Skip to content

L
libvirt

openeuler / libvirt

通知 3
Star 0
Fork 0
L
libvirt

前往新版Gitcode,体验更适合开发者的 AI 搜索 >>

提交 b61fb8e8 编写于 作者: M Mike Latimer 提交者: Cédric Bosdonnat
浏览文件
操作

Fix apparmor issues for Xen 

In order for apparmor to work properly in Xen environments, the following
access rights need to be allowed:

 - Allow CAP_SYS_PACCT, which is required when resetting some multi-port
   Broadcom cards by writting to the PCI config space

 - Allow CAP_IPC_LOCK, which is required to lock/unlock memory. Without
   this setting, an error 'Resource temporarily unavailable' can be seen
   while attempting to mmap memory. At the same time, the following
   apparmor message is seen:

   apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd"
   pid=2097 comm="libvirtd" pid=2097 comm="libvirtd" capability=14
   capname="ipc_lock"

 - Allow access to distribution specific directories:
     /usr/{lib,lib64}/xen/bin
上级 852cea52
隐藏空白更改
内联 并排
Showing with 3 addition and 0 deletion
examples/apparmor/usr.sbin.libvirtd
浏览文件 @ b61fb8e8
......@@ -13,6 +13,7 @@
capability sys_admin,
capability sys_module,
capability sys_ptrace,
capability sys_pacct,
capability sys_nice,
capability sys_chroot,
capability setuid,
......@@ -24,6 +25,7 @@
capability mknod,
capability fsetid,
capability audit_write,
capability ipc_lock,
# Needed for vfio
capability sys_resource,
......@@ -45,6 +47,7 @@
/usr/sbin/* PUx,
/lib/udev/scsi_id PUx,
/usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
/usr/{lib,lib64}/xen/bin/* Ux,
# force the use of virt-aa-helper
audit deny /sbin/apparmor_parser rwxl,
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册