git.ipfire.org Git - thirdparty/libvirt.git/commitdiff
apparmor: qemu access to @{PROC}/*/auxv for hw_cap
author: Stefan Bader <stefan.bader@canonical.com>
Mon, 3 Aug 2020 11:44:27 +0000 (13:44 +0200)
committer: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Mon, 10 Aug 2020 05:32:06 +0000 (07:32 +0200)
On some architectures (ppc, s390x, sparc, arm) qemu will read auxv
to detect hardware capabilities via qemu_getauxval.

Allow that access read-only for the entry owned by the current
qemu process.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
src/security/apparmor/libvirt-qemu

index b132cf02262606fb0719096ba2b994631a924a53..ae3db68f82460a8b3f7ad84f9c16ea22202be9b6 100644 (file)
@@ -33,6 +33,8 @@
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
   @{PROC}/sys/kernel/cap_last_cap r,
   @{PROC}/sys/vm/overcommit_memory r,
+  # detect hardware capabilities via qemu_getauxval
+  owner @{PROC}/*/auxv r,
 
   # For hostdev access. The actual devices will be added dynamically
   /sys/bus/usb/devices/ r,
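Review bot: the new rule `owner @{PROC}/*/auxv r,` is broader than the commit message describes. The message says access is allowed "for the entry owned by the current qemu process", but `*` matches every pid directory, and `owner` only requires the file to be owned by the same uid as the confined task; on a host where several guests run under one qemu user that lets a guest's qemu read the auxv of sibling qemu processes. The neighbouring rule in the same hunk, `owner @{PROC}/@{pid}/task/@{tid}/comm rw,`, already uses `@{pid}`, and since qemu_getauxval reads through /proc/self, which AppArmor resolves to the real pid path, `owner @{PROC}/@{pid}/auxv r,` would satisfy it while matching the message. If `*` is intentional (for example because @{pid} does not cover the path on some architecture), the comment line above the rule or the commit message should say so.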