Accepting request 279992 from Virtualization
1 OBS-URL: https://build.opensuse.org/request/show/279992 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=169
This commit is contained in:
commit
45458ca8db
73
30c6aecc-apparmor-lib64.patch
Normal file
73
30c6aecc-apparmor-lib64.patch
Normal file
@ -0,0 +1,73 @@
|
||||
From 30c6aecc449202e930249215c6514d6c13a46c83 Mon Sep 17 00:00:00 2001
|
||||
From: Cedric Bosdonnat <cbosdonnat@suse.com>
|
||||
Date: Mon, 15 Dec 2014 15:14:48 +0100
|
||||
Subject: [PATCH] Teach AppArmor, that /usr/lib64 may exist.
|
||||
|
||||
The apparmor profiles forgot about /usr/lib64 folders, just add lib64
|
||||
as a possible alternative to lib in the paths
|
||||
---
|
||||
examples/apparmor/libvirt-qemu | 2 +-
|
||||
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++--
|
||||
examples/apparmor/usr.sbin.libvirtd | 4 ++--
|
||||
3 files changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
|
||||
index c6de6dd..7aad391 100644
|
||||
--- a/examples/apparmor/libvirt-qemu
|
||||
+++ b/examples/apparmor/libvirt-qemu
|
||||
@@ -111,7 +111,7 @@
|
||||
/usr/bin/qemu-sparc32plus rmix,
|
||||
/usr/bin/qemu-sparc64 rmix,
|
||||
/usr/bin/qemu-x86_64 rmix,
|
||||
- /usr/lib/qemu/block-curl.so mr,
|
||||
+ /usr/{lib,lib64}/qemu/block-curl.so mr,
|
||||
|
||||
# for save and resume
|
||||
/bin/dash rmix,
|
||||
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
|
||||
index bceaaff..b34fb35 100644
|
||||
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
|
||||
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
|
||||
@@ -1,7 +1,7 @@
|
||||
# Last Modified: Mon Apr 5 15:10:27 2010
|
||||
#include <tunables/global>
|
||||
|
||||
-/usr/lib/libvirt/virt-aa-helper {
|
||||
+profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
|
||||
#include <abstractions/base>
|
||||
|
||||
# needed for searching directories
|
||||
@@ -20,7 +20,7 @@
|
||||
/sys/devices/ r,
|
||||
/sys/devices/** r,
|
||||
|
||||
- /usr/lib/libvirt/virt-aa-helper mr,
|
||||
+ /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
|
||||
/sbin/apparmor_parser Ux,
|
||||
|
||||
/etc/apparmor.d/libvirt/* r,
|
||||
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
|
||||
index 3011eff..7151052 100644
|
||||
--- a/examples/apparmor/usr.sbin.libvirtd
|
||||
+++ b/examples/apparmor/usr.sbin.libvirtd
|
||||
@@ -44,7 +44,7 @@
|
||||
/usr/bin/* PUx,
|
||||
/usr/sbin/* PUx,
|
||||
/lib/udev/scsi_id PUx,
|
||||
- /usr/lib/xen-common/bin/xen-toolstack PUx,
|
||||
+ /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
|
||||
|
||||
# force the use of virt-aa-helper
|
||||
audit deny /sbin/apparmor_parser rwxl,
|
||||
@@ -53,7 +53,7 @@
|
||||
audit deny /sys/kernel/security/apparmor/matching rwxl,
|
||||
audit deny /sys/kernel/security/apparmor/.* rwxl,
|
||||
/sys/kernel/security/apparmor/profiles r,
|
||||
- /usr/lib/libvirt/* PUxr,
