From 7eedb34aa289326a9f365731d4bcb42e85c53efa8beac85e53ee319861481d9a Mon Sep 17 00:00:00 2001 From: James Fehlig Date: Wed, 11 Mar 2015 04:41:55 +0000 Subject: [PATCH 1/4] - Fixed a number of QEMU apparmor abstraction problems. bsc#921355 apparmor-fixes.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=441 --- apparmor-fixes.patch | 33 +++++++++++++++++++++++++++++++++ libvirt.changes | 6 ++++++ libvirt.spec | 4 +++- qemu-apparmor-screenshot.patch | 2 +- 4 files changed, 43 insertions(+), 2 deletions(-) create mode 100644 apparmor-fixes.patch diff --git a/apparmor-fixes.patch b/apparmor-fixes.patch new file mode 100644 index 0000000..c7a33ea --- /dev/null +++ b/apparmor-fixes.patch @@ -0,0 +1,33 @@ +Index: libvirt-1.2.13/examples/apparmor/libvirt-qemu +=================================================================== +--- libvirt-1.2.13.orig/examples/apparmor/libvirt-qemu ++++ libvirt-1.2.13/examples/apparmor/libvirt-qemu +@@ -59,6 +59,7 @@ + # access to firmware's etc + /usr/share/kvm/** r, + /usr/share/qemu/** r, ++ /usr/share/qemu-kvm/** r, + /usr/share/bochs/** r, + /usr/share/openbios/** r, + /usr/share/openhackware/** r, +@@ -73,6 +74,7 @@ + # the various binaries + /usr/bin/kvm rmix, + /usr/bin/qemu rmix, ++ /usr/bin/qemu-kvm rmix, + /usr/bin/qemu-system-arm rmix, + /usr/bin/qemu-system-cris rmix, + /usr/bin/qemu-system-i386 rmix, +@@ -118,6 +120,12 @@ + /bin/dd rmix, + /bin/cat rmix, + ++ # for restore ++ /bin/bash rmix, ++ ++ /run/nscd/passwd r, ++ /run/nscd/group r, ++ + # for usb access + /dev/bus/usb/ r, + /etc/udev/udev.conf r, diff --git a/libvirt.changes b/libvirt.changes index a30a8a8..eeb3339 100644 --- a/libvirt.changes +++ b/libvirt.changes 
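Review bot: `/bin/bash rmix,` under `# for restore` lets every process confined by the libvirt-qemu profile execute a shell; `ix` keeps the child under the same profile, so this is not a confinement escape, but a compromised guest process gains a general-purpose interpreter over everything the profile already permits, including the firmware and nscd paths added in the same hunk. The comment only says "for restore", so a later maintainer cannot tell which libvirt restore path spawns the shell or whether it still does; expand it to `# for restore: <name the libvirt/qemu code path that execs a shell> (TODO: confirm a narrower binary cannot be used instead)` so the rule can be re-examined when that path changes. The `/run/nscd/passwd r,` and `/run/nscd/group r,` additions are read-only and unremarkable.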
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Mar 9 16:51:08 UTC 2015 - cbosdonnat@suse.com + +- Fixed a number of QEMU apparmor abstraction problems. bsc#921355 + apparmor-fixes.patch + ------------------------------------------------------------------- Mon Mar 2 12:05:43 MST 2015 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index e66738f..dec842d 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -1,7 +1,7 @@ # # spec file for package libvirt # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -441,6 +441,7 @@ Patch151: xen-pv-cdrom.patch Patch152: blockcopy-check-dst-identical-device.patch Patch153: libvirt-power8-models.patch Patch154: ppc64le-canonical-name.patch +Patch155: apparmor-fixes.patch # Our patches Patch200: libvirtd-defaults.patch Patch201: libvirtd-init-script.patch @@ -973,6 +974,7 @@ Provides a dissector for the libvirt RPC protocol to help debugging it. %patch152 -p1 %patch153 -p1 %patch154 -p1 +%patch155 -p1 %patch200 -p1 %patch201 -p1 %patch202 -p1 diff --git a/qemu-apparmor-screenshot.patch b/qemu-apparmor-screenshot.patch index 45c8d8f..392780c 100644 --- a/qemu-apparmor-screenshot.patch +++ b/qemu-apparmor-screenshot.patch @@ -2,7 +2,7 @@ Index: libvirt-1.2.13/examples/apparmor/libvirt-qemu =================================================================== --- libvirt-1.2.13.orig/examples/apparmor/libvirt-qemu +++ libvirt-1.2.13/examples/apparmor/libvirt-qemu -@@ -124,6 +124,9 @@ +@@ -132,6 +132,9 @@ /sys/bus/ r, /sys/class/ r, From 168a353639a837d866d35822b0b667a5a4f150893a3ef0e83cc8cbfb96cd7c35 Mon Sep 17 00:00:00 2001 
From: James Fehlig Date: Wed, 11 Mar 2015 15:35:20 +0000 Subject: [PATCH 2/4] - Change default setting of security_default_confined in /etc/libvirt/qemu.conf instead of in code. Making the change in code changes the default behavior for all users, even those that have a custom security setup in their /etc/libvirt/qemu.conf. Modified suse-qemu-conf.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=442 --- libvirt.changes | 9 +++++++++ libvirt.spec | 2 +- suse-qemu-conf.patch | 33 +++++++++++++++++---------------- 3 files changed, 27 insertions(+), 17 deletions(-) diff --git a/libvirt.changes b/libvirt.changes index eeb3339..f08bf68 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Wed Mar 11 09:29:29 MDT 2015 - jfehlig@suse.com + +- Change default setting of security_default_confined in + /etc/libvirt/qemu.conf instead of in code. Making the change in + code changes the default behavior for all users, even those that + have a custom security setup in their /etc/libvirt/qemu.conf. + Modified suse-qemu-conf.patch + ------------------------------------------------------------------- Mon Mar 9 16:51:08 UTC 2015 - cbosdonnat@suse.com diff --git a/libvirt.spec b/libvirt.spec index dec842d..aa89a51 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -1,7 +1,7 @@ # # spec file for package libvirt # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed diff --git a/suse-qemu-conf.patch b/suse-qemu-conf.patch index 85da369..89eadd4 100644 --- a/suse-qemu-conf.patch +++ b/suse-qemu-conf.patch 
@@ -2,16 +2,30 @@ Index: libvirt-1.2.13/src/qemu/qemu.conf =================================================================== --- libvirt-1.2.13.orig/src/qemu/qemu.conf +++ libvirt-1.2.13/src/qemu/qemu.conf -@@ -204,7 +204,7 @@ +@@ -201,11 +201,20 @@ + # isolation, but it cannot appear in a list of drivers. + # + #security_driver = "selinux" ++#security_driver = "apparmor" # If set to non-zero, then the default security labeling # will make guests confined. If set to zero, then guests -# will be unconfined by default. Defaults to 1. +-#security_default_confined = 1 +# will be unconfined by default. Defaults to 0. - #security_default_confined = 1 ++# ++# SUSE Note: ++# Currently, Apparmor is the default security framework in SUSE ++# distros. If Apparmor is enabled on the host, libvirtd is ++# generously confined but users must opt-in to confine qemu ++# instances. Change this to a non-zero value to enable default ++# Apparmor confinement of qemu instances. ++# ++security_default_confined = 0 # If set to non-zero, then attempts to create unconfined -@@ -417,11 +417,22 @@ + # guests will be blocked. Defaults to 0. +@@ -417,11 +426,22 @@ #allow_disk_format_probing = 1 @@ -39,16 +53,3 @@ Index: libvirt-1.2.13/src/qemu/qemu.conf # #lock_manager = "lockd" -Index: libvirt-1.2.13/src/qemu/qemu_conf.c -=================================================================== ---- libvirt-1.2.13.orig/src/qemu/qemu_conf.c -+++ libvirt-1.2.13/src/qemu/qemu_conf.c -@@ -293,7 +293,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf - - cfg->clearEmulatorCapabilities = true; - -- cfg->securityDefaultConfined = true; -+ cfg->securityDefaultConfined = false; - cfg->securityRequireConfined = false; - - cfg->keepAliveInterval = 5; From 06af732b93f1d180aac347288bf2ff577631813f750a2b005d8bed17a4f46408 Mon Sep 17 00:00:00 2001 
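Review bot: The shipped qemu.conf comment `# will be unconfined by default. Defaults to 0.` now contradicts the compiled-in default: this commit drops the qemu_conf.c hunk, so `cfg->securityDefaultConfined` stays `true`, and an admin who comments out `security_default_confined = 0` gets confined guests again, the opposite of what the comment promises. Keep upstream's wording, `# will be unconfined by default. Defaults to 1.`, and state the packaging choice inside the SUSE Note instead, e.g. `# The compiled-in default is 1; SUSE ships this file with it set to 0.`. The SUSE Note is the only place an admin learns that qemu instances run unconfined unless they opt in, so the two statements must agree.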
From: James Fehlig Date: Wed, 11 Mar 2015 15:44:09 +0000 Subject: [PATCH 3/4] add bug number to last changelog entry OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=443 --- libvirt.changes | 1 + 1 file changed, 1 insertion(+) diff --git a/libvirt.changes b/libvirt.changes index f08bf68..7bdea3e 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -6,6 +6,7 @@ Wed Mar 11 09:29:29 MDT 2015 - jfehlig@suse.com code changes the default behavior for all users, even those that have a custom security setup in their /etc/libvirt/qemu.conf. Modified suse-qemu-conf.patch + bsc#921586 ------------------------------------------------------------------- Mon Mar 9 16:51:08 UTC 2015 - cbosdonnat@suse.com From 44a71b3a3e8ca79f1300e7e2f444c49eb3a54175dfc0b70743684a2f64f620ad Mon Sep 17 00:00:00 2001 From: James Fehlig Date: Mon, 16 Mar 2015 16:59:15 +0000 Subject: [PATCH 4/4] Accepting request 291007 from home:flavio_castelli:branches:Virtualization - Instruct polkit to allow memebers of the 'libvirt' group to connect to libvirt without providing any password (bnc#920804) - Added polkit-10-virt.rules to fix bnc#920804 OBS-URL: https://build.opensuse.org/request/show/291007 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=444 --- libvirt.changes | 7 +++++++ libvirt.spec | 9 +++++++++ polkit-10-virt.rules | 8 ++++++++ 3 files changed, 24 insertions(+) create mode 100644 polkit-10-virt.rules diff --git a/libvirt.changes b/libvirt.changes index 7bdea3e..97c91f3 100644 --- a/libvirt.changes +++ b/libvirt.changes 
@@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Mar 12 07:48:35 UTC 2015 - fcastelli@suse.com + +- Instruct polkit to allow memebers of the 'libvirt' group to connect + to libvirt without providing any password (bnc#920804) +- Added polkit-10-virt.rules to fix bnc#920804 + ------------------------------------------------------------------- Wed Mar 11 09:29:29 MDT 2015 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index aa89a51..9c75f93 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -363,6 +363,7 @@ BuildRequires: cyrus-sasl-devel %endif %if %{with_polkit} %if 0%{?suse_version} > 1110 +BuildRequires: polkit >= 0.9 BuildRequires: polkit-devel >= 0.9 %else BuildRequires: PolicyKit-devel >= 0.6 @@ -432,6 +433,7 @@ Source1: %{name}-%{version}.tar.gz.asc Source2: %{name}.keyring Source3: libvirtd.init Source4: libvirtd-relocation-server.fw +Source5: polkit-10-virt.rules Source99: baselibs.conf # Upstream patches # Patches pending upstream review @@ -1338,6 +1340,12 @@ mkdir -p $RPM_BUILD_ROOT%{_sbindir} ln -s %{_sysconfdir}/init.d/libvirt-guests $RPM_BUILD_ROOT%{_sbindir}/rclibvirt-guests %endif mv $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/libvirt-guests $RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates/sysconfig.libvirt-guests +%if %{with_polkit} + %if 0%{?suse_version} > 1110 +install -d $RPM_BUILD_ROOT%{_sysconfdir}/polkit-1/rules.d/ +install %SOURCE5 $RPM_BUILD_ROOT%{_sysconfdir}/polkit-1/rules.d/10-virt.rules + %endif +%endif %fdupes -s $RPM_BUILD_ROOT %clean @@ -1504,6 +1512,7 @@ fi %if %{with_polkit} %if 0%{?suse_version} > 1110 %{_datadir}/polkit-1/actions/org.libvirt.unix.policy +%{_sysconfdir}/polkit-1/rules.d/10-virt.rules %else %{_datadir}/PolicyKit/policy/org.libvirt.unix.policy %endif diff --git a/polkit-10-virt.rules b/polkit-10-virt.rules new file mode 100644 index 0000000..0fcb521 --- /dev/null +++ b/polkit-10-virt.rules 
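Review bot: `+%{_sysconfdir}/polkit-1/rules.d/10-virt.rules` in the `%files` hunk is listed as a plain file under /etc, so a local edit to the rule (for example tightening the group or the action) is silently overwritten by the next package update; list it as `%config(noreplace) %{_sysconfdir}/polkit-1/rules.d/10-virt.rules`. In the `%install` hunk, `install %SOURCE5 ...` without `-m` creates the rule with install's default 0755 mode; `install -m 0644 %SOURCE5 $RPM_BUILD_ROOT%{_sysconfdir}/polkit-1/rules.d/10-virt.rules` is what a rules file should get. A vendor-shipped rule arguably belongs under `%{_datadir}/polkit-1/rules.d` with /etc left for local overrides, which would also settle the `%config` question — hedged, since the polkit versions available on the older `suse_version` targets are not visible here.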
@@ -0,0 +1,8 @@
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.libvirt.unix.manage"
+ && subject.local
+ && subject.active
+ && subject.isInGroup("libvirt")) {
+ return polkit.Result.YES;
+ }
+});
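Review bot: The rule grants `org.libvirt.unix.manage`, libvirt's full read-write management action, to every local, active member of group 'libvirt', which in practice is root-equivalent on the host (a manager can define a guest backed by any host device or file), whereas the commit message only says members can "connect ... without providing any password". The file carries no comment, so add a header such as `// Local, active members of group 'libvirt' may fully manage libvirt (org.libvirt.unix.manage) without authenticating; treat group membership as root-equivalent.` so admins adding users to the group understand what they are granting. The `subject.local && subject.active` guards are the right scoping and should stay. As a style point, `if (action.id === "org.libvirt.unix.manage"` avoids the loose comparison on the action id.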