xenbits.xensource.com Git - people/aperard/libvirt.git/commitdiff
apparmor: Allow access to /sys/devices/system/node/*/cpumap for libnuma
author Sergio Durigan Junior <sergio.durigan@canonical.com>
Thu, 11 Jan 2024 21:17:41 +0000 (16:17 -0500)
committer Jim Fehlig <jfehlig@suse.com>
Thu, 11 Jan 2024 22:15:23 +0000 (15:15 -0700)
A QEMU change (10218ae6d006f76410804cc4dc690085b3d008b5) introduced
some libnuma calls that require read access to
/sys/devices/system/node/*/cpumap, which currently is forbidden by the
standard apparmor profile.

This commit allows read-only access to the file specified above.

Closes: https://gitlab.com/libvirt/libvirt/-/issues/515
Signed-off-by: Sergio Durigan Junior <sergio.durigan@canonical.com>
Reviewed-by: Jim Fehlig <jfehlig@suse.com>
src/security/apparmor/libvirt-qemu.in

index 53f45c3a2867ccb3a5f9eeb31233fcbe9d91689e..f40f47189163f96f8617fefd58c9534b028b157c 100644 (file)
   /sys/devices/system/node/node[0-9]*/meminfo r,
   /sys/module/vhost/parameters/max_mem_regions r,
 
+   # Access to libnuma
+   /sys/devices/system/node/*/cpumap r,
+
   # silence refusals to open lttng files (see LP: #1432644)
   deny /dev/shm/lttng-ust-wait-* r,
   deny /run/shm/lttng-ust-wait-* r,
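
Review bot: The added rule `/sys/devices/system/node/*/cpumap r,` uses a bare `*` for the node directory, which is wider than the neighbouring meminfo rule's `node[0-9]*` pattern. Writing it as `/sys/devices/system/node/node[0-9]*/cpumap r,` would keep the two rules consistent and limit the read grant to node directories, since `*` matches any single path component under `/sys/devices/system/node/`. The comment `# Access to libnuma` could also say what is being read and why, for example that libnuma calls made by QEMU read the per-node cpumap, so the reason for the rule is clear without the commit message.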