Accepting request 417046 from home:cbosdonnat:branches:Virtualization

- bsc#988279. Move the qemu-bridge-helper apparmor profile from the qemu abstraction to the usr.sbin.libvirtd profile. apparmor-qemu-bridge-helper.patch OBS-URL: https://build.opensuse.org/request/show/417046 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=559
2016-08-05 08:23:21 +00:00 · 2016-08-05 08:23:21 +00:00 · 0dfe303227
commit 0dfe303227
parent 24647409c0
4 changed files with 82 additions and 7 deletions
--- a/apparmor-qemu-bridge-helper.patch
+++ b/apparmor-qemu-bridge-helper.patch
@ -0,0 +1,69 @@
+From 430cd5a72cf1f5c3e56cf1b4b40385812477aef3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
+Date: Fri, 5 Aug 2016 09:32:54 +0200
+Subject: [PATCH] apparmor: move qemu-bridge-helper to libvirtd profile
+
+qemu-bridge-helper is only called from libvirtd, it has to be moved
+from the qemu domain abstraction to the usr.sbin.libvirtd profile.
+---
+ examples/apparmor/libvirt-qemu      | 19 -------------------
+ examples/apparmor/usr.sbin.libvirtd | 18 ++++++++++++++++++
+ 2 files changed, 18 insertions(+), 19 deletions(-)
+
+diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
+index efb4873..11381d4 100644
+--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
+@@ -148,22 +148,3 @@
+   /etc/udev/udev.conf r,
+   /sys/bus/ r,
+   /sys/class/ r,
+-
+-  /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+-  # child profile for bridge helper process
+-  profile qemu_bridge_helper {
+-   #include <abstractions/base>
+-
+-   capability setuid,
+-   capability setgid,
+-   capability setpcap,
+-   capability net_admin,
+-
+-   network inet stream,
+-
+-   /dev/net/tun rw,
+-   /etc/qemu/** r,
+-   owner @{PROC}/*/status r,
+-
+-   /usr/{lib,libexec}/qemu-bridge-helper rmix,
+-  }
+diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
+index 23f70f5..48651b2 100644
+--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
+@@ -67,4 +67,22 @@
+   # allow changing to our UUID-based named profiles
+   change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+ 
+  /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+  # child profile for bridge helper process
+  profile qemu_bridge_helper {
+   #include <abstractions/base>
+
+   capability setuid,
+   capability setgid,
+   capability setpcap,
+   capability net_admin,
+
+   network inet stream,
+
+   /dev/net/tun rw,
+   /etc/qemu/** r,
+   owner @{PROC}/*/status r,
+
+   /usr/{lib,libexec}/qemu-bridge-helper rmix,
+  }
+ }
+-- 
+2.6.6
+
--- a/libvirt.changes
+++ b/libvirt.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Aug  5 08:05:39 UTC 2016 - cbosdonnat@suse.com
+
+- bsc#988279. Move the qemu-bridge-helper apparmor profile from the
+  qemu abstraction to the usr.sbin.libvirtd profile.
+  apparmor-qemu-bridge-helper.patch
+
 -------------------------------------------------------------------
 Wed Aug  3 19:31:11 UTC 2016 - jfehlig@suse.com

--- a/libvirt.spec
+++ b/libvirt.spec
@ -1,7 +1,7 @@
 #
 # spec file for package libvirt
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -325,6 +325,7 @@ Patch153:       ppc64le-canonical-name.patch
 Patch154:       libxl-set-migration-constraints.patch
 Patch155:       libxl-set-cach-mode.patch
 Patch156:       apparmor-fixes.patch
+Patch157:       apparmor-qemu-bridge-helper.patch
 # Our patches
 Patch200:       libvirtd-defaults.patch
 Patch201:       libvirtd-init-script.patch
@ -776,6 +777,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %patch154 -p1
 %patch155 -p1
 %patch156 -p1
+%patch157 -p1
 %patch200 -p1
 %patch201 -p1
 %patch202 -p1
--- a/qemu-apparmor-screenshot.patch
+++ b/qemu-apparmor-screenshot.patch
@ -2,13 +2,10 @@ Index: libvirt-2.0.0/examples/apparmor/libvirt-qemu
 ===================================================================
 --- libvirt-2.0.0.orig/examples/apparmor/libvirt-qemu
 +++ libvirt-2.0.0/examples/apparmor/libvirt-qemu
-@@ -152,6 +152,9 @@
+@@ -151,3 +151,6 @@
+   /etc/udev/udev.conf r,
   /sys/bus/ r,
   /sys/class/ r,
- 
+
 +  # Temporary screendump rule -- See bsc#904426
 +  /var/cache/libvirt/qemu/qemu.screendump.* rw,
-+
-   /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
-   # child profile for bridge helper process
-   profile qemu_bridge_helper {