fix apparmor profiles
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=142
parent
785bf3956a
commit
6e4eefb67c
@ -2,17 +2,270 @@ Index: libvirt-0.9.4/examples/apparmor/Makefile.am
|
||||
===================================================================
|
||||
--- libvirt-0.9.4.orig/examples/apparmor/Makefile.am
|
||||
+++ libvirt-0.9.4/examples/apparmor/Makefile.am
|
||||
@@ -6,3 +6,12 @@ EXTRA_DIST= \
|
||||
libvirt-qemu \
|
||||
usr.lib.libvirt.virt-aa-helper \
|
||||
usr.sbin.libvirtd
|
||||
@@ -1,8 +1,39 @@
|
||||
## Copyright (C) 2005-2011 Red Hat, Inc.
|
||||
## See COPYING.LIB for the License of this software
|
||||
|
||||
-EXTRA_DIST= \
|
||||
- TEMPLATE \
|
||||
- libvirt-qemu \
|
||||
- usr.lib.libvirt.virt-aa-helper \
|
||||
- usr.sbin.libvirtd
|
||||
+EXTRA_DIST= \
|
||||
+ TEMPLATE \
|
||||
+ libvirt-qemu \
|
||||
+ usr.lib.libvirt.virt-aa-helper.in \
|
||||
+ usr.sbin.libvirtd.in
|
||||
+
|
||||
+if WITH_SECDRIVER_APPARMOR
|
||||
+confdir = $(sysconfdir)/apparmor.d/libvirt
|
||||
+conf_DATA= \
|
||||
+ TEMPLATE \
|
||||
+ libvirt-qemu \
|
||||
+ usr.lib.libvirt.virt-aa-helper \
|
||||
+ usr.sbin.libvirtd
|
||||
+
|
||||
+usr.lib.libvirt.virt-aa-helper: usr.lib.libvirt.virt-aa-helper.in
|
||||
+ sed \
|
||||
+ -e 's![@]libdir[@]!$(libdir)!g' \
|
||||
+ < $< > $@-t
|
||||
+ mv $@-t $@
|
||||
+
|
||||
+usr.sbin.libvirtd: usr.sbin.libvirtd.in
|
||||
+ sed \
|
||||
+ -e 's![@]libdir[@]!$(libdir)!g' \
|
||||
+ < $< > $@-t
|
||||
+ mv $@-t $@
|
||||
+
|
||||
+install-data-local: usr.sbin.libvirtd usr.lib.libvirt.virt-aa-helper
|
||||
+ mkdir -p $(DESTDIR)$(sysconfdir)/apparmor.d/
|
||||
+ $(INSTALL_DATA) usr.lib.libvirt.virt-aa-helper $(DESTDIR)$(sysconfdir)/apparmor.d/usr.lib.libvirt.virt-aa-helper
|
||||
+ $(INSTALL_DATA) usr.sbin.libvirtd $(DESTDIR)$(sysconfdir)/apparmor.d/usr.sbin.libvirtd
|
||||
+ mkdir -p $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt
|
||||
+ $(INSTALL_DATA) TEMPLATE $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt/TEMPLATE
|
||||
+ mkdir -p $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions
|
||||
+ $(INSTALL_DATA) libvirt-qemu $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/libvirt-qemu
|
||||
+
|
||||
+uninstall-local::
|
||||
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/usr.lib.libvirt.virt-aa-helper
|
||||
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/usr.sbin.libvirtd
|
||||
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/libvirt-qemu
|
||||
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt/TEMPLATE
|
||||
+
|
||||
+endif
|
||||
\ No newline at end of file
|
||||
Index: libvirt-0.9.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ libvirt-0.9.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
|
||||
@@ -0,0 +1,40 @@
|
||||
+# Last Modified: Fri Aug 19 11:21:48 2011
|
||||
+#include <tunables/global>
|
||||
+
|
||||
+@libdir@/libvirt/virt-aa-helper {
|
||||
+ #include <abstractions/base>
|
||||
+
|
||||
+ # needed for searching directories
|
||||
+ capability dac_override,
|
||||
+ capability dac_read_search,
|
||||
+
|
||||
+ # needed for when disk is on a network filesystem
|
||||
+ network inet,
|
||||
+
|
||||
+ deny @{PROC}/[0-9]*/mounts r,
|
||||
+ @{PROC}/filesystems r,
|
||||
+
|
||||
+ # for hostdev
|
||||
+ /sys/devices/ r,
|
||||
+ /sys/devices/** r,
|
||||
+
|
||||
+ @libdir@/libvirt/virt-aa-helper mr,
|
||||
+ /sbin/apparmor_parser Ux,
|
||||
+
|
||||
+ /etc/apparmor.d/libvirt/* r,
|
||||
+ /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
|
||||
+
|
||||
+ # for backingstore -- allow access to non-hidden files in @{HOME} as well
|
||||
+ # as storage pools
|
||||
+ audit deny @{HOME}/.* mrwkl,
|
||||
+ audit deny @{HOME}/.*/ rw,
|
||||
+ audit deny @{HOME}/.*/** mrwkl,
|
||||
+ audit deny @{HOME}/bin/ rw,
|
||||
+ audit deny @{HOME}/bin/** mrwkl,
|
||||
+ @{HOME}/ r,
|
||||
+ @{HOME}/** r,
|
||||
+ /var/lib/libvirt/images/ r,
|
||||
+ /var/lib/libvirt/images/** r,
|
||||
+ /var/lib/kvm/images/ r,
|
||||
+ /var/lib/kvm/images/** r,
|
||||
+}
|
||||
Index: libvirt-0.9.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper
|
||||
===================================================================
|
||||
--- libvirt-0.9.4.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
|
||||
+++ /dev/null
|
||||
@@ -1,38 +0,0 @@
|
||||
-# Last Modified: Mon Apr 5 15:10:27 2010
|
||||
-#include <tunables/global>
|
||||
-
|
||||
-/usr/lib/libvirt/virt-aa-helper {
|
||||
- #include <abstractions/base>
|
||||
-
|
||||
- # needed for searching directories
|
||||
- capability dac_override,
|
||||
- capability dac_read_search,
|
||||
-
|
||||
- # needed for when disk is on a network filesystem
|
||||
- network inet,
|
||||
-
|
||||
- deny @{PROC}/[0-9]*/mounts r,
|
||||
- @{PROC}/filesystems r,
|
||||
-
|
||||
- # for hostdev
|
||||
- /sys/devices/ r,
|
||||
- /sys/devices/** r,
|
||||
-
|
||||
- /usr/lib/libvirt/virt-aa-helper mr,
|
||||
- /sbin/apparmor_parser Ux,
|
||||
-
|
||||
- /etc/apparmor.d/libvirt/* r,
|
||||
- /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
|
||||
-
|
||||
- # for backingstore -- allow access to non-hidden files in @{HOME} as well
|
||||
- # as storage pools
|
||||
- audit deny @{HOME}/.* mrwkl,
|
||||
- audit deny @{HOME}/.*/ rw,
|
||||
- audit deny @{HOME}/.*/** mrwkl,
|
||||
- audit deny @{HOME}/bin/ rw,
|
||||
- audit deny @{HOME}/bin/** mrwkl,
|
||||
- @{HOME}/ r,
|
||||
- @{HOME}/** r,
|
||||
- /var/lib/libvirt/images/ r,
|
||||
- /var/lib/libvirt/images/** r,
|
||||
-}
|
||||
Index: libvirt-0.9.4/examples/apparmor/usr.sbin.libvirtd
|
||||
===================================================================
|
||||
--- libvirt-0.9.4.orig/examples/apparmor/usr.sbin.libvirtd
|
||||
+++ /dev/null
|
||||
@@ -1,52 +0,0 @@
|
||||
-# Last Modified: Mon Apr 5 15:03:58 2010
|
||||
-#include <tunables/global>
|
||||
-@{LIBVIRT}="libvirt"
|
||||
-
|
||||
-/usr/sbin/libvirtd {
|
||||
- #include <abstractions/base>
|
||||
-
|
||||
- capability kill,
|
||||
- capability net_admin,
|
||||
- capability net_raw,
|
||||
- capability setgid,
|
||||
- capability sys_admin,
|
||||
- capability sys_module,
|
||||
- capability sys_ptrace,
|
||||
- capability sys_nice,
|
||||
- capability sys_chroot,
|
||||
- capability setuid,
|
||||
- capability dac_override,
|
||||
- capability dac_read_search,
|
||||
- capability fowner,
|
||||
- capability chown,
|
||||
- capability setpcap,
|
||||
- capability mknod,
|
||||
- capability fsetid,
|
||||
-
|
||||
- network inet stream,
|
||||
- network inet dgram,
|
||||
- network inet6 stream,
|
||||
- network inet6 dgram,
|
||||
-
|
||||
- # Very lenient profile for libvirtd since we want to first focus on confining
|
||||
- # the guests. Guests will have a very restricted profile.
|
||||
- /** rwmkl,
|
||||
-
|
||||
- /bin/* Ux,
|
||||
- /sbin/* Ux,
|
||||
- /usr/bin/* Ux,
|
||||
- /usr/sbin/* Ux,
|
||||
-
|
||||
- # force the use of virt-aa-helper
|
||||
- audit deny /sbin/apparmor_parser rwxl,
|
||||
- audit deny /etc/apparmor.d/libvirt/** wxl,
|
||||
- audit deny /sys/kernel/security/apparmor/features rwxl,
|
||||
- audit deny /sys/kernel/security/apparmor/matching rwxl,
|
||||
- audit deny /sys/kernel/security/apparmor/.* rwxl,
|
||||
- /sys/kernel/security/apparmor/profiles r,
|
||||
- /usr/lib/libvirt/* PUxr,
|
||||
-
|
||||
- # allow changing to our UUID-based named profiles
|
||||
- change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
|
||||
-
|
||||
-}
|
||||
Index: libvirt-0.9.4/examples/apparmor/usr.sbin.libvirtd.in
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ libvirt-0.9.4/examples/apparmor/usr.sbin.libvirtd.in
|
||||
@@ -0,0 +1,52 @@
|
||||
+# Last Modified: Fri Aug 19 11:20:36 2011
|
||||
+#include <tunables/global>
|
||||
+@{LIBVIRT}="libvirt"
|
||||
+
|
||||
+/usr/sbin/libvirtd {
|
||||
+ #include <abstractions/base>
|
||||
+
|
||||
+ capability kill,
|
||||
+ capability net_admin,
|
||||
+ capability net_raw,
|
||||
+ capability setgid,
|
||||
+ capability sys_admin,
|
||||
+ capability sys_module,
|
||||
+ capability sys_ptrace,
|
||||
+ capability sys_nice,
|
||||
+ capability sys_chroot,
|
||||
+ capability setuid,
|
||||
+ capability dac_override,
|
||||
+ capability dac_read_search,
|
||||
+ capability fowner,
|
||||
+ capability chown,
|
||||
+ capability setpcap,
|
||||
+ capability mknod,
|
||||
+ capability fsetid,
|
||||
+
|
||||
+ network inet stream,
|
||||
+ network inet dgram,
|
||||
+ network inet6 stream,
|
||||
+ network inet6 dgram,
|
||||
+
|
||||
+ # Very lenient profile for libvirtd since we want to first focus on confining
|
||||
+ # the guests. Guests will have a very restricted profile.
|
||||
+ /** rwmkl,
|
||||
+
|
||||
+ /bin/* Ux,
|
||||
+ /sbin/* Ux,
|
||||
+ /usr/bin/* Ux,
|
||||
+ /usr/sbin/* Ux,
|
||||
+
|
||||
+ # force the use of virt-aa-helper
|
||||
+ audit deny /sbin/apparmor_parser rwxl,
|
||||
+ audit deny /etc/apparmor.d/libvirt/** wxl,
|
||||
+ audit deny /sys/kernel/security/apparmor/features rwxl,
|
||||
+ audit deny /sys/kernel/security/apparmor/matching rwxl,
|
||||
+ audit deny /sys/kernel/security/apparmor/.* rwxl,
|
||||
+ /sys/kernel/security/apparmor/profiles r,
|
||||
+ @libdir@/libvirt/* Pxr,
|
||||
+
|
||||
+ # allow changing to our UUID-based named profiles
|
||||
+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
|
||||
+
|
||||
+}
|
||||
Index: libvirt-0.9.4/examples/apparmor/libvirt-qemu
|
||||
===================================================================
|
||||
--- libvirt-0.9.4.orig/examples/apparmor/libvirt-qemu
|
||||
+++ libvirt-0.9.4/examples/apparmor/libvirt-qemu
|
||||
@@ -52,6 +52,7 @@
|
||||
# access to firmware's etc
|
||||
/usr/share/kvm/** r,
|
||||
/usr/share/qemu/** r,
|
||||
+ /usr/share/qemu-kvm/** r,
|
||||
/usr/share/bochs/** r,
|
||||
/usr/share/openbios/** r,
|
||||
/usr/share/openhackware/** r,
|
||||
@@ -65,6 +66,7 @@
|
||||
# the various binaries
|
||||
/usr/bin/kvm rmix,
|
||||
/usr/bin/qemu rmix,
|
||||
+ /usr/bin/qemu-kvm rmix,
|
||||
/usr/bin/qemu-system-arm rmix,
|
||||
/usr/bin/qemu-system-cris rmix,
|
||||
/usr/bin/qemu-system-i386 rmix,
|
||||
|
@ -1,9 +1,21 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Aug 19 15:21:39 MDT 2011 - jfehlig@suse.com
|
||||
|
||||
- Fix apparmor profile location and content
|
||||
update install-apparmor-profiles.patch
|
||||
bnc#705668
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Aug 17 16:24:17 MDT 2011 - jfehlig@suse.com
|
||||
|
||||
- Fix libvirtd SIGHUP handler
|
||||
9e093f0b-libvirtd-sighup.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Aug 17 09:13:41 CEST 2011 - dmueller@suse.de
|
||||
|
||||
- add baselibs.conf to sources
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 8 15:21:42 MDT 2011 - jfehlig@suse.com
|
||||
|
||||
|
12
libvirt.spec
12
libvirt.spec
@ -359,6 +359,7 @@ Recommends: device-mapper
|
||||
Source0: %{name}-%{version}.tar.bz2
|
||||
Source1: libvirtd.init
|
||||
Source2: libvirtd-relocation-server.fw
|
||||
Source99: baselibs.conf
|
||||
# Upstream patches
|
||||
Patch0: 9e093f0b-libvirtd-sighup.patch
|
||||
# Need to go upstream
|
||||
@ -370,7 +371,7 @@ Patch103: xend-disk-order.patch
|
||||
Patch200: libvirtd-defaults.patch
|
||||
Patch201: use-init-script-redhat.patch
|
||||
%if %{with_apparmor}
|
||||
Patch202: install-apparmor-profiles.patch
|
||||
Patch250: install-apparmor-profiles.patch
|
||||
%endif
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
|
||||
@ -487,7 +488,7 @@ Authors:
|
||||
%patch200 -p1
|
||||
%patch201 -p1
|
||||
%if %{with_apparmor}
|
||||
%patch202 -p1
|
||||
%patch250 -p1
|
||||
%endif
|
||||
|
||||
%build
|
||||
@ -820,11 +821,12 @@ fi
|
||||
%endif
|
||||
%if %{with_apparmor}
|
||||
%dir %{_sysconfdir}/apparmor.d
|
||||
%dir %{_sysconfdir}/apparmor.d/abstractions
|
||||
%dir %{_sysconfdir}/apparmor.d/libvirt
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.sbin.libvirtd
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.lib.libvirt.virt-aa-helper
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/libvirt-qemu
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/libvirt/TEMPLATE
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/libvirt/libvirt-qemu
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/libvirt/usr.lib.libvirt.virt-aa-helper
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/libvirt/usr.sbin.libvirtd
|
||||
%{_libdir}/%{name}/virt-aa-helper
|
||||
%endif
|
||||
%config %{_fwdefdir}/libvirtd-relocation-server
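Review bot: Nothing in the %files hunk, or in the other visible hunks, reloads the relocated profiles after installation or upgrade; unless a %post elsewhere in the spec runs `apparmor_parser -r` on the installed `usr.sbin.libvirtd` and `usr.lib.libvirt.virt-aa-helper`, a corrected profile only takes effect at the next AppArmor restart or reboot (inferred, since the scriptlets are outside this diff). The hunk also takes ownership of `%dir %{_sysconfdir}/apparmor.d` and `%dir %{_sysconfdir}/apparmor.d/abstractions`, directories that on an AppArmor-enabled system belong to the AppArmor packages; if libvirt is not deliberately avoiding a dependency on them, requiring the owning package and dropping the two %dir lines is cleaner than co-ownership. The Patch202 → Patch250 renumbering in the two earlier hunks is cosmetic and needs no action.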
|
||||
|