libvirt/apparmor-xen-fixup.patch

From b286f2c50bdea753c9c490687db90071dff137ad Mon Sep 17 00:00:00 2001
Message-Id: <b286f2c50bdea753c9c490687db90071dff137ad.1421716686.git.mlatimer@suse.com>
In-Reply-To: <cover.1421716686.git.mlatimer@suse.com>
References: <cover.1421716686.git.mlatimer@suse.com>
From: Mike Latimer <mlatimer@suse.com>
Date: Mon, 19 Jan 2015 16:48:59 -0700
Subject: [PATCH 1/3] Fix apparmor issues for Xen

In order for apparmor to work properly in Xen environments, the following
access rights need to be allowed:

 - Allow CAP_SYS_PACCT, which is required when resetting some multi-port
   Broadcom cards by writting to the PCI config space

 - Allow CAP_IPC_LOCK, which is required to lock/unlock memory. Without
   this setting, an error 'Resource temporarily unavailable' can be seen
   while attempting to mmap memory. At the same time, the following
   apparmor message is seen:

   apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd"
   pid=2097 comm="libvirtd" pid=2097 comm="libvirtd" capability=14
   capname="ipc_lock"

 - Allow access to distribution specific directories:
     /usr/{lib,lib64}/xen/bin

---
 examples/apparmor/usr.sbin.libvirtd | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 7151052..9917836 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -13,6 +13,7 @@
   capability sys_admin,
   capability sys_module,
   capability sys_ptrace,
+  capability sys_pacct,
   capability sys_nice,
   capability sys_chroot,
   capability setuid,
@@ -24,6 +25,7 @@
   capability mknod,
   capability fsetid,
   capability audit_write,
+  capability ipc_lock,
 
   # Needed for vfio
   capability sys_resource,
@@ -45,6 +47,7 @@
   /usr/sbin/* PUx,
   /lib/udev/scsi_id PUx,
   /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
+  /usr/{lib,lib64}/xen/bin/* Ux,
 
   # force the use of virt-aa-helper
   audit deny /sbin/apparmor_parser rwxl,
-- 
1.8.4.5