[Bug 646706] [NEW] NWFilter support broken due to AppArmor restrictions

Soren Hansen soren at ubuntu.com
Fri Sep 24 11:09:41 BST 2010


Public bug reported:

Somewhere in the code path to instantiate nwfilters, libvirt fetches the
relevant network interface's index. This is done through an ioctl on a
socket fd. This socket fd is created with socket(PF_SOCKET, SOCK_DGRAM,
0). AppArmor blocks this socket() call. According to netdevice(7):

   Linux  supports some standard ioctls to configure network devices.
   They can be used on any socket's file descriptor regardless of the family or type.

Changing PF_SOCKET to PF_INET works as expected. However, given how
close we are to release, I'm not super comfortable making this change,
so I'm proposing we add "network socket dgram" to
/etc/apparmor.d/usr.sbin.libvirtd instead and revisit this for natty.

Comments?

** Affects: libvirt (Ubuntu)
     Importance: Undecided
         Status: New

-- 
NWFilter support broken due to AppArmor restrictions
https://bugs.launchpad.net/bugs/646706


