From: Sergio Durigan Junior
To: devel@lists.libvirt.org
CC: Christian Ehrhardt, Sergio Durigan Junior
Subject: [PATCH] apparmor: Allow access to /sys/devices/system/node/*/cpumap for libnuma
Date: Thu, 11 Jan 2024 16:17:41 -0500
Message-Id: <20240111211741.1888945-1-sergio.durigan@canonical.com>

A QEMU change (10218ae6d006f76410804cc4dc690085b3d008b5) introduced some libnuma calls that require read access to /sys/devices/system/node/*/cpumap, which currently is forbidden by the standard apparmor profile. This commit allows read-only access to the file specified above.

Closes #515

Signed-off-by: Sergio Durigan Junior
Reviewed-by: Jim Fehlig

--- src/security/apparmor/libvirt-qemu.in | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/= libvirt-qemu.in index 53f45c3a28..f40f471891 100644 --- a/src/security/apparmor/libvirt-qemu.in +++ b/src/security/apparmor/libvirt-qemu.in 
@@ -252,6 +252,9 @@ /sys/devices/system/node/node[0-9]*/meminfo r, /sys/module/vhost/parameters/max_mem_regions r, =20 + # Access to libnuma + /sys/devices/system/node/*/cpumap r, + # silence refusals to open lttng files (see LP: #1432644) deny /dev/shm/lttng-ust-wait-* r, deny /run/shm/lttng-ust-wait-* r, --=20 2.34.1
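
Review bot: the added rule `/sys/devices/system/node/*/cpumap r,` uses a bare `*` for the node directory, while the context line directly above it in the same hunk constrains that path component with `node[0-9]*` (`/sys/devices/system/node/node[0-9]*/meminfo r,`). Consider writing the new rule as `/sys/devices/system/node/node[0-9]*/cpumap r,` so both rules cover the same set of directories and the read grant stays as narrow as the existing one. The comment `# Access to libnuma` could also say why the access is needed, for example by naming the QEMU commit cited in the commit message, so a later reader of the profile can tell when the rule may be dropped.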