|
||||
+ /usr/{lib,lib64}/libvirt/* PUxr,
|
||||
/etc/libvirt/hooks/** rmix,
|
||||
/etc/xen/scripts/** rmix,
|
||||
|
||||
--
|
||||
2.1.2
|
||||
|
@ -1,583 +0,0 @@
|
||||
Index: libvirt-1.2.10/examples/apparmor/Makefile.am
|
||||
===================================================================
|
||||
--- libvirt-1.2.10.orig/examples/apparmor/Makefile.am
|
||||
+++ libvirt-1.2.10/examples/apparmor/Makefile.am
|
||||
@@ -17,12 +17,30 @@
|
||||
EXTRA_DIST= \
|
||||
TEMPLATE.qemu \
|
||||
TEMPLATE.lxc \
|
||||
- libvirt-qemu \
|
||||
+ libvirt-qemu.in \
|
||||
libvirt-lxc \
|
||||
- usr.lib.libvirt.virt-aa-helper \
|
||||
- usr.sbin.libvirtd
|
||||
+ usr.lib.libvirt.virt-aa-helper.in \
|
||||
+ usr.sbin.libvirtd.in
|
||||
|
||||
if WITH_APPARMOR_PROFILES
|
||||
+usr.lib.libvirt.virt-aa-helper: usr.lib.libvirt.virt-aa-helper.in
|
||||
+ sed \
|
||||
+ -e 's![@]libdir[@]!$(libdir)!g' \
|
||||
+ < $< > $@-t
|
||||
+ mv $@-t $@
|
||||
+
|
||||
+usr.sbin.libvirtd: usr.sbin.libvirtd.in
|
||||
+ sed \
|
||||
+ -e 's![@]libdir[@]!$(libdir)!g' \
|
||||
+ < $< > $@-t
|
||||
+ mv $@-t $@
|
||||
+
|
||||
+libvirt-qemu: libvirt-qemu.in
|
||||
+ sed \
|
||||
+ -e 's![@]libdir[@]!$(libdir)!g' \
|
||||
+ < $< > $@-t
|
||||
+ mv $@-t $@
|
||||
+
|
||||
apparmordir = $(sysconfdir)/apparmor.d/
|
||||
apparmor_DATA = \
|
||||
usr.lib.libvirt.virt-aa-helper \
|
||||
Index: libvirt-1.2.10/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ libvirt-1.2.10/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
|
||||
@@ -0,0 +1,48 @@
|
||||
+# Last Modified: Mon Apr 5 15:10:27 2010
|
||||
+#include <tunables/global>
|
||||
+
|
||||
+@libdir@/libvirt/virt-aa-helper {
|
||||
+ #include <abstractions/base>
|
||||
+
|
||||
+ # needed for searching directories
|
||||
+ capability dac_override,
|
||||
+ capability dac_read_search,
|
||||
+
|
||||
+ # needed for when disk is on a network filesystem
|
||||
+ network inet,
|
||||
+
|
||||
+ deny @{PROC}/[0-9]*/mounts r,
|
||||
+ @{PROC}/[0-9]*/net/psched r,
|
||||
+ owner @{PROC}/[0-9]*/status r,
|
||||
+ @{PROC}/filesystems r,
|
||||
+
|
||||
+ # for hostdev
|
||||
+ /sys/devices/ r,
|
||||
+ /sys/devices/** r,
|
||||
+
|
||||
+ @libdir@/libvirt/virt-aa-helper mr,
|
||||
+ /sbin/apparmor_parser Ux,
|
||||
+
|
||||
+ /etc/apparmor.d/libvirt/* r,
|
||||
+ /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
|
||||
+
|
||||
+ # for backingstore -- allow access to non-hidden files in @{HOME} as well
|
||||
+ # as storage pools
|
||||
+ audit deny @{HOME}/.* mrwkl,
|
||||
+ audit deny @{HOME}/.*/ rw,
|
||||
+ audit deny @{HOME}/.*/** mrwkl,
|
||||
+ audit deny @{HOME}/bin/ rw,
|
||||
+ audit deny @{HOME}/bin/** mrwkl,
|
||||
+ @{HOME}/ r,
|
||||
+ @{HOME}/** r,
|
||||
+ /var/lib/libvirt/images/ r,
|
||||
+ /var/lib/libvirt/images/** r,
|
||||
+ /{media,mnt,opt,srv}/** r,
|
||||
+
|
||||
