Accepting request 279992 from Virtualization

1

OBS-URL: https://build.opensuse.org/request/show/279992
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=169
This commit is contained in:
Dominique Leuenberger 2015-01-07 08:38:51 +00:00 committed by Git OBS Bridge
commit 45458ca8db
6 changed files with 428 additions and 930 deletions

View File

@ -0,0 +1,73 @@
From 30c6aecc449202e930249215c6514d6c13a46c83 Mon Sep 17 00:00:00 2001
From: Cedric Bosdonnat <cbosdonnat@suse.com>
Date: Mon, 15 Dec 2014 15:14:48 +0100
Subject: [PATCH] Teach AppArmor, that /usr/lib64 may exist.
The apparmor profiles forgot about /usr/lib64 folders, just add lib64
as a possible alternative to lib in the paths
---
examples/apparmor/libvirt-qemu | 2 +-
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++--
examples/apparmor/usr.sbin.libvirtd | 4 ++--
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index c6de6dd..7aad391 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -111,7 +111,7 @@
/usr/bin/qemu-sparc32plus rmix,
/usr/bin/qemu-sparc64 rmix,
/usr/bin/qemu-x86_64 rmix,
- /usr/lib/qemu/block-curl.so mr,
+ /usr/{lib,lib64}/qemu/block-curl.so mr,
# for save and resume
/bin/dash rmix,
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index bceaaff..b34fb35 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -1,7 +1,7 @@
# Last Modified: Mon Apr 5 15:10:27 2010
#include <tunables/global>
-/usr/lib/libvirt/virt-aa-helper {
+profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
#include <abstractions/base>
# needed for searching directories
@@ -20,7 +20,7 @@
/sys/devices/ r,
/sys/devices/** r,
- /usr/lib/libvirt/virt-aa-helper mr,
+ /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
/sbin/apparmor_parser Ux,
/etc/apparmor.d/libvirt/* r,
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 3011eff..7151052 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -44,7 +44,7 @@
/usr/bin/* PUx,
/usr/sbin/* PUx,
/lib/udev/scsi_id PUx,
- /usr/lib/xen-common/bin/xen-toolstack PUx,
+ /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
# force the use of virt-aa-helper
audit deny /sbin/apparmor_parser rwxl,
@@ -53,7 +53,7 @@
audit deny /sys/kernel/security/apparmor/matching rwxl,
audit deny /sys/kernel/security/apparmor/.* rwxl,
/sys/kernel/security/apparmor/profiles r,
- /usr/lib/libvirt/* PUxr,
+ /usr/{lib,lib64}/libvirt/* PUxr,
/etc/libvirt/hooks/** rmix,
/etc/xen/scripts/** rmix,
--
2.1.2

View File

@ -1,583 +0,0 @@
Index: libvirt-1.2.10/examples/apparmor/Makefile.am
===================================================================
--- libvirt-1.2.10.orig/examples/apparmor/Makefile.am
+++ libvirt-1.2.10/examples/apparmor/Makefile.am
@@ -17,12 +17,30 @@
EXTRA_DIST= \
TEMPLATE.qemu \
TEMPLATE.lxc \
- libvirt-qemu \
+ libvirt-qemu.in \
libvirt-lxc \
- usr.lib.libvirt.virt-aa-helper \
- usr.sbin.libvirtd
+ usr.lib.libvirt.virt-aa-helper.in \
+ usr.sbin.libvirtd.in
if WITH_APPARMOR_PROFILES
