Accepting request 568385 from home:jfehlig:branches:Virtualization

Inadvertently removed suse-apparmor-signal.patch. Add it back.

OBS-URL: https://build.opensuse.org/request/show/568385
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=663

libvirt.changes

@@ -13,7 +13,6 @@ Fri Jan 19 16:31:53 UTC 2018 - jfehlig@suse.com
     faec1958-lxc-set-hostname-based-on-container-name.patch,
     2089ab21-netserver-close-clients-before-stopping-all-drivers.patch,
     fix-virt-aa-helper-profile.patch,
-    suse-apparmor-signal.patch
   - Patches added to fix upstream bugs:
     72adaf2f-revert-qemu-monitor-error-report.patch,
     71d56a39-nodedev-fix-parse-PCI-address.patch

libvirt.spec

@@ -340,14 +340,15 @@ Patch205:       suse-libvirtd-service-xen.patch
 Patch206:       suse-qemu-conf.patch
 Patch207:       suse-ovmf-paths.patch
 Patch208:       suse-apparmor-libnl-paths.patch
-Patch209:       support-managed-pci-xen-driver.patch
-Patch210:       xen-sxpr-disk-type.patch
-Patch211:       libxl-support-block-script.patch
-Patch212:       apparmor-no-mount.patch
-Patch213:       qemu-apparmor-screenshot.patch
-Patch214:       libvirt-suse-netcontrol.patch
-Patch215:       lxc-wait-after-eth-del.patch
-Patch216:       libxl-qemu-emulator-caps.patch
+Patch209:       suse-apparmor-signal.patch
+Patch210:       support-managed-pci-xen-driver.patch
+Patch211:       xen-sxpr-disk-type.patch
+Patch212:       libxl-support-block-script.patch
+Patch213:       apparmor-no-mount.patch
+Patch214:       qemu-apparmor-screenshot.patch
+Patch215:       libvirt-suse-netcontrol.patch
+Patch216:       lxc-wait-after-eth-del.patch
+Patch217:       libxl-qemu-emulator-caps.patch
 # SLES-Only patches
 %if ! 0%{?is_opensuse}
 Patch400:       virt-create-rootfs.patch
@@ -930,6 +931,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %patch214 -p1
 %patch215 -p1
 %patch216 -p1
+%patch217 -p1
 %if ! 0%{?is_opensuse}
 %patch400 -p1
 %endif

suse-apparmor-signal.patch

@@ -0,0 +1,25 @@
+apparmor: allow libvirtd to send signals to unconfined processes
+
+When confinement of QEMU/KVM domains is not enforced (security_default_confined = 0),
+qemu processes run unconfined. Add a rule to the libvirtd apparmor profile allowing
+sending signals to unconfined processes. Without the rule, libvirtd
+is unable to signal QEMU/KVM domains. E.g. 'virsh destroy dom' results in the
+following denial in audit.log
+
+type=AVC msg=audit(1510951646.581:939): apparmor="DENIED" operation="signal"
+profile="/usr/sbin/libvirtd" pid=18891 comm="libvirtd" requested_mask="send"
+denied_mask="send" signal=term peer="unconfined"
+
+Index: libvirt-4.0.0/examples/apparmor/usr.sbin.libvirtd
+===================================================================
+--- libvirt-4.0.0.orig/examples/apparmor/usr.sbin.libvirtd
++++ libvirt-4.0.0/examples/apparmor/usr.sbin.libvirtd
+@@ -63,7 +63,7 @@
+ 
+   signal (send) peer=/usr/sbin/dnsmasq,
+   signal (read, send) peer=libvirt-*,
+-  signal (send) set=("kill") peer=unconfined,
++  signal (send) set=("kill", "term", "hup") peer=unconfined,
+ 
+   # Very lenient profile for libvirtd since we want to first focus on confining
+   # the guests. Guests will have a very restricted profile.

virt-create-rootfs.patch

@@ -1,7 +1,7 @@
-Index: libvirt-3.10.0/tools/Makefile.am
+Index: libvirt-4.0.0/tools/Makefile.am
 ===================================================================
---- libvirt-3.10.0.orig/tools/Makefile.am
-+++ libvirt-3.10.0/tools/Makefile.am
+--- libvirt-4.0.0.orig/tools/Makefile.am
++++ libvirt-4.0.0/tools/Makefile.am
 @@ -52,6 +52,7 @@ PODFILES = \
  	virt-sanlock-cleanup.pod \
  	virt-xml-validate.pod \
@@ -10,7 +10,7 @@ Index: libvirt-3.10.0/tools/Makefile.am
  	$(NULL)
  
  MANINFILES = \
-@@ -85,7 +86,7 @@ MAINTAINERCLEANFILES =
+@@ -86,7 +87,7 @@ MAINTAINERCLEANFILES =
  confdir = $(sysconfdir)/libvirt
  conf_DATA =
  
@@ -19,7 +19,7 @@ Index: libvirt-3.10.0/tools/Makefile.am
  bin_PROGRAMS = virsh virt-admin
  libexec_SCRIPTS = libvirt-guests.sh
  man1_MANS = \
-@@ -111,6 +112,8 @@ bin_PROGRAMS += virt-host-validate
+@@ -112,6 +113,8 @@ bin_PROGRAMS += virt-host-validate
  man1_MANS += virt-host-validate.1
  endif WITH_HOST_VALIDATE
  
@@ -28,10 +28,10 @@ Index: libvirt-3.10.0/tools/Makefile.am
  virt-xml-validate: virt-xml-validate.in Makefile
  	$(AM_V_GEN)sed -e 's|[@]schemadir@|$(pkgdatadir)/schemas|g' \
  		       -e 's|[@]VERSION@|$(VERSION)|g' \
-Index: libvirt-3.10.0/tools/virt-create-rootfs
+Index: libvirt-4.0.0/tools/virt-create-rootfs
 ===================================================================
 --- /dev/null
-+++ libvirt-3.10.0/tools/virt-create-rootfs
++++ libvirt-4.0.0/tools/virt-create-rootfs
 @@ -0,0 +1,214 @@
 +#!/bin/sh
 +set -e
@@ -247,10 +247,10 @@ Index: libvirt-3.10.0/tools/virt-create-rootfs
 +    echo "pts/0" >> "$ROOT/etc/securetty"
 +    chroot "$ROOT" /usr/bin/passwd
 +fi
-Index: libvirt-3.10.0/tools/virt-create-rootfs.pod
+Index: libvirt-4.0.0/tools/virt-create-rootfs.pod
 ===================================================================
 --- /dev/null
-+++ libvirt-3.10.0/tools/virt-create-rootfs.pod
++++ libvirt-4.0.0/tools/virt-create-rootfs.pod
 @@ -0,0 +1,77 @@
 +=head1 NAME
 +