+ /**.img r,
|
||||
+ /**.qcow{,2} r,
|
||||
+ /**.qed r,
|
||||
+ /**.vmdk r,
|
||||
+ /**.[iI][sS][oO] r,
|
||||
+ /**/disk{,.*} r,
|
||||
+}
|
||||
Index: libvirt-1.2.10/examples/apparmor/usr.sbin.libvirtd.in
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ libvirt-1.2.10/examples/apparmor/usr.sbin.libvirtd.in
|
||||
@@ -0,0 +1,68 @@
|
||||
+# Last Modified: Mon Apr 5 15:03:58 2010
|
||||
+#include <tunables/global>
|
||||
+@{LIBVIRT}="libvirt"
|
||||
+
|
||||
+/usr/sbin/libvirtd {
|
||||
+ #include <abstractions/base>
|
||||
+ #include <abstractions/dbus>
|
||||
+
|
||||
+ capability kill,
|
||||
+ capability net_admin,
|
||||
+ capability net_raw,
|
||||
+ capability setgid,
|
||||
+ capability sys_admin,
|
||||
+ capability sys_module,
|
||||
+ capability sys_ptrace,
|
||||
+ capability sys_nice,
|
||||
+ capability sys_chroot,
|
||||
+ capability setuid,
|
||||
+ capability dac_override,
|
||||
+ capability dac_read_search,
|
||||
+ capability fowner,
|
||||
+ capability chown,
|
||||
+ capability setpcap,
|
||||
+ capability mknod,
|
||||
+ capability fsetid,
|
||||
+ capability audit_write,
|
||||
+
|
||||
+ # Needed for vfio
|
||||
+ capability sys_resource,
|
||||
+
|
||||
+ network inet stream,
|
||||
+ network inet dgram,
|
||||
+ network inet6 stream,
|
||||
+ network inet6 dgram,
|
||||
+ network packet dgram,
|
||||
+ network packet raw,
|
||||
+
|
||||
+ # Very lenient profile for libvirtd since we want to first focus on confining
|
||||
+ # the guests. Guests will have a very restricted profile.
|
||||
+ / r,
|
||||
+ /** rwmkl,
|
||||
+
|
||||
+ /bin/* PUx,
|
||||
+ /sbin/* PUx,
|
||||
+ /usr/bin/* PUx,
|
||||
+ /usr/sbin/* PUx,
|
||||
+ /lib/udev/scsi_id PUx,
|
||||
+ /usr/lib/xen/bin/* Ux,
|
||||
+ /usr/lib64/xen/bin/* Ux,
|
||||
+ /usr/lib/polkit-1/polkit-agent-helper Px,
|
||||
+
|
||||
+ # force the use of virt-aa-helper
|
||||
+ audit deny /sbin/apparmor_parser rwxl,
|
||||
+ audit deny /etc/apparmor.d/libvirt/** wxl,
|
||||
+ audit deny /sys/kernel/security/apparmor/features rwxl,
|
||||
+ audit deny /sys/kernel/security/apparmor/matching rwxl,
|
||||
+ audit deny /sys/kernel/security/apparmor/.* rwxl,
|
||||
+ /sys/kernel/security/apparmor/profiles r,
|
||||
+ @libdir@/libvirt/* PUxr,
|
||||
+ /etc/libvirt/hooks/** rmix,
|
||||
+ /etc/xen/scripts/** rmix,
|
||||
+ @libdir@/libvirt/libvirt_parthelper Ux,
|
||||
+ @libdir@/libvirt/libvirt_iohelper Ux,
|
||||
+
|
||||
+ # allow changing to our UUID-based named profiles
|
||||
+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
|
||||
+
|
||||
+}
|
||||
Index: libvirt-1.2.10/examples/apparmor/usr.lib.libvirt.virt-aa-helper
|
||||
===================================================================
|
||||
--- libvirt-1.2.10.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
|
||||
+++ /dev/null
|
||||
@@ -1,48 +0,0 @@
|
||||
