A QEMU change (10218ae6d006f76410804cc4dc690085b3d008b5) introduced
some libnuma calls that require read access to
/sys/devices/system/node/*/cpumap, which currently is forbidden by the
standard apparmor profile.
This commit allows read-only access to the file specified above.
Closes #515
Signed-off-by: Sergio Durigan Junior <sergio.durigan@canonical.com>
---
src/security/apparmor/libvirt-qemu.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in
index 53f45c3a28..f40f471891 100644
--- a/src/security/apparmor/libvirt-qemu.in
+++ b/src/security/apparmor/libvirt-qemu.in
@@ -252,6 +252,9 @@
/sys/devices/system/node/node[0-9]*/meminfo r,
/sys/module/vhost/parameters/max_mem_regions r,
+ # Access to libnuma
+ /sys/devices/system/node/*/cpumap r,
+
# silence refusals to open lttng files (see LP: #1432644)
deny /dev/shm/lttng-ust-wait-* r,
deny /run/shm/lttng-ust-wait-* r,
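Review bot: the added rule `/sys/devices/system/node/*/cpumap r,` uses a bare `*` for the node directory, while the existing meminfo rule in the context just above it restricts the same path component to `node[0-9]*`. Suggest `/sys/devices/system/node/node[0-9]*/cpumap r,` so the grant covers only NUMA node directories and stays consistent with the neighbouring rule. The comment `# Access to libnuma` could also say what the rule is for, e.g. `# Required by libnuma`, since the rule grants read access to a sysfs file, not to the library.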
--
2.34.1
_______________________________________________
Devel mailing list -- devel@lists.libvirt.org
To unsubscribe send an email to devel-leave@lists.libvirt.org
On 1/11/24 14:17, Sergio Durigan Junior wrote:
> A QEMU change (10218ae6d006f76410804cc4dc690085b3d008b5) introduced
> some libnuma calls that require read access to
> /sys/devices/system/node/*/cpumap, which currently is forbidden by the
> standard apparmor profile.
>
> This commit allows read-only access to the file specified above.
>
> Closes #515

I always forget, but looking at the git log it seems the full URL is preferred. E.g.

Closes: https://gitlab.com/libvirt/libvirt/-/issues/515

> Signed-off-by: Sergio Durigan Junior <sergio.durigan@canonical.com>

Reviewed-by: Jim Fehlig <jfehlig@suse.com>

It's a bug fix so should be safe for freeze. I'll make the above change to the commit message and push it.

Regards,
Jim

> --- > src/security/apparmor/libvirt-qemu.in | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in > index 53f45c3a28..f40f471891 100644 > --- a/src/security/apparmor/libvirt-qemu.in > +++ b/src/security/apparmor/libvirt-qemu.in > @@ -252,6 +252,9 @@ > /sys/devices/system/node/node[0-9]*/meminfo r, > /sys/module/vhost/parameters/max_mem_regions r, > > + # Access to libnuma > + /sys/devices/system/node/*/cpumap r, > + > # silence refusals to open lttng files (see LP: #1432644) > deny /dev/shm/lttng-ust-wait-* r, > deny /run/shm/lttng-ust-wait-* r,

On Thursday, January 11 2024, Jim Fehlig wrote:
> On 1/11/24 14:17, Sergio Durigan Junior wrote:
>> A QEMU change (10218ae6d006f76410804cc4dc690085b3d008b5) introduced
>> some libnuma calls that require read access to
>> /sys/devices/system/node/*/cpumap, which currently is forbidden by the
>> standard apparmor profile.
>> This commit allows read-only access to the file specified above.
>> Closes #515
>
> I always forget, but looking at the git log it seems the full URL is preferred. E.g.
>
> Closes: https://gitlab.com/libvirt/libvirt/-/issues/515
>
>> Signed-off-by: Sergio Durigan Junior <sergio.durigan@canonical.com>
>
> Reviewed-by: Jim Fehlig <jfehlig@suse.com>
>
> It's a bug fix so should be safe for freeze. I'll make the above
> change to the commit message and push it.

Thanks, Jim. I'll use the correct notation next time.

Cheers,

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

On Thu, Jan 11, 2024 at 15:21:03 -0700, Jim Fehlig wrote:
> On 1/11/24 14:17, Sergio Durigan Junior wrote:
> > A QEMU change (10218ae6d006f76410804cc4dc690085b3d008b5) introduced
> > some libnuma calls that require read access to
> > /sys/devices/system/node/*/cpumap, which currently is forbidden by the
> > standard apparmor profile.
> >
> > This commit allows read-only access to the file specified above.
> >
> > Closes #515
>
> I always forget, but looking at the git log it seems the full URL is preferred. E.g.
>
> Closes: https://gitlab.com/libvirt/libvirt/-/issues/515

Full URL is mandated as "#515" is meaningless when looking at it from e.g. the commandline. Additionally it is misleading when looking at the commit from a fork of the repository or a clone on another git forge, each of which try to claim the issue is on their clone/fork/forge thus could e.g. point to a different issue once the repo is migrated to another forge.

And in case full URI is used the web ui still shortens it to "#515"