File 4f2811eb-apparmor-new-libvirtd-caps.patch of Package libvirt.22881

commit 4f2811eb816ed1da215b86778dfcf483917666a1
Author: Jim Fehlig <jfehlig@suse.com>
Date:   Mon Jun 7 16:21:28 2021 -0600

    apparmor: Permit new capabilities required by libvirtd
    
    The audit log contains the following denials from libvirtd
    
    apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="daemon-init" capability=17  capname="sys_rawio"
    apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=39  capname="bpf"
    apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=38  capname="perfmon"
    
    Squelch the denials and allow the capabilities in the libvirtd
    apparmor profile.
    
    Signed-off-by: Jim Fehlig <jfehlig@suse.com>
    Reviewed-by: Neal Gompa <ngompa13@gmail.com>
    Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Index: libvirt-7.1.0/src/security/apparmor/usr.sbin.libvirtd.in
===================================================================
--- libvirt-7.1.0.orig/src/security/apparmor/usr.sbin.libvirtd.in
+++ libvirt-7.1.0/src/security/apparmor/usr.sbin.libvirtd.in
@@ -25,6 +25,9 @@ profile libvirtd @sbindir@/libvirtd flag
   capability fsetid,
   capability audit_write,
   capability ipc_lock,
+  capability sys_rawio,
+  capability bpf,
+  capability perfmon,
 
   # Needed for vfio
   capability sys_resource,
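Review bot: the three added lines ("capability sys_rawio,", "capability bpf,", "capability perfmon,") have no comment saying what needs them, unlike the "# Needed for vfio" line that follows. The commit message only records that the denials appeared (sys_rawio from daemon-init, bpf and perfmon from rpc-worker), not which libvirtd operation triggers each. sys_rawio in particular is a broad grant covering raw I/O port and device access, so a short comment per capability naming the code path that requires it would help later audits of the profile. It is also worth confirming that each denial corresponds to an operation that actually fails without the capability; where libvirtd only probes and tolerates the refusal, a "deny capability ...," rule would squelch the audit noise without widening the profile.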