[PATCH] apparmor: Allow access to /sys/devices/system/node/*/cpumap for libnuma

Sergio Durigan Junior posted 1 patch 3 months, 2 weeks ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20240111211741.1888945-1-sergio.durigan@canonical.com
[PATCH] apparmor: Allow access to /sys/devices/system/node/*/cpumap for libnuma
Posted by Sergio Durigan Junior 3 months, 2 weeks ago
A QEMU change (10218ae6d006f76410804cc4dc690085b3d008b5) introduced
some libnuma calls that require read access to
/sys/devices/system/node/*/cpumap, which currently is forbidden by the
standard apparmor profile.

This commit allows read-only access to the file specified above.

Closes #515

Signed-off-by: Sergio Durigan Junior <sergio.durigan@canonical.com>
---
 src/security/apparmor/libvirt-qemu.in | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in
index 53f45c3a28..f40f471891 100644
--- a/src/security/apparmor/libvirt-qemu.in
+++ b/src/security/apparmor/libvirt-qemu.in
@@ -252,6 +252,9 @@
   /sys/devices/system/node/node[0-9]*/meminfo r,
   /sys/module/vhost/parameters/max_mem_regions r,
 
+   # Access to libnuma
+   /sys/devices/system/node/*/cpumap r,
+
   # silence refusals to open lttng files (see LP: #1432644)
   deny /dev/shm/lttng-ust-wait-* r,
   deny /run/shm/lttng-ust-wait-* r,
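Review bot: the added rule globs the node directory with a bare `*` while the existing rule two lines above it scopes the same directory with `node[0-9]*`; AppArmor's `*` does not cross `/`, so this is still a single path component, but for consistency with the neighbouring `meminfo` rule and to keep the grant limited to NUMA node entries, consider `/sys/devices/system/node/node[0-9]*/cpumap r,` placed directly under the `meminfo` line rather than in a separate block. The comment `# Access to libnuma` would also be more useful to future readers of the profile if it named what actually needs the read, e.g. "cpumap is read by libnuma calls added in QEMU commit 10218ae6d006f76410804cc4dc690085b3d008b5", so the rationale from the commit message survives in the file itself. Read-only (`r`) is the right scope here; the message asks for nothing more.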
-- 
2.34.1
_______________________________________________
Devel mailing list -- devel@lists.libvirt.org
To unsubscribe send an email to devel-leave@lists.libvirt.org
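The commit message describes a denial-driven profile change: QEMU's libnuma calls open a sysfs path the libvirt-qemu profile does not list, the kernel logs an AppArmor DENIED record, and the fix is a narrowly scoped read rule. The script below is an added example, not part of the patch or of libvirt's own tooling: it parses constructed AppArmor audit lines in the kernel's standard field layout, translates an AppArmor path glob into a regex (so it shows why `*` stays within one path component while `**` does not), and reports which denials a candidate rule would still leave uncovered. The audit lines, the profile name and the write denial are constructed samples; the rule strings are the patch's rule plus assumed variants used only for comparison.

```python
"""Triage AppArmor DENIED audit records against candidate profile rules.

Added example (not libvirt project code). Audit lines below are constructed
samples in the standard AppArmor audit field layout; the profile UUID, pids
and the write denial are made up for illustration.
"""
import re

# Constructed sample audit records: two read denials on cpumap, one write
# denial (to show mask checking), and one non-DENIED record to be skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1704996123.456:1001): apparmor="DENIED" operation="open" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/sys/devices/system/node/node0/cpumap" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
type=AVC msg=audit(1704996123.457:1002): apparmor="DENIED" operation="open" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/sys/devices/system/node/node1/cpumap" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
type=AVC msg=audit(1704996124.000:1003): apparmor="DENIED" operation="open" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/sys/devices/system/node/node0/cpumap" pid=4242 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=64055 ouid=0
type=AVC msg=audit(1704996125.000:1004): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-qemu" pid=1 comm="apparmor_parser"
"""

# key="value" pairs; unquoted fields such as pid=4242 are not needed here.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(text):
    """Return a list of field dicts for apparmor="DENIED" records only."""
    denials = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("apparmor") == "DENIED":
            denials.append(fields)
    return denials


def glob_to_regex(pattern):
    """Translate an AppArmor path glob into an anchored regex.

    Supported AppArmor glob syntax:
      '**'  any characters, including '/'
      '*'   any characters except '/' (stays within one path component)
      '?'   one character that is not '/'
      '[…]' character class, passed through unchanged
    Brace alternation ({a,b}) is not handled by this helper.
    """
    i, parts = 0, []
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            parts.append("[^/]*")
        elif c == "?":
            parts.append("[^/]")
        elif c == "[":
            j = pattern.index("]", i)
            parts.append(pattern[i:j + 1])
            i = j + 1
            continue
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def parse_rule(rule):
    """Split a profile line like '/path/glob r,' into (regex, permission set)."""
    path, perms = rule.strip().rstrip(",").split()
    return glob_to_regex(path), set(perms)


def rule_covers(rule, denial):
    """True if the rule's glob matches the denied name and grants every denied mask bit."""
    regex, perms = parse_rule(rule)
    return bool(regex.match(denial["name"])) and set(denial["denied_mask"]) <= perms


def uncovered(rules, audit_text):
    """(name, denied_mask) pairs that none of the candidate rules would grant."""
    return [
        (d["name"], d["denied_mask"])
        for d in parse_denials(audit_text)
        if not any(rule_covers(r, d) for r in rules)
    ]


if __name__ == "__main__":
    proposed = ["/sys/devices/system/node/*/cpumap r,"]  # the rule from the patch
    for name, mask in uncovered(proposed, SAMPLE_AUDIT):
        print(f"still denied after proposed rule: {name} ({mask})")
```

Running it shows that the patch's rule covers both read denials and that the constructed write denial remains uncovered, which is the intended outcome of a read-only grant; swapping the rule for `/sys/devices/system/*/cpumap r,` makes both read denials reappear, because a single `*` cannot span the `node/node0` components.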
Re: [PATCH] apparmor: Allow access to /sys/devices/system/node/*/cpumap for libnuma
Posted by Jim Fehlig 3 months, 2 weeks ago
On 1/11/24 14:17, Sergio Durigan Junior wrote:
> A QEMU change (10218ae6d006f76410804cc4dc690085b3d008b5) introduced
> some libnuma calls that require read access to
> /sys/devices/system/node/*/cpumap, which currently is forbidden by the
> standard apparmor profile.
> 
> This commit allows read-only access to the file specified above.
> 
> Closes #515

I always forget, but looking at the git log it seems the full URL is preferred. E.g.

Closes: https://gitlab.com/libvirt/libvirt/-/issues/515

> Signed-off-by: Sergio Durigan Junior <sergio.durigan@canonical.com>

Reviewed-by: Jim Fehlig <jfehlig@suse.com>

It's a bug fix so should be safe for freeze. I'll make the above change to the 
commit message and push it.

Regards,
Jim

> ---
>   src/security/apparmor/libvirt-qemu.in | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in
> index 53f45c3a28..f40f471891 100644
> --- a/src/security/apparmor/libvirt-qemu.in
> +++ b/src/security/apparmor/libvirt-qemu.in
> @@ -252,6 +252,9 @@
>     /sys/devices/system/node/node[0-9]*/meminfo r,
>     /sys/module/vhost/parameters/max_mem_regions r,
>   
> +   # Access to libnuma
> +   /sys/devices/system/node/*/cpumap r,
> +
>     # silence refusals to open lttng files (see LP: #1432644)
>     deny /dev/shm/lttng-ust-wait-* r,
>     deny /run/shm/lttng-ust-wait-* r,
Re: [PATCH] apparmor: Allow access to /sys/devices/system/node/*/cpumap for libnuma
Posted by Sergio Durigan Junior 3 months, 1 week ago
On Thursday, January 11 2024, Jim Fehlig wrote:

> On 1/11/24 14:17, Sergio Durigan Junior wrote:
>> A QEMU change (10218ae6d006f76410804cc4dc690085b3d008b5) introduced
>> some libnuma calls that require read access to
>> /sys/devices/system/node/*/cpumap, which currently is forbidden by the
>> standard apparmor profile.
>> This commit allows read-only access to the file specified above.
>> Closes #515
>
> I always forget, but looking at the git log it seems the full URL is preferred. E.g.
>
> Closes: https://gitlab.com/libvirt/libvirt/-/issues/515
>
>> Signed-off-by: Sergio Durigan Junior <sergio.durigan@canonical.com>
>
> Reviewed-by: Jim Fehlig <jfehlig@suse.com>
>
> It's a bug fix so should be safe for freeze. I'll make the above
> change to the commit message and push it.

Thanks, Jim.

I'll use the correct notation next time.

Cheers,

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14
Re: [PATCH] apparmor: Allow access to /sys/devices/system/node/*/cpumap for libnuma
Posted by Peter Krempa 3 months, 2 weeks ago
On Thu, Jan 11, 2024 at 15:21:03 -0700, Jim Fehlig wrote:
> On 1/11/24 14:17, Sergio Durigan Junior wrote:
> > A QEMU change (10218ae6d006f76410804cc4dc690085b3d008b5) introduced
> > some libnuma calls that require read access to
> > /sys/devices/system/node/*/cpumap, which currently is forbidden by the
> > standard apparmor profile.
> > 
> > This commit allows read-only access to the file specified above.
> > 
> > Closes #515
> 
> I always forget, but looking at the git log it seems the full URL is preferred. E.g.
> 
> Closes: https://gitlab.com/libvirt/libvirt/-/issues/515

The full URL is mandated, as "#515" is meaningless when looking at it from
e.g. the command line.

Additionally, it is misleading when looking at the commit from a fork of
the repository or a clone on another git forge, each of which tries to
claim the issue is on their clone/fork/forge and thus could e.g. point to a
different issue once the repo is migrated to another forge.

And in case the full URI is used, the web UI still shortens it to "#515".