-# Last Modified: Mon Apr 5 15:10:27 2010
|
||||
-#include <tunables/global>
|
||||
-
|
||||
-/usr/lib/libvirt/virt-aa-helper {
|
||||
- #include <abstractions/base>
|
||||
-
|
||||
- # needed for searching directories
|
||||
- capability dac_override,
|
||||
- capability dac_read_search,
|
||||
-
|
||||
- # needed for when disk is on a network filesystem
|
||||
- network inet,
|
||||
-
|
||||
- deny @{PROC}/[0-9]*/mounts r,
|
||||
- @{PROC}/[0-9]*/net/psched r,
|
||||
- owner @{PROC}/[0-9]*/status r,
|
||||
- @{PROC}/filesystems r,
|
||||
-
|
||||
- # for hostdev
|
||||
- /sys/devices/ r,
|
||||
- /sys/devices/** r,
|
||||
-
|
||||
- /usr/lib/libvirt/virt-aa-helper mr,
|
||||
- /sbin/apparmor_parser Ux,
|
||||
-
|
||||
- /etc/apparmor.d/libvirt/* r,
|
||||
- /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
|
||||
-
|
||||
- # for backingstore -- allow access to non-hidden files in @{HOME} as well
|
||||
- # as storage pools
|
||||
- audit deny @{HOME}/.* mrwkl,
|
||||
- audit deny @{HOME}/.*/ rw,
|
||||
- audit deny @{HOME}/.*/** mrwkl,
|
||||
- audit deny @{HOME}/bin/ rw,
|
||||
- audit deny @{HOME}/bin/** mrwkl,
|
||||
- @{HOME}/ r,
|
||||
- @{HOME}/** r,
|
||||
- /var/lib/libvirt/images/ r,
|
||||
- /var/lib/libvirt/images/** r,
|
||||
- /{media,mnt,opt,srv}/** r,
|
||||
-
|
||||
- /**.img r,
|
||||
- /**.qcow{,2} r,
|
||||
- /**.qed r,
|
||||
- /**.vmdk r,
|
||||
- /**.[iI][sS][oO] r,
|
||||
- /**/disk{,.*} r,
|
||||
-}
|
||||
Index: libvirt-1.2.10/examples/apparmor/usr.sbin.libvirtd
|
||||
===================================================================
|
||||
--- libvirt-1.2.10.orig/examples/apparmor/usr.sbin.libvirtd
|
||||
+++ /dev/null
|
||||
@@ -1,63 +0,0 @@
|
||||
-# Last Modified: Mon Apr 5 15:03:58 2010
|
||||
-#include <tunables/global>
|
||||
-@{LIBVIRT}="libvirt"
|
||||
-
|
||||
-/usr/sbin/libvirtd {
|
||||
- #include <abstractions/base>
|
||||
- #include <abstractions/dbus>
|
||||
-
|
||||
- capability kill,
|
||||
- capability net_admin,
|
||||
- capability net_raw,
|
||||
- capability setgid,
|
||||
- capability sys_admin,
|
||||
- capability sys_module,
|
||||
- capability sys_ptrace,
|
||||
- capability sys_nice,
|
||||
- capability sys_chroot,
|
||||
- capability setuid,
|
||||
- capability dac_override,
|
||||
- capability dac_read_search,
|
||||
- capability fowner,
|
||||
- capability chown,
|
||||
- capability setpcap,
|
||||
- capability mknod,
|
||||
- capability fsetid,
|
||||
- capability audit_write,
|
||||
-
|
||||
- # Needed for vfio
|
||||
- capability sys_resource,
|
||||
-
|
||||
- network inet stream,
|
||||
- network inet dgram,
|
||||
- network inet6 stream,
|
||||
- network inet6 dgram,
|
||||
- network packet dgram,
|
||||
-
|
||||
- # Very lenient profile for libvirtd since we want to first focus on confining
|
||||
- # the guests. Guests will have a very restricted profile.
