From: Felix Geyer Date: Wed, 3 Sep 2014 19:52:03 +0000 (+0200) Subject: apparmor: allow reading cap_last_cap X-Git-Tag: CVE-2014-3633~168 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2311e5c4eab2db129508e72d6962dddf101744b7;p=thirdparty%2Flibvirt.git apparmor: allow reading cap_last_cap libcap-ng >= 0.7.4 fails when it can't read /sys/kernel/cap_last_cap and thus running a qemu guest fails. Allow reading cap_last_cap in the libvirt-qemu apparmor abstraction. Signed-off-by: Michal Privoznik --- diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 83814ecf56..c6de6dd77c 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -1,4 +1,4 @@ -# Last Modified: Fri Mar 9 14:43:22 2012 +# Last Modified: Wed Sep 3 21:52:03 2014 #include #include @@ -21,6 +21,7 @@ /dev/ptmx rw, /dev/kqemu rw, @{PROC}/*/status r, + @{PROC}/sys/kernel/cap_last_cap r, # For hostdev access. The actual devices will be added dynamically /sys/bus/usb/devices/ r,
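Review bot: the first hunk (`@@ -1,4 +1,4 @@`) changes only the hand-maintained `# Last Modified:` comment, which duplicates the date the commit already records. Every later edit to this profile will touch the same line, so unrelated patches to the file will conflict with each other on it. Consider dropping the timestamp comment from the file rather than updating it.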
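Review bot: in the second hunk (`@@ -21,6 +21,7 @@`), the added rule `@{PROC}/sys/kernel/cap_last_cap r,` does not match the path in the commit message, which names `/sys/kernel/cap_last_cap`. The file lives under `/proc/sys/kernel/`, so the rule is right and the message should be corrected to say `/proc/sys/kernel/cap_last_cap`. The grant itself is suitably narrow for a shared abstraction: one file, read only, no glob. A one-line comment above the rule saying it is needed by libcap-ng >= 0.7.4, in the style of the `# For hostdev access.` comment that follows, would let someone auditing the profile later see why the line is there.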