+usr.lib.libvirt.virt-aa-helper: usr.lib.libvirt.virt-aa-helper.in
+ sed \
+ -e 's![@]libdir[@]!$(libdir)!g' \
+ < $< > $@-t
+ mv $@-t $@
+
+usr.sbin.libvirtd: usr.sbin.libvirtd.in
+ sed \
+ -e 's![@]libdir[@]!$(libdir)!g' \
+ < $< > $@-t
+ mv $@-t $@
+
+libvirt-qemu: libvirt-qemu.in
+ sed \
+ -e 's![@]libdir[@]!$(libdir)!g' \
+ < $< > $@-t
+ mv $@-t $@
+
apparmordir = $(sysconfdir)/apparmor.d/
apparmor_DATA = \
usr.lib.libvirt.virt-aa-helper \
Index: libvirt-1.2.10/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
===================================================================
--- /dev/null
+++ libvirt-1.2.10/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -0,0 +1,48 @@
+# Last Modified: Mon Apr 5 15:10:27 2010
+#include <tunables/global>
+
+@libdir@/libvirt/virt-aa-helper {
+ #include <abstractions/base>
+
+ # needed for searching directories
+ capability dac_override,
+ capability dac_read_search,
+
+ # needed for when disk is on a network filesystem
+ network inet,
+
+ deny @{PROC}/[0-9]*/mounts r,
+ @{PROC}/[0-9]*/net/psched r,
+ owner @{PROC}/[0-9]*/status r,
+ @{PROC}/filesystems r,
+
+ # for hostdev
+ /sys/devices/ r,
+ /sys/devices/** r,
+
+ @libdir@/libvirt/virt-aa-helper mr,
+ /sbin/apparmor_parser Ux,
+
+ /etc/apparmor.d/libvirt/* r,
+ /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+
+ # for backingstore -- allow access to non-hidden files in @{HOME} as well
+ # as storage pools
+ audit deny @{HOME}/.* mrwkl,
+ audit deny @{HOME}/.*/ rw,
+ audit deny @{HOME}/.*/** mrwkl,
+ audit deny @{HOME}/bin/ rw,
+ audit deny @{HOME}/bin/** mrwkl,
+ @{HOME}/ r,
+ @{HOME}/** r,
+ /var/lib/libvirt/images/ r,
+ /var/lib/libvirt/images/** r,
+ /{media,mnt,opt,srv}/** r,
+
+ /**.img r,
+ /**.qcow{,2} r,
+ /**.qed r,
+ /**.vmdk r,
+ /**.[iI][sS][oO] r,
+ /**/disk{,.*} r,
+}
Index: libvirt-1.2.10/examples/apparmor/usr.sbin.libvirtd.in
===================================================================
--- /dev/null
+++ libvirt-1.2.10/examples/apparmor/usr.sbin.libvirtd.in
@@ -0,0 +1,68 @@
+# Last Modified: Mon Apr 5 15:03:58 2010
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
+
+/usr/sbin/libvirtd {
+ #include <abstractions/base>
+ #include <abstractions/dbus>
+
+ capability kill,
+ capability net_admin,
+ capability net_raw,
+ capability setgid,
+ capability sys_admin,
+ capability sys_module,
+ capability sys_ptrace,
+ capability sys_nice,
+ capability sys_chroot,
+ capability setuid,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability chown,
+ capability setpcap,
+ capability mknod,
+ capability fsetid,
+ capability audit_write,
+
+ # Needed for vfio
+ capability sys_resource,
+
+ network inet stream,
+ network inet dgram,
+ network inet6 stream,
+ network inet6 dgram,
+ network packet dgram,
+ network packet raw,
+
+ # Very lenient profile for libvirtd since we want to first focus on confining
+ # the guests. Guests will have a very restricted profile.
