Accepting request 291048 from Virtualization

1 OBS-URL: https://build.opensuse.org/request/show/291048 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=172
2015-03-18 12:06:03 +00:00 · 2015-03-18 12:06:03 +00:00 · 805aacfe40
commit 805aacfe40
parent 69ceff9ecc 44a71b3a3e
6 changed files with 93 additions and 17 deletions
--- a/apparmor-fixes.patch
+++ b/apparmor-fixes.patch
@ -0,0 +1,33 @@
+Index: libvirt-1.2.13/examples/apparmor/libvirt-qemu
+===================================================================
+--- libvirt-1.2.13.orig/examples/apparmor/libvirt-qemu
+++ libvirt-1.2.13/examples/apparmor/libvirt-qemu
+@@ -59,6 +59,7 @@
+   # access to firmware's etc
+   /usr/share/kvm/** r,
+   /usr/share/qemu/** r,
+  /usr/share/qemu-kvm/** r,
+   /usr/share/bochs/** r,
+   /usr/share/openbios/** r,
+   /usr/share/openhackware/** r,
+@@ -73,6 +74,7 @@
+   # the various binaries
+   /usr/bin/kvm rmix,
+   /usr/bin/qemu rmix,
+  /usr/bin/qemu-kvm rmix,
+   /usr/bin/qemu-system-arm rmix,
+   /usr/bin/qemu-system-cris rmix,
+   /usr/bin/qemu-system-i386 rmix,
+@@ -118,6 +120,12 @@
+   /bin/dd rmix,
+   /bin/cat rmix,
+ 
+  # for restore
+  /bin/bash rmix,
+
+  /run/nscd/passwd r,
+  /run/nscd/group r,
+
+   # for usb access
+   /dev/bus/usb/ r,
+   /etc/udev/udev.conf r,
--- a/libvirt.changes
+++ b/libvirt.changes
@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Thu Mar 12 07:48:35 UTC 2015 - fcastelli@suse.com
+
+- Instruct polkit to allow memebers of the 'libvirt' group to connect
+  to libvirt without providing any password (bnc#920804)
+- Added polkit-10-virt.rules to fix bnc#920804
+
+-------------------------------------------------------------------
+Wed Mar 11 09:29:29 MDT 2015 - jfehlig@suse.com
+
+- Change default setting of security_default_confined in
+  /etc/libvirt/qemu.conf instead of in code.  Making the change in
+  code changes the default behavior for all users, even those that
+  have a custom security setup in their /etc/libvirt/qemu.conf.
+  Modified suse-qemu-conf.patch
+  bsc#921586
+
+-------------------------------------------------------------------
+Mon Mar  9 16:51:08 UTC 2015 - cbosdonnat@suse.com
+
+- Fixed a number of QEMU apparmor abstraction problems. bsc#921355
+  apparmor-fixes.patch
+
 -------------------------------------------------------------------
 Mon Mar  2 12:05:43 MST 2015 - jfehlig@suse.com

--- a/libvirt.spec
+++ b/libvirt.spec
@ -363,6 +363,7 @@ BuildRequires:  cyrus-sasl-devel
 %endif
 %if %{with_polkit}
    %if 0%{?suse_version} > 1110
+BuildRequires:  polkit >= 0.9
 BuildRequires:  polkit-devel >= 0.9
    %else
 BuildRequires:  PolicyKit-devel >= 0.6
@ -432,6 +433,7 @@ Source1:        %{name}-%{version}.tar.gz.asc
 Source2:        %{name}.keyring
 Source3:        libvirtd.init
 Source4:        libvirtd-relocation-server.fw
+Source5:        polkit-10-virt.rules
 Source99:       baselibs.conf
 # Upstream patches
 # Patches pending upstream review
@ -441,6 +443,7 @@ Patch151:       xen-pv-cdrom.patch
 Patch152:       blockcopy-check-dst-identical-device.patch
 Patch153:       libvirt-power8-models.patch
 Patch154:       ppc64le-canonical-name.patch
+Patch155:       apparmor-fixes.patch
 # Our patches
 Patch200:       libvirtd-defaults.patch
 Patch201:       libvirtd-init-script.patch
@ -973,6 +976,7 @@ Provides a dissector for the libvirt RPC protocol to help debugging it.
 %patch152 -p1
 %patch153 -p1
 %patch154 -p1
+%patch155 -p1
 %patch200 -p1
 %patch201 -p1
 %patch202 -p1
@ -1336,6 +1340,12 @@ mkdir -p $RPM_BUILD_ROOT%{_sbindir}
 ln -s %{_sysconfdir}/init.d/libvirt-guests $RPM_BUILD_ROOT%{_sbindir}/rclibvirt-guests
 %endif
 mv $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/libvirt-guests $RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates/sysconfig.libvirt-guests
+%if %{with_polkit}
+    %if 0%{?suse_version} > 1110
+install -d $RPM_BUILD_ROOT%{_sysconfdir}/polkit-1/rules.d/
+install %SOURCE5 $RPM_BUILD_ROOT%{_sysconfdir}/polkit-1/rules.d/10-virt.rules
+    %endif
+%endif
 %fdupes -s $RPM_BUILD_ROOT

