[lxc-devel] [lxd/master] Update qemu profile
stgraber on Github
lxc-bot at linuxcontainers.org
Wed Sep 16 16:00:29 UTC 2020
From 17897af3809ca25e4320eff3be9b336df399d684 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 16 Sep 2020 11:59:53 -0400
Subject: [PATCH 1/2] doc/instance: raw.apparmor now implemented for VM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
doc/instances.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/instances.md b/doc/instances.md
index 4884e2c8cd..31a25be210 100644
--- a/doc/instances.md
+++ b/doc/instances.md
@@ -66,7 +66,7 @@ nvidia.driver.capabilities | string | compute,utility | no
nvidia.runtime | boolean | false | no | container | Pass the host NVIDIA and CUDA runtime libraries into the instance
nvidia.require.cuda | string | - | no | container | Version expression for the required CUDA version (sets libnvidia-container NVIDIA\_REQUIRE\_CUDA)
nvidia.require.driver | string | - | no | container | Version expression for the required driver version (sets libnvidia-container NVIDIA\_REQUIRE\_DRIVER)
-raw.apparmor | blob | - | yes | container | Apparmor profile entries to be appended to the generated profile
+raw.apparmor | blob | - | yes | - | Apparmor profile entries to be appended to the generated profile
raw.idmap | blob | - | no | unprivileged container | Raw idmap configuration (e.g. "both 1000 1000")
raw.lxc | blob | - | no | container | Raw LXC configuration to be appended to the generated one
raw.qemu | blob | - | no | virtual-machine | Raw Qemu configuration to be appended to the generated command line
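Review bot: the type column for raw.apparmor now reads "-" (all instance types), but the description still only says the entries are appended to "the generated profile", which for a virtual-machine is the QEMU process profile rather than an LXC container profile; consider stating that explicitly, e.g. "AppArmor profile entries to be appended to the generated profile (container profile or QEMU process profile)". The live-update column also stays "yes" while the row previously applied to containers only: confirm that changing raw.apparmor on a running VM actually regenerates and reloads the QEMU profile, otherwise that column should say "no" for virtual-machine.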
From bef93cba0e8ca2f22f7db514ad85c26d0c620fb7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 16 Sep 2020 12:00:05 -0400
Subject: [PATCH 2/2] lxd/apparmor: Tweak qemu profile for non-snap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/apparmor/instance_qemu.go | 27 +++++++++++++++++----------
1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/lxd/apparmor/instance_qemu.go b/lxd/apparmor/instance_qemu.go
index 7ceb02dc52..c529e76ffc 100644
--- a/lxd/apparmor/instance_qemu.go
+++ b/lxd/apparmor/instance_qemu.go
@@ -12,27 +12,34 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
capability dac_override,
capability dac_read_search,
+ capability ipc_lock,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
# Needed by qemu
- /{,usr/}bin/qemu* mrix,
- /dev/hugepages/** w,
- /dev/kvm w,
- /dev/net/tun w,
- /dev/ptmx w,
- /dev/vfio/** w,
- /dev/vhost-net w,
- /dev/vhost-vsock w,
+ /dev/hugepages/** rw,
+ /dev/kvm rw,
+ /dev/net/tun rw,
+ /dev/ptmx rw,
+ /dev/vfio/** rw,
+ /dev/vhost-net rw,
+ /dev/vhost-vsock rw,
/etc/ceph/** r,
+ /sys/bus/nd/devices/ r,
+ /sys/devices/system/node/ r,
+ /sys/devices/system/node/** r,
+ /sys/module/vhost/** r,
+ /{,usr/}bin/qemu* mrix,
/usr/share/OVMF/OVMF_CODE.fd kr,
+ /usr/share/qemu/** kr,
+ /usr/share/seabios/** kr,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
# Instance specific paths
{{ .logPath }}/** rwk,
- {{ .path }}/qemu.nvram rwk,
+ {{ .path }}/** rwk,
{{range $index, $element := .devPaths}}
{{$element}} rwk,
{{- end }}
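Review bot: `{{ .path }}/qemu.nvram rwk` becoming `{{ .path }}/** rwk` turns a single-file rule into read/write/lock access on the entire instance directory, so a compromised qemu process could now modify anything LXD keeps under the instance path rather than just the NVRAM file; if more files are needed, list them (or use a narrower glob) instead of the whole tree, or state in the commit message why the full directory is required. The same applies to `capability ipc_lock` and the `w` to `rw` changes on /dev/kvm, /dev/vfio/** and the vhost devices: none of these are snap-specific, yet the commit message only says "Tweak qemu profile for non-snap", so a sentence per new grant (e.g. ipc_lock for locking hugepage memory, read access on the device nodes) would help future reviewers. Minor: `/{,usr/}bin/qemu* mrix` is only moved below the new /sys entries, which is fine for sort order but makes the diff noisier than necessary.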
@@ -52,7 +59,7 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
/var/snap/lxd/common/lxd.debug mr,
/snap/lxd/*/bin/lxd mr,
/snap/lxd/*/bin/qemu* mrix,
- /snap/lxd/*/share/qemu/OVMF_CODE.fd kr,
+ /snap/lxd/*/share/qemu/** kr,
# Snap-specific libraries
/snap/lxd/*/lib/**.so* mr,
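Review bot: the subject line says the change is "for non-snap", but this hunk edits the snap-specific section, widening `/snap/lxd/*/share/qemu/OVMF_CODE.fd kr` to `/snap/lxd/*/share/qemu/** kr`; update the commit message to mention both. The rule itself mirrors the new `/usr/share/qemu/** kr` entry in the common section and stays read-only, so no objection there. The common section also gained `/usr/share/seabios/** kr`; if the snap ships SeaBIOS outside share/qemu, a matching snap rule is still missing here.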