSRBL, ACL 205
	matched, not delayed by milter-greylist-4.5.16 (mx1.redhat.com
	[10.5.110.27]); Fri, 03 Nov 2017 08:47:05 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com
 [10.5.110.27]);
	Fri, 03 Nov 2017 08:47:05 +0000 (UTC) for IP:'91.189.89.112'
	DOMAIN:'youngberry.canonical.com' HELO:'youngberry.canonical.com'
	FROM:'christian.ehrhardt@canonical.com' RCPT:''
X-RedHat-Spam-Score: -2.301  (RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD) 91.189.89.112 youngberry.canonical.com
	91.189.89.112 youngberry.canonical.com
	<christian.ehrhardt@canonical.com>
X-Scanned-By: MIMEDefang 2.78 on 10.5.110.27
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
X-loop: libvir-list@redhat.com
Cc: Jamie Strandboge <jamie.strandboge@canonical.com>,
	Guido Guenther <agx@sigxcpu.org>,
	Christian Ehrhardt <christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH 2/2] apparmor, virt-aa-helper: allow ipv6
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-Greylist: Sender IP whitelisted,
 not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]);
 Fri, 03 Nov 2017 08:47:23 +0000 (UTC)
X-ZohoMail: RSF_0  Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

In case ipv6 is used the network inet6 permission is required for
virt-aa-helper.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 examples/apparmor/usr.lib.libvirt.virt-aa-helper | 1 +
 1 file changed, 1 insertion(+)

diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/ap=
parmor/usr.lib.libvirt.virt-aa-helper
index 012080c..bd6181d 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -10,6 +10,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-h=
elper {
=20
   # needed for when disk is on a network filesystem
   network inet,
+  network inet6,
=20
   deny @{PROC}/[0-9]*/mounts r,
   @{PROC}/[0-9]*/net/psched r,
--=20
2.7.4

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list