diff --git a/2222123-virt-aa-helper-crash.patch b/2222123-virt-aa-helper-crash.patch new file mode 100644 index 0000000..07910d4 --- /dev/null +++ b/2222123-virt-aa-helper-crash.patch @@ -0,0 +1,27 @@ +From 22221233d0c2fd2c2d41b7527fe2bec13295a427 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= +Date: Thu, 20 Nov 2014 11:31:44 +0100 +Subject: [PATCH 1/5] virt-aa-helper wasn't running virErrorInitialize + +This turns out to be working by magic but needs to be fixed. +--- + src/security/virt-aa-helper.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +Index: libvirt-1.2.10/src/security/virt-aa-helper.c +=================================================================== +--- libvirt-1.2.10.orig/src/security/virt-aa-helper.c ++++ libvirt-1.2.10/src/security/virt-aa-helper.c +@@ -1251,6 +1251,12 @@ main(int argc, char **argv) + exit(EXIT_FAILURE); + } + ++ if (virThreadInitialize() < 0 || ++ virErrorInitialize() < 0) { ++ fprintf(stderr, _("%s: initialization failed\n"), argv[0]); ++ exit(EXIT_FAILURE); ++ } ++ + /* clear the environment */ + environ = NULL; + if (setenv("PATH", "/sbin:/usr/sbin", 1) != 0) { diff --git a/433b427-iplink-name.patch b/433b427-iplink-name.patch new file mode 100644 index 0000000..5aa0189 --- /dev/null +++ b/433b427-iplink-name.patch @@ -0,0 +1,40 @@ +From 433b427ff853ab72d32573d415e6ec569b77c7cb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= +Date: Thu, 20 Nov 2014 15:26:35 +0100 +Subject: [PATCH 3/5] ip link needs 'name' in 3.16 to create the veth pair + +Due to a change (or bug?) in ip link implementation, the command + 'ip link add vnet0...' +is forced into + 'ip link add name vnet0...' +The changed command also works on older versions of iproute2, just the +'name' parameter has been made mandatory. +--- + src/util/virnetdevveth.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/util/virnetdevveth.c b/src/util/virnetdevveth.c +index e9d6f9c..ad30e1d 100644 +--- a/src/util/virnetdevveth.c ++++ b/src/util/virnetdevveth.c +@@ -89,7 +89,7 @@ static int virNetDevVethGetFreeNum(int startDev) + * @veth2: pointer to return name for container end of veth pair + * + * Creates a veth device pair using the ip command: +- * ip link add veth1 type veth peer name veth2 ++ * ip link add name veth1 type veth peer name veth2 + * If veth1 points to NULL on entry, it will be a valid interface on + * return. veth2 should point to NULL on entry. + * +@@ -146,7 +146,7 @@ int virNetDevVethCreate(char** veth1, char** veth2) + } + + cmd = virCommandNew("ip"); +- virCommandAddArgList(cmd, "link", "add", ++ virCommandAddArgList(cmd, "link", "add", "name", + *veth1 ? *veth1 : veth1auto, + "type", "veth", "peer", "name", + *veth2 ? *veth2 : veth2auto, +-- +2.1.2 + diff --git a/72fecf1-lxc-resolve-symlinks.patch b/72fecf1-lxc-resolve-symlinks.patch new file mode 100644 index 0000000..3fbd53b --- /dev/null +++ b/72fecf1-lxc-resolve-symlinks.patch @@ -0,0 +1,158 @@ +From 72fecf1813b9e77a7f89bc1e708f91bdab7d9ad4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= +Date: Fri, 21 Nov 2014 17:45:55 +0100 +Subject: [PATCH 4/5] lxc: be more patient while resolving symlinks + +Resolving symlinks can fail before mounting any file system if one file +system depends on another being mounted. Symlinks are now resolved in +two passes: + + * Before any file system is mounted, but then we are more gentle if + the source path can't be accessed + * Right before mounting a file system, so that we are sure that we + have the resolved path... but then if it can't be accessed we raise + an error. +--- + src/conf/domain_conf.h | 1 + + src/lxc/lxc_container.c | 77 ++++++++++++++++++++++++++++++++++--------------- + 2 files changed, 54 insertions(+), 24 deletions(-) + +diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h +index d428451..dcb30bc 100644 +--- a/src/conf/domain_conf.h ++++ b/src/conf/domain_conf.h +@@ -821,6 +821,7 @@ struct _virDomainFSDef { + virDomainDeviceInfo info; + unsigned long long space_hard_limit; /* in bytes */ + unsigned long long space_soft_limit; /* in bytes */ ++ bool symlinksResolved; + }; + + +diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c +index db823d6..12f3a41 100644 +--- a/src/lxc/lxc_container.c ++++ b/src/lxc/lxc_container.c +@@ -608,6 +608,48 @@ static int lxcContainerUnmountSubtree(const char *prefix, + return ret; + } + ++static int lxcContainerResolveSymlinks(virDomainFSDefPtr fs, bool gentle) ++{ ++ char *newroot; ++ ++ if (!fs->src || fs->symlinksResolved) ++ return 0; ++ ++ if (access(fs->src, F_OK)) { ++ if (gentle) { ++ /* Just ignore the error for the while, we'll try again later */ ++ VIR_DEBUG("Skipped unaccessible '%s'", fs->src); ++ return 0; ++ } else { ++ virReportSystemError(errno, ++ _("Failed to access '%s'"), fs->src); ++ return -1; ++ } ++ } ++ ++ VIR_DEBUG("Resolving '%s'", fs->src); ++ if (virFileResolveAllLinks(fs->src, &newroot) < 0) { ++ if (gentle) { ++ VIR_DEBUG("Skipped non-resolvable '%s'", fs->src); ++ return 0; ++ } else { ++ virReportSystemError(errno, ++ _("Failed to resolve symlink at %s"), ++ fs->src); ++ } ++ return -1; ++ } ++ ++ /* Mark it resolved to skip it the next time */ ++ fs->symlinksResolved = true; ++ ++ VIR_DEBUG("Resolved '%s' to %s", fs->src, newroot); ++ ++ VIR_FREE(fs->src); ++ fs->src = newroot; ++ ++ return 0; ++} + + static int lxcContainerPrepareRoot(virDomainDefPtr def, + virDomainFSDefPtr root, +@@ -634,6 +676,9 @@ static int lxcContainerPrepareRoot(virDomainDefPtr def, + return -1; + } + ++ if (lxcContainerResolveSymlinks(root, false) < 0) ++ return -1; ++ + if (virAsprintf(&dst, "%s/%s.root", + LXC_STATE_DIR, def->name) < 0) + return -1; +@@ -1552,6 +1597,9 @@ static int lxcContainerMountAllFS(virDomainDefPtr vmDef, + if (STREQ(vmDef->fss[i]->dst, "/")) + continue; + ++ if (lxcContainerResolveSymlinks(vmDef->fss[i], false) < 0) ++ return -1; ++ + if (lxcContainerUnmountSubtree(vmDef->fss[i]->dst, + false) < 0) + return -1; +@@ -1735,37 +1783,18 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef, + return ret; + } + +- +-static int lxcContainerResolveSymlinks(virDomainDefPtr vmDef) ++static int lxcContainerResolveAllSymlinks(virDomainDefPtr vmDef) + { +- char *newroot; + size_t i; + + VIR_DEBUG("Resolving symlinks"); + + for (i = 0; i < vmDef->nfss; i++) { + virDomainFSDefPtr fs = vmDef->fss[i]; +- if (!fs->src) +- continue; +- +- if (access(fs->src, F_OK)) { