From: Jim Fehlig Date: Mon, 7 Jun 2021 22:21:28 +0000 (-0600) Subject: apparmor: Permit new capabilities required by libvirtd X-Git-Tag: v7.5.0-rc1~184 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4f2811eb816ed1da215b86778dfcf483917666a1;p=thirdparty%2Flibvirt.git apparmor: Permit new capabilities required by libvirtd The audit log contains the following denials from libvirtd apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="daemon-init" capability=17 capname="sys_rawio" apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=39 capname="bpf" apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=38 capname="perfmon" Squelch the denials and allow the capabilities in the libvirtd apparmor profile. Signed-off-by: Jim Fehlig Reviewed-by: Neal Gompa Reviewed-by: Michal Privoznik --- diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in index bf4563e1e8..928782b709 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -25,6 +25,9 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { capability fsetid, capability audit_write, capability ipc_lock, + capability sys_rawio, + capability bpf, + capability perfmon, # Needed for vfio capability sys_resource,
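Review bot: The three new `capability` lines are added with no comment explaining which libvirtd code path needs them, while the neighbouring `capability sys_resource,` carries a `# Needed for vfio` rationale; since the new lines land directly above that comment, a reader of the profile may also take `# Needed for vfio` as applying to `sys_rawio`, `bpf` and `perfmon`. Suggest giving the new block its own comment derived from the audit entries in the commit message, e.g. `# sys_rawio: daemon-init; bpf, perfmon: rpc-worker (see audit denials)`, so the grant is traceable when the profile is later reviewed. `sys_rawio` in particular is a broad capability, and the commit message only says the denials are squelched, not what operation triggered them; recording that in either the commit message or the profile comment would let future maintainers judge whether the grant can be narrowed.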