From 9abebfb36b2380829be4a901d7c9785a7a8f5f6a Mon Sep 17 00:00:00 2001
From: Jim Fehlig <jfehlig@suse.com>
Date: Mon, 7 Jun 2021 16:21:28 -0600
Subject: [PATCH] apparmor: Permit new capabilities required by libvirtd
The audit log contains the following denials from libvirtd
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="daemon-init" capability=17 capname="sys_rawio"
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=39 capname="bpf"
apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=38 capname="perfmon"
Squelch the denials and allow the capabilities in the libvirtd
apparmor profile.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---
src/security/apparmor/usr.sbin.libvirtd.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index 1e137039e9..49266743f5 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -25,6 +25,9 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
capability fsetid,
capability audit_write,
capability ipc_lock,
+ capability sys_rawio,
+ capability bpf,
+ capability perfmon,
|
|
|
|
# Needed for vfio
capability sys_resource,
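Review bot: The three added `capability` lines carry no comment recording which libvirtd code path needs them, while the neighbouring `# Needed for vfio` line does exactly that for `sys_resource`; `sys_rawio` in particular is a broad grant (raw device and port I/O) to the whole daemon, so the justification should live in the profile rather than only in the audit-log excerpt of the commit message. I would prefix the new block with a comment in the existing style, e.g. `# Needed by daemon-init (sys_rawio) and rpc-worker (bpf, perfmon); see audit denials`, naming the libvirt feature that triggered each denial — the hunk does not show which feature that is, so the author should fill it in. `bpf` and `perfmon` are the capabilities that newer kernels split out of `sys_admin`, so if this profile already grants `sys_admin` further up (outside the hunk), these two lines only make explicit what older kernels granted implicitly, and that is worth stating in the same comment. The enclosing `profile libvirtd` block starts and ends outside the hunk.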
--
2.27.0