interfaces/builtin/libvirt: add /run/libvirt/libvirt-sock-ro #13602
Codecov Report: All modified and coverable lines are covered by tests ✅

| | master | #13602 | +/- |
|---|---|---|---|
| Coverage | 78.86% | 78.87% | |
| Files | 1033 | 1033 | |
| Lines | 132065 | 132065 | |
| Hits | 104159 | 104161 | +2 |
| Misses | 21404 | 21403 | -1 |
| Partials | 6502 | 6501 | -1 |
LGTM
@@ -30,6 +30,7 @@ const libvirtBaseDeclarationSlots = ` | |||
` | |||
|
|||
const libvirtConnectedPlugAppArmor = ` | |||
/run/libvirt/libvirt-sock-ro rw, |
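Review bot: the added rule grants `rw` on a socket that the libvirt documentation describes as read-only, which reads oddly without context; a one-line comment next to `/run/libvirt/libvirt-sock-ro rw,` would help, noting that AppArmor mediates connect() to a path-based unix socket as a write to that path, so `w` is needed just to connect, while the read-only limitation is enforced by libvirtd on that socket rather than by the file permission.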
from the manual:
/var/run/libvirt/libvirt-sock-ro - the secondary socket for accessing libvirt APIs, with limited read-only privileges. A connection to this socket gives the ability to query the existence of objects and monitor some aspects of their operation. This is the socket that most management applications connect to when requesting read only mode. Typically this is what a monitoring app would use.
LGTM - the existing libvirt-sock is already more privileged than the proposed libvirt-sock-ro, so this does not increase the security attack surface etc.
Thanks, will just let tests run
virt-viewer requires read/write access to /run/libvirt/libvirt-sock-ro to work properly. This PR adds the required rule to the libvirt interface.