 %clean
@ -1502,6 +1512,7 @@ fi
    %if %{with_polkit}
        %if 0%{?suse_version} > 1110
 %{_datadir}/polkit-1/actions/org.libvirt.unix.policy
+%{_sysconfdir}/polkit-1/rules.d/10-virt.rules
        %else
 %{_datadir}/PolicyKit/policy/org.libvirt.unix.policy
        %endif
--- a/polkit-10-virt.rules
+++ b/polkit-10-virt.rules
@ -0,0 +1,8 @@
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.libvirt.unix.manage"
+            && subject.local
+            && subject.active
+            && subject.isInGroup("libvirt")) {
+        return polkit.Result.YES;
+    }
+});
--- a/qemu-apparmor-screenshot.patch
+++ b/qemu-apparmor-screenshot.patch
@ -2,7 +2,7 @@ Index: libvirt-1.2.13/examples/apparmor/libvirt-qemu
 ===================================================================
 --- libvirt-1.2.13.orig/examples/apparmor/libvirt-qemu
 +++ libvirt-1.2.13/examples/apparmor/libvirt-qemu
-@@ -124,6 +124,9 @@
+@@ -132,6 +132,9 @@
   /sys/bus/ r,
   /sys/class/ r,
 
--- a/suse-qemu-conf.patch
+++ b/suse-qemu-conf.patch
@ -2,16 +2,30 @@ Index: libvirt-1.2.13/src/qemu/qemu.conf
 ===================================================================
 --- libvirt-1.2.13.orig/src/qemu/qemu.conf
 +++ libvirt-1.2.13/src/qemu/qemu.conf
-@@ -204,7 +204,7 @@
+@@ -201,11 +201,20 @@
+ # isolation, but it cannot appear in a list of drivers.
+ #
+ #security_driver = "selinux"
+#security_driver = "apparmor"
 
 # If set to non-zero, then the default security labeling
 # will make guests confined. If set to zero, then guests
 -# will be unconfined by default. Defaults to 1.
+-#security_default_confined = 1
 +# will be unconfined by default. Defaults to 0.
- #security_default_confined = 1
+#
+# SUSE Note:
+# Currently, Apparmor is the default security framework in SUSE
+# distros.  If Apparmor is enabled on the host, libvirtd is
+# generously confined but users must opt-in to confine qemu
+# instances.  Change this to a non-zero value to enable default
+# Apparmor confinement of qemu instances.
+#
+security_default_confined = 0
 
 # If set to non-zero, then attempts to create unconfined
-@@ -417,11 +417,22 @@
+ # guests will be blocked. Defaults to 0.
+@@ -417,11 +426,22 @@
 #allow_disk_format_probing = 1
 
 
@ -39,16 +53,3 @@ Index: libvirt-1.2.13/src/qemu/qemu.conf
 #
 #lock_manager = "lockd"
 
-Index: libvirt-1.2.13/src/qemu/qemu_conf.c
-===================================================================
--- libvirt-1.2.13.orig/src/qemu/qemu_conf.c
-+++ libvirt-1.2.13/src/qemu/qemu_conf.c
-@@ -293,7 +293,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf
- 
-     cfg->clearEmulatorCapabilities = true;
- 
-    cfg->securityDefaultConfined = true;
-+    cfg->securityDefaultConfined = false;
-     cfg->securityRequireConfined = false;
- 
-     cfg->keepAliveInterval = 5;