+ / r,
+ /** rwmkl,
+
+ /bin/* PUx,
+ /sbin/* PUx,
+ /usr/bin/* PUx,
+ /usr/sbin/* PUx,
+ /lib/udev/scsi_id PUx,
+ /usr/lib/xen/bin/* Ux,
+ /usr/lib64/xen/bin/* Ux,
+ /usr/lib/polkit-1/polkit-agent-helper Px,
+
+ # force the use of virt-aa-helper
+ audit deny /sbin/apparmor_parser rwxl,
+ audit deny /etc/apparmor.d/libvirt/** wxl,
+ audit deny /sys/kernel/security/apparmor/features rwxl,
+ audit deny /sys/kernel/security/apparmor/matching rwxl,
+ audit deny /sys/kernel/security/apparmor/.* rwxl,
+ /sys/kernel/security/apparmor/profiles r,
+ @libdir@/libvirt/* PUxr,
+ /etc/libvirt/hooks/** rmix,
+ /etc/xen/scripts/** rmix,
+ @libdir@/libvirt/libvirt_parthelper Ux,
+ @libdir@/libvirt/libvirt_iohelper Ux,
+
+ # allow changing to our UUID-based named profiles
+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
+}
Index: libvirt-1.2.10/examples/apparmor/usr.lib.libvirt.virt-aa-helper
===================================================================
--- libvirt-1.2.10.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ /dev/null
@@ -1,48 +0,0 @@
-# Last Modified: Mon Apr 5 15:10:27 2010
-#include <tunables/global>
-
-/usr/lib/libvirt/virt-aa-helper {
- #include <abstractions/base>
-
- # needed for searching directories
- capability dac_override,
- capability dac_read_search,
-
- # needed for when disk is on a network filesystem
- network inet,
-
- deny @{PROC}/[0-9]*/mounts r,
- @{PROC}/[0-9]*/net/psched r,
- owner @{PROC}/[0-9]*/status r,
- @{PROC}/filesystems r,
-
- # for hostdev
- /sys/devices/ r,
- /sys/devices/** r,
-
- /usr/lib/libvirt/virt-aa-helper mr,
- /sbin/apparmor_parser Ux,
-
- /etc/apparmor.d/libvirt/* r,
- /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
-
- # for backingstore -- allow access to non-hidden files in @{HOME} as well
- # as storage pools
- audit deny @{HOME}/.* mrwkl,
- audit deny @{HOME}/.*/ rw,
- audit deny @{HOME}/.*/** mrwkl,
- audit deny @{HOME}/bin/ rw,
- audit deny @{HOME}/bin/** mrwkl,
- @{HOME}/ r,
- @{HOME}/** r,
- /var/lib/libvirt/images/ r,
- /var/lib/libvirt/images/** r,
- /{media,mnt,opt,srv}/** r,
-
- /**.img r,
- /**.qcow{,2} r,
- /**.qed r,
- /**.vmdk r,
- /**.[iI][sS][oO] r,
- /**/disk{,.*} r,
-}
Index: libvirt-1.2.10/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-1.2.10.orig/examples/apparmor/usr.sbin.libvirtd
+++ /dev/null
@@ -1,63 +0,0 @@
-# Last Modified: Mon Apr 5 15:03:58 2010
-#include <tunables/global>
-@{LIBVIRT}="libvirt"
-
-/usr/sbin/libvirtd {
- #include <abstractions/base>
- #include <abstractions/dbus>
-
- capability kill,
- capability net_admin,
- capability net_raw,
- capability setgid,
- capability sys_admin,
- capability sys_module,
- capability sys_ptrace,
- capability sys_nice,
- capability sys_chroot,
- capability setuid,
- capability dac_override,
- capability dac_read_search,
- capability fowner,
- capability chown,
- capability setpcap,
- capability mknod,
- capability fsetid,
- capability audit_write,
-
- # Needed for vfio
- capability sys_resource,
-
- network inet stream,
- network inet dgram,
- network inet6 stream,
- network inet6 dgram,
- network packet dgram,
-
- # Very lenient profile for libvirtd since we want to first focus on confining
- # the guests. Guests will have a very restricted profile.