|
||||
- / r,
|
||||
- /** rwmkl,
|
||||
-
|
||||
- /bin/* PUx,
|
||||
- /sbin/* PUx,
|
||||
- /usr/bin/* PUx,
|
||||
- /usr/sbin/* PUx,
|
||||
- /lib/udev/scsi_id PUx,
|
||||
- /usr/lib/xen-common/bin/xen-toolstack PUx,
|
||||
-
|
||||
- # force the use of virt-aa-helper
|
||||
- audit deny /sbin/apparmor_parser rwxl,
|
||||
- audit deny /etc/apparmor.d/libvirt/** wxl,
|
||||
- audit deny /sys/kernel/security/apparmor/features rwxl,
|
||||
- audit deny /sys/kernel/security/apparmor/matching rwxl,
|
||||
- audit deny /sys/kernel/security/apparmor/.* rwxl,
|
||||
- /sys/kernel/security/apparmor/profiles r,
|
||||
- /usr/lib/libvirt/* PUxr,
|
||||
- /etc/libvirt/hooks/** rmix,
|
||||
- /etc/xen/scripts/** rmix,
|
||||
-
|
||||
- # allow changing to our UUID-based named profiles
|
||||
- change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
|
||||
-
|
||||
-}
|
||||
Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu
|
||||
===================================================================
|
||||
--- libvirt-1.2.10.orig/examples/apparmor/libvirt-qemu
|
||||
+++ /dev/null
|
||||
@@ -1,144 +0,0 @@
|
||||
-# Last Modified: Wed Sep 3 21:52:03 2014
|
||||
-
|
||||
- #include <abstractions/base>
|
||||
- #include <abstractions/consoles>
|
||||
- #include <abstractions/nameservice>
|
||||
-
|
||||
- # required for reading disk images
|
||||
- capability dac_override,
|
||||
- capability dac_read_search,
|
||||
- capability chown,
|
||||
-
|
||||
- # needed to drop privileges
|
||||
- capability setgid,
|
||||
- capability setuid,
|
||||
-
|
||||
- network inet stream,
|
||||
- network inet6 stream,
|
||||
-
|
||||
- /dev/net/tun rw,
|
||||
- /dev/kvm rw,
|
||||
- /dev/ptmx rw,
|
||||
- /dev/kqemu rw,
|
||||
- @{PROC}/*/status r,
|
||||
- @{PROC}/sys/kernel/cap_last_cap r,
|
||||
-
|
||||
- # For hostdev access. The actual devices will be added dynamically
|
||||
- /sys/bus/usb/devices/ r,
|
||||
- /sys/devices/**/usb[0-9]*/** r,
|
||||
-
|
||||
- # WARNING: this gives the guest direct access to host hardware and specific
|
||||
- # portions of shared memory. This is required for sound using ALSA with kvm,
|
||||
- # but may constitute a security risk. If your environment does not require
|
||||
- # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
|
||||
- # the rules for files in /dev.
|
||||
- /{dev,run}/shm r,
|
||||
- /{dev,run}/shmpulse-shm* r,
|
||||
- /{dev,run}/shmpulse-shm* rwk,
|
||||
- /dev/snd/* rw,
|
||||
- capability ipc_lock,
|
||||
- # spice
|
||||
- owner /{dev,run}/shm/spice.* rw,
|
||||
- # 'kill' is not required for sound and is a security risk. Do not enable
|
||||
- # unless you absolutely need it.
|
||||
- deny capability kill,
|
||||
-
|
||||
- # Uncomment the following if you need access to /dev/fb*
|
||||
- #/dev/fb* rw,
|
||||
-
|
||||
- /etc/pulse/client.conf r,
|
||||
- @{HOME}/.pulse-cookie rwk,
|
||||
- owner /root/.pulse-cookie rwk,
|
||||
- owner /root/.pulse/ rw,
|
||||
- owner /root/.pulse/* rw,
|
||||
- /usr/share/alsa/** r,
|
||||
- owner /tmp/pulse-*/ rw,
|
||||
- owner /tmp/pulse-*/* rw,
|
||||
- /var/lib/dbus/machine-id r,
|
||||
-
|
||||
- # access to firmware's etc
|
||||
- /usr/share/kvm/** r,
|
||||
- /usr/share/qemu/** r,
|
||||
- /usr/share/bochs/** r,
|
||||
- /usr/share/openbios/** r,
|
||||
- /usr/share/openhackware/** r,
|
||||
- /usr/share/proll/** r,
|
||||
- /usr/share/vgabios/** r,
|
||||
- /usr/share/seabios/** r,
|
||||
- /usr/share/ovmf/** r,
|
||||
-
|
||||
- # access PKI infrastructure
|
||||
- /etc/pki/libvirt-vnc/** r,
|
||||
-
|
||||
- # the various binaries
|
||||
- /usr/bin/kvm rmix,
|
||||
- /usr/bin/qemu rmix,
|
||||
- /usr/bin/qemu-system-arm rmix,
|
||||
- /usr/bin/qemu-system-cris rmix,
|
||||
- /usr/bin/qemu-system-i386 rmix,
|
||||
- /usr/bin/qemu-system-m68k rmix,
|
||||
- /usr/bin/qemu-system-microblaze rmix,
|
||||
- /usr/bin/qemu-system-microblazeel rmix,
|
||||
- /usr/bin/qemu-system-mips rmix,
|
||||
- /usr/bin/qemu-system-mips64 rmix,
|
||||
- /usr/bin/qemu-system-mips64el rmix,
|
||||
- /usr/bin/qemu-system-mipsel rmix,
|
||||
- /usr/bin/qemu-system-ppc rmix,
|
||||
- /usr/bin/qemu-system-ppc64 rmix,
|
||||
- /usr/bin/qemu-system-ppcemb rmix,
|
||||
- /usr/bin/qemu-system-sh4 rmix,
|
||||
- /usr/bin/qemu-system-sh4eb rmix,
|
||||
- /usr/bin/qemu-system-sparc rmix,
|
||||
- /usr/bin/qemu-system-sparc64 rmix,
|
||||
- /usr/bin/qemu-system-x86_64 rmix,
|
||||
- /usr/bin/qemu-alpha rmix,
|
||||
- /usr/bin/qemu-arm rmix,
|
||||
- /usr/bin/qemu-armeb rmix,
|
||||
- /usr/bin/qemu-cris rmix,
|
||||
- /usr/bin/qemu-i386 rmix,
|
||||
- /usr/bin/qemu-m68k rmix,
|
||||
- /usr/bin/qemu-microblaze rmix,
|
||||
- /usr/bin/qemu-microblazeel rmix,
|
||||
- /usr/bin/qemu-mips rmix,
|
||||
- /usr/bin/qemu-mipsel rmix,
|
||||
- /usr/bin/qemu-ppc rmix,
|
||||
- /usr/bin/qemu-ppc64 rmix,
|
||||
- /usr/bin/qemu-ppc64abi32 rmix,
|
||||
- /usr/bin/qemu-sh4 rmix,
|
||||
- /usr/bin/qemu-sh4eb rmix,
|
||||
- /usr/bin/qemu-sparc rmix,
|
||||
- /usr/bin/qemu-sparc64 rmix,
|
||||
- /usr/bin/qemu-sparc32plus rmix,
|
||||
- /usr/bin/qemu-sparc64 rmix,
|
||||
- /usr/bin/qemu-x86_64 rmix,
|
||||
- /usr/lib/qemu/block-curl.so mr,
|
||||
-
|
||||
- # for save and resume
|
||||
- /bin/dash rmix,
|
||||
- /bin/dd rmix,
|
||||
- /bin/cat rmix,
|
||||
-
|
||||
- # for usb access
|
||||
- /dev/bus/usb/ r,
|
||||
- /etc/udev/udev.conf r,
|
||||
- /sys/bus/ r,
|
||||
- /sys/class/ r,
|
||||
-
|
||||
- /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
|
||||
- # child profile for bridge helper process
|
||||
- profile qemu_bridge_helper {
|
||||
- #include <abstractions/base>
|
||||
-
|
||||
- capability setuid,
|
||||
- capability setgid,
|
||||
- capability setpcap,
|
||||
- capability net_admin,
|
||||
-
|
||||
- network inet stream,
|
||||
-
|
||||
- /dev/net/tun rw,
|
||||
- /etc/qemu/** r,
|
||||
- owner @{PROC}/*/status r,
|
||||
-
|
||||
- /usr/{lib,libexec}/qemu-bridge-helper rmix,
|
||||
- }
|
||||
Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
|
||||
@@ -0,0 +1,144 @@
|
||||
+# Last Modified: Wed Sep 3 21:52:03 2014
|
||||
+
|
||||
+ #include <abstractions/base>
|
||||
+ #include <abstractions/consoles>
|
||||
+ #include <abstractions/nameservice>
|
||||
+
|
||||
+ # required for reading disk images
|
||||
+ capability dac_override,
|
||||
+ capability dac_read_search,
|
||||
+ capability chown,
|
||||
+
|
||||
+ # needed to drop privileges
|
||||
+ capability setgid,
|
||||
+ capability setuid,
|
||||
+
|
||||
+ network inet stream,
|
||||
+ network inet6 stream,
|
||||
+
|
||||
+ /dev/net/tun rw,
|
||||
+ /dev/kvm rw,
|
||||
+ /dev/ptmx rw,
|
||||
+ /dev/kqemu rw,
|
||||
+ @{PROC}/*/status r,
|
||||
+ @{PROC}/sys/kernel/cap_last_cap r,
|
||||
+
|
||||
+ # For hostdev access. The actual devices will be added dynamically
|
||||
+ /sys/bus/usb/devices/ r,
|
||||
+ /sys/devices/**/usb[0-9]*/** r,
|
||||
+
|
||||
+ # WARNING: this gives the guest direct access to host hardware and specific
|
||||
+ # portions of shared memory. This is required for sound using ALSA with kvm,
|
||||
+ # but may constitute a security risk. If your environment does not require
|
||||
+ # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
|
||||
+ # the rules for files in /dev.
|
||||
+ /{dev,run}/shm r,
|
||||
+ /{dev,run}/shmpulse-shm* r,
|
||||
+ /{dev,run}/shmpulse-shm* rwk,
|
||||
+ /dev/snd/* rw,
|
||||
+ capability ipc_lock,
|
||||
+ # spice
|
||||
+ owner /{dev,run}/shm/spice.* rw,
|
||||
+ # 'kill' is not required for sound and is a security risk. Do not enable
|
||||
+ # unless you absolutely need it.
|
||||
+ deny capability kill,
|
||||
+
|
||||
+ # Uncomment the following if you need access to /dev/fb*
|
||||
+ #/dev/fb* rw,
|
||||
+
|
||||
+ /etc/pulse/client.conf r,
|
||||
+ @{HOME}/.pulse-cookie rwk,
|
||||
+ owner /root/.pulse-cookie rwk,
|
||||
+ owner /root/.pulse/ rw,
|
||||
+ owner /root/.pulse/* rw,
|
||||
+ /usr/share/alsa/** r,
|
||||
+ owner /tmp/pulse-*/ rw,
|
||||
+ owner /tmp/pulse-*/* rw,
|
||||
+ /var/lib/dbus/machine-id r,
|
||||
+
|
||||
+ # access to firmware's etc
|
||||
+ /usr/share/kvm/** r,
|
||||
+ /usr/share/qemu/** r,
|
||||
+ /usr/share/bochs/** r,
|
||||
+ /usr/share/openbios/** r,
|
||||
+ /usr/share/openhackware/** r,
|
||||
+ /usr/share/proll/** r,
|
||||
+ /usr/share/vgabios/** r,
|
||||
+ /usr/share/seabios/** r,
|
||||
+ /usr/share/ovmf/** r,
|
||||
+
|
||||
+ # access PKI infrastructure
|
||||
+ /etc/pki/libvirt-vnc/** r,
|
||||
+
|
||||
+ # the various binaries
|
||||
+ /usr/bin/kvm rmix,
|
||||
+ /usr/bin/qemu rmix,
|
||||
+ /usr/bin/qemu-system-arm rmix,
|
||||
+ /usr/bin/qemu-system-cris rmix,
|
||||
+ /usr/bin/qemu-system-i386 rmix,
|
||||
+ /usr/bin/qemu-system-m68k rmix,
|
||||
+ /usr/bin/qemu-system-microblaze rmix,
|
||||
+ /usr/bin/qemu-system-microblazeel rmix,
|
||||
+ /usr/bin/qemu-system-mips rmix,
|
||||
+ /usr/bin/qemu-system-mips64 rmix,
|
||||
+ /usr/bin/qemu-system-mips64el rmix,
|
||||
+ /usr/bin/qemu-system-mipsel rmix,
|
||||
+ /usr/bin/qemu-system-ppc rmix,
|
||||
+ /usr/bin/qemu-system-ppc64 rmix,
|
||||
+ /usr/bin/qemu-system-ppcemb rmix,
|
||||
+ /usr/bin/qemu-system-sh4 rmix,
|
||||
+ /usr/bin/qemu-system-sh4eb rmix,
|
||||
+ /usr/bin/qemu-system-sparc rmix,
|
||||
+ /usr/bin/qemu-system-sparc64 rmix,
|
||||
+ /usr/bin/qemu-system-x86_64 rmix,
|
||||
+ /usr/bin/qemu-alpha rmix,
|
||||
+ /usr/bin/qemu-arm rmix,
|
||||
+ /usr/bin/qemu-armeb rmix,
|
||||
+ /usr/bin/qemu-cris rmix,
|
||||
+ /usr/bin/qemu-i386 rmix,
|
||||
+ /usr/bin/qemu-m68k rmix,
|
||||
+ /usr/bin/qemu-microblaze rmix,
|
||||
+ /usr/bin/qemu-microblazeel rmix,
|
||||
+ /usr/bin/qemu-mips rmix,
|
||||
+ /usr/bin/qemu-mipsel rmix,
|
||||
+ /usr/bin/qemu-ppc rmix,
|
||||
+ /usr/bin/qemu-ppc64 rmix,
|
||||
+ /usr/bin/qemu-ppc64abi32 rmix,
|
||||
+ /usr/bin/qemu-sh4 rmix,
|
||||
+ /usr/bin/qemu-sh4eb rmix,
|
||||
+ /usr/bin/qemu-sparc rmix,
|
||||
+ /usr/bin/qemu-sparc64 rmix,
|
||||
+ /usr/bin/qemu-sparc32plus rmix,
|
||||
+ /usr/bin/qemu-sparc64 rmix,
|
||||
+ /usr/bin/qemu-x86_64 rmix,
|
||||
+ @libdir@/qemu/block-curl.so mr,
|
||||
+
|
||||
+ # for save and resume
|
||||
+ /bin/dash rmix,
|
||||
+ /bin/dd rmix,
|
||||
+ /bin/cat rmix,
|
||||
+
|
||||
+ # for usb access
|
||||
+ /dev/bus/usb/ r,
|
||||
+ /etc/udev/udev.conf r,
|
||||
+ /sys/bus/ r,
|
||||
+ /sys/class/ r,
|
||||
+
|
||||
+ /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
|
||||
+ # child profile for bridge helper process
|
||||
+ profile qemu_bridge_helper {
|
||||
+ #include <abstractions/base>
|
||||
+
|
||||
+ capability setuid,
|
||||
+ capability setgid,
|
||||
+ capability setpcap,
|
||||
+ capability net_admin,
|
||||
+
|
||||
+ network inet stream,
|
||||
+
|
||||
+ /dev/net/tun rw,
|
||||
+ /etc/qemu/** r,
|
||||
+ owner @{PROC}/*/status r,
|
||||
+
|
||||
+ /usr/{lib,libexec}/qemu-bridge-helper rmix,
|
||||
+ }
|
@ -1,3 +1,11 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 5 09:44:12 UTC 2015 - cbosdonnat@suse.com
|
||||
|
||||
- Replaced hard to maintain install-apparmor-profiles.patch
|
||||
by upstreamed 30c6aecc-apparmor-lib64.patch.
|
||||
- Reformatted libvirt.spec and libvirtd.init to pass upstream make
|
||||
syntax-check
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Dec 27 22:08:00 UTC 2014 - Led <ledest@gmail.com>
|
||||
|
||||
|
676
libvirt.spec
676
libvirt.spec
File diff suppressed because it is too large
Load Diff
@ -1,7 +1,7 @@
|
||||
Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
|
||||
Index: libvirt-1.2.11/examples/apparmor/libvirt-qemu
|
||||
===================================================================
|
||||
--- libvirt-1.2.10.orig/examples/apparmor/libvirt-qemu.in
|
||||
+++ libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
|
||||
--- libvirt-1.2.11.orig/examples/apparmor/libvirt-qemu
|
||||
+++ libvirt-1.2.11/examples/apparmor/libvirt-qemu
|
||||
@@ -124,6 +124,9 @@
|
||||
/sys/bus/ r,
|
||||
/sys/class/ r,
|
||||
|
Loading…
Reference in New Issue
Block a user