ccxiaop/libvirt

forked from src-openEuler/libvirt 
apparmor-Permit-new-capabilities-required-by-libvirt.patch 1.43 KB
yezengruan committed on 2022-03-24 16:27 . update patch with openeuler !59
From 9abebfb36b2380829be4a901d7c9785a7a8f5f6a Mon Sep 17 00:00:00 2001
From: Jim Fehlig <jfehlig@suse.com>
Date: Mon, 7 Jun 2021 16:21:28 -0600
Subject: [PATCH] apparmor: Permit new capabilities required by libvirtd
The audit log contains the following denials from libvirtd
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="daemon-init" capability=17 capname="sys_rawio"
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=39 capname="bpf"
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=38 capname="perfmon"
Squelch the denials and allow the capabilities in the libvirtd
apparmor profile.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---
src/security/apparmor/usr.sbin.libvirtd.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index 1e137039e9..49266743f5 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -25,6 +25,9 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
capability fsetid,
capability audit_write,
capability ipc_lock,
+ capability sys_rawio,
+ capability bpf,
+ capability perfmon,
# Needed for vfio
capability sys_resource,
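Review bot: the three added rules (`capability sys_rawio,`, `capability bpf,`, `capability perfmon,`) carry no comment saying which libvirtd operation needs them, while the next rule in the same block is annotated with `# Needed for vfio`. The commit message records only that the denials were logged for `daemon-init` and `rpc-worker`, so a later reader of the profile cannot tell whether each capability is required for functionality or was granted only to quiet the audit log; `sys_rawio` in particular is a broad grant. Suggest a one-line comment per capability naming the code path that triggers it, and for any capability libvirtd does not actually need, an explicit `deny capability ...,` rule instead, which silences the denial without widening the profile.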
--
2.27.0