- / r,
- /** rwmkl,
-
- /bin/* PUx,
- /sbin/* PUx,
- /usr/bin/* PUx,
- /usr/sbin/* PUx,
- /lib/udev/scsi_id PUx,
- /usr/lib/xen-common/bin/xen-toolstack PUx,
-
- # force the use of virt-aa-helper
- audit deny /sbin/apparmor_parser rwxl,
- audit deny /etc/apparmor.d/libvirt/** wxl,
- audit deny /sys/kernel/security/apparmor/features rwxl,
- audit deny /sys/kernel/security/apparmor/matching rwxl,
- audit deny /sys/kernel/security/apparmor/.* rwxl,
- /sys/kernel/security/apparmor/profiles r,
- /usr/lib/libvirt/* PUxr,
- /etc/libvirt/hooks/** rmix,
- /etc/xen/scripts/** rmix,
-
- # allow changing to our UUID-based named profiles
- change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
-
-}
Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu
===================================================================
--- libvirt-1.2.10.orig/examples/apparmor/libvirt-qemu
+++ /dev/null
@@ -1,144 +0,0 @@
-# Last Modified: Wed Sep 3 21:52:03 2014
-
- #include <abstractions/base>
- #include <abstractions/consoles>
- #include <abstractions/nameservice>
-
- # required for reading disk images
- capability dac_override,
- capability dac_read_search,
- capability chown,
-
- # needed to drop privileges
- capability setgid,
- capability setuid,
-
- network inet stream,
- network inet6 stream,
-
- /dev/net/tun rw,
- /dev/kvm rw,
- /dev/ptmx rw,
- /dev/kqemu rw,
- @{PROC}/*/status r,
- @{PROC}/sys/kernel/cap_last_cap r,
-
- # For hostdev access. The actual devices will be added dynamically
- /sys/bus/usb/devices/ r,
- /sys/devices/**/usb[0-9]*/** r,
-
- # WARNING: this gives the guest direct access to host hardware and specific
- # portions of shared memory. This is required for sound using ALSA with kvm,
- # but may constitute a security risk. If your environment does not require
- # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
- # the rules for files in /dev.
- /{dev,run}/shm r,
- /{dev,run}/shmpulse-shm* r,
- /{dev,run}/shmpulse-shm* rwk,
- /dev/snd/* rw,
- capability ipc_lock,
- # spice
- owner /{dev,run}/shm/spice.* rw,
- # 'kill' is not required for sound and is a security risk. Do not enable
- # unless you absolutely need it.
- deny capability kill,
-
- # Uncomment the following if you need access to /dev/fb*
- #/dev/fb* rw,
-
- /etc/pulse/client.conf r,
- @{HOME}/.pulse-cookie rwk,
- owner /root/.pulse-cookie rwk,
- owner /root/.pulse/ rw,
- owner /root/.pulse/* rw,
- /usr/share/alsa/** r,
- owner /tmp/pulse-*/ rw,
- owner /tmp/pulse-*/* rw,
- /var/lib/dbus/machine-id r,
-
- # access to firmware's etc
- /usr/share/kvm/** r,
- /usr/share/qemu/** r,
- /usr/share/bochs/** r,
- /usr/share/openbios/** r,
- /usr/share/openhackware/** r,
- /usr/share/proll/** r,
- /usr/share/vgabios/** r,
- /usr/share/seabios/** r,
- /usr/share/ovmf/** r,
-
- # access PKI infrastructure
- /etc/pki/libvirt-vnc/** r,
-
- # the various binaries
- /usr/bin/kvm rmix,
- /usr/bin/qemu rmix,
- /usr/bin/qemu-system-arm rmix,
- /usr/bin/qemu-system-cris rmix,
- /usr/bin/qemu-system-i386 rmix,
- /usr/bin/qemu-system-m68k rmix,
- /usr/bin/qemu-system-microblaze rmix,
