Allow libvirt to kill unconfined domains

89b8ab47 · intrigeri · Guido Günther · 22703439 · 89b8ab47 · 89b8ab47
Commit 89b8ab47 authored 7 years ago by intrigeri Committed by Guido Günther 7 years ago
--- a/debian/patches/Allow-libvirt-to-kill-unconfined-domaiens.patch
+++ b/debian/patches/Allow-libvirt-to-kill-unconfined-domaiens.patch
+From: intrigeri <intrigeri+libvirt@boum.org>
+Date: Mon, 15 Jan 2018 09:29:47 +0100
+Subject: Allow libvirt to kill unconfined domaiens
+
+On startup libvirtd runs a number of QEMU processes unconfined such as:
+
+  /usr/bin/qemu-system-x86_64 -S -no-user-config -nodefaults -nographic -machine none,accel=kvm:tcg -qmp unix:/var/lib/libvirt/qemu/capabilities.monitor.sock,server,nowait -pidfile /var/lib/libvirt/qemu/capabilities.pidfile -daemonize
+
+libvirtd needs to be allowed to kill these processes, otherwise they
+remain running.
+---
+ examples/apparmor/usr.sbin.libvirtd | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
+index bd7796c..4d220c2 100644
+--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
+@@ -63,6 +63,7 @@
+ 
+   signal (send) peer=/usr/sbin/dnsmasq,
+   signal (read, send) peer=libvirt-*,
+  signal (send) set=("kill") peer=unconfined,
+ 
+   # Very lenient profile for libvirtd since we want to first focus on confining
+   # the guests. Guests will have a very restricted profile.
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@ debian/apparmor_profiles_local_include.patch
 Set-defaults-for-zfs-tools.patch
 Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
 apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
+Allow-libvirt-to-kill-unconfined-domaiens.patch