- /usr/bin/qemu-system-microblazeel rmix,
- /usr/bin/qemu-system-mips rmix,
- /usr/bin/qemu-system-mips64 rmix,
- /usr/bin/qemu-system-mips64el rmix,
- /usr/bin/qemu-system-mipsel rmix,
- /usr/bin/qemu-system-ppc rmix,
- /usr/bin/qemu-system-ppc64 rmix,
- /usr/bin/qemu-system-ppcemb rmix,
- /usr/bin/qemu-system-sh4 rmix,
- /usr/bin/qemu-system-sh4eb rmix,
- /usr/bin/qemu-system-sparc rmix,
- /usr/bin/qemu-system-sparc64 rmix,
- /usr/bin/qemu-system-x86_64 rmix,
- /usr/bin/qemu-alpha rmix,
- /usr/bin/qemu-arm rmix,
- /usr/bin/qemu-armeb rmix,
- /usr/bin/qemu-cris rmix,
- /usr/bin/qemu-i386 rmix,
- /usr/bin/qemu-m68k rmix,
- /usr/bin/qemu-microblaze rmix,
- /usr/bin/qemu-microblazeel rmix,
- /usr/bin/qemu-mips rmix,
- /usr/bin/qemu-mipsel rmix,
- /usr/bin/qemu-ppc rmix,
- /usr/bin/qemu-ppc64 rmix,
- /usr/bin/qemu-ppc64abi32 rmix,
- /usr/bin/qemu-sh4 rmix,
- /usr/bin/qemu-sh4eb rmix,
- /usr/bin/qemu-sparc rmix,
- /usr/bin/qemu-sparc64 rmix,
- /usr/bin/qemu-sparc32plus rmix,
- /usr/bin/qemu-sparc64 rmix,
- /usr/bin/qemu-x86_64 rmix,
- /usr/lib/qemu/block-curl.so mr,
-
- # for save and resume
- /bin/dash rmix,
- /bin/dd rmix,
- /bin/cat rmix,
-
- # for usb access
- /dev/bus/usb/ r,
- /etc/udev/udev.conf r,
- /sys/bus/ r,
- /sys/class/ r,
-
- /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
- # child profile for bridge helper process
- profile qemu_bridge_helper {
- #include <abstractions/base>
-
- capability setuid,
- capability setgid,
- capability setpcap,
- capability net_admin,
-
- network inet stream,
-
- /dev/net/tun rw,
- /etc/qemu/** r,
- owner @{PROC}/*/status r,
-
- /usr/{lib,libexec}/qemu-bridge-helper rmix,
- }
Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
===================================================================
--- /dev/null
+++ libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
@@ -0,0 +1,144 @@
+# Last Modified: Wed Sep 3 21:52:03 2014
+
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+
+ # required for reading disk images
+ capability dac_override,
+ capability dac_read_search,
+ capability chown,
+
+ # needed to drop privileges
+ capability setgid,
+ capability setuid,
+
+ network inet stream,
+ network inet6 stream,
+
+ /dev/net/tun rw,
+ /dev/kvm rw,
+ /dev/ptmx rw,
+ /dev/kqemu rw,
+ @{PROC}/*/status r,
+ @{PROC}/sys/kernel/cap_last_cap r,
+
+ # For hostdev access. The actual devices will be added dynamically
+ /sys/bus/usb/devices/ r,
+ /sys/devices/**/usb[0-9]*/** r,
+
+ # WARNING: this gives the guest direct access to host hardware and specific
+ # portions of shared memory. This is required for sound using ALSA with kvm,
+ # but may constitute a security risk. If your environment does not require
+ # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
+ # the rules for files in /dev.
+ /{dev,run}/shm r,
+ /{dev,run}/shmpulse-shm* r,
+ /{dev,run}/shmpulse-shm* rwk,
+ /dev/snd/* rw,
+ capability ipc_lock,
+ # spice
+ owner /{dev,run}/shm/spice.* rw,
+ # 'kill' is not required for sound and is a security risk. Do not enable
+ # unless you absolutely need it.
+ deny capability kill,
+
+ # Uncomment the following if you need access to /dev/fb*
+ #/dev/fb* rw,
+
+ /etc/pulse/client.conf r,
+ @{HOME}/.pulse-cookie rwk,
+ owner /root/.pulse-cookie rwk,
+ owner /root/.pulse/ rw,
+ owner /root/.pulse/* rw,
+ /usr/share/alsa/** r,
+ owner /tmp/pulse-*/ rw,
+ owner /tmp/pulse-*/* rw,
+ /var/lib/dbus/machine-id r,
+
+ # access to firmware's etc
+ /usr/share/kvm/** r,
+ /usr/share/qemu/** r,
+ /usr/share/bochs/** r,
+ /usr/share/openbios/** r,
+ /usr/share/openhackware/** r,
+ /usr/share/proll/** r,
+ /usr/share/vgabios/** r,
+ /usr/share/seabios/** r,
+ /usr/share/ovmf/** r,
+
+ # access PKI infrastructure
+ /etc/pki/libvirt-vnc/** r,
+
+ # the various binaries
+ /usr/bin/kvm rmix,
+ /usr/bin/qemu rmix,
+ /usr/bin/qemu-system-arm rmix,
+ /usr/bin/qemu-system-cris rmix,
+ /usr/bin/qemu-system-i386 rmix,
+ /usr/bin/qemu-system-m68k rmix,
+ /usr/bin/qemu-system-microblaze rmix,
+ /usr/bin/qemu-system-microblazeel rmix,
+ /usr/bin/qemu-system-mips rmix,
+ /usr/bin/qemu-system-mips64 rmix,
+ /usr/bin/qemu-system-mips64el rmix,
+ /usr/bin/qemu-system-mipsel rmix,
+ /usr/bin/qemu-system-ppc rmix,
+ /usr/bin/qemu-system-ppc64 rmix,
+ /usr/bin/qemu-system-ppcemb rmix,
+ /usr/bin/qemu-system-sh4 rmix,
+ /usr/bin/qemu-system-sh4eb rmix,
+ /usr/bin/qemu-system-sparc rmix,
+ /usr/bin/qemu-system-sparc64 rmix,
+ /usr/bin/qemu-system-x86_64 rmix,
+ /usr/bin/qemu-alpha rmix,
+ /usr/bin/qemu-arm rmix,
+ /usr/bin/qemu-armeb rmix,
+ /usr/bin/qemu-cris rmix,
+ /usr/bin/qemu-i386 rmix,
+ /usr/bin/qemu-m68k rmix,
+ /usr/bin/qemu-microblaze rmix,
+ /usr/bin/qemu-microblazeel rmix,
+ /usr/bin/qemu-mips rmix,
+ /usr/bin/qemu-mipsel rmix,
+ /usr/bin/qemu-ppc rmix,
+ /usr/bin/qemu-ppc64 rmix,
+ /usr/bin/qemu-ppc64abi32 rmix,
+ /usr/bin/qemu-sh4 rmix,
+ /usr/bin/qemu-sh4eb rmix,
+ /usr/bin/qemu-sparc rmix,
+ /usr/bin/qemu-sparc64 rmix,
+ /usr/bin/qemu-sparc32plus rmix,
+ /usr/bin/qemu-sparc64 rmix,
+ /usr/bin/qemu-x86_64 rmix,
+ @libdir@/qemu/block-curl.so mr,
+
+ # for save and resume
+ /bin/dash rmix,
+ /bin/dd rmix,
+ /bin/cat rmix,
+
+ # for usb access
+ /dev/bus/usb/ r,
+ /etc/udev/udev.conf r,
+ /sys/bus/ r,
+ /sys/class/ r,
+
+ /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+ # child profile for bridge helper process
+ profile qemu_bridge_helper {
+ #include <abstractions/base>
+
+ capability setuid,
+ capability setgid,
+ capability setpcap,
+ capability net_admin,
+
+ network inet stream,
+
+ /dev/net/tun rw,
+ /etc/qemu/** r,
+ owner @{PROC}/*/status r,
+
+ /usr/{lib,libexec}/qemu-bridge-helper rmix,
+ }

View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Mon Jan 5 09:44:12 UTC 2015 - cbosdonnat@suse.com
- Replaced hard to maintain install-apparmor-profiles.patch
by upstreamed 30c6aecc-apparmor-lib64.patch.
- Reformatted libvirt.spec and libvirtd.init to pass upstream make
syntax-check
-------------------------------------------------------------------
Sat Dec 27 22:08:00 UTC 2014 - Led <ledest@gmail.com>

File diff suppressed because it is too large Load Diff

View File

@ -1,7 +1,7 @@
Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
Index: libvirt-1.2.11/examples/apparmor/libvirt-qemu
===================================================================
--- libvirt-1.2.10.orig/examples/apparmor/libvirt-qemu.in
+++ libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
--- libvirt-1.2.11.orig/examples/apparmor/libvirt-qemu
+++ libvirt-1.2.11/examples/apparmor/libvirt-qemu
@@ -124,6 +124,9 @@
/sys/bus/ r,
/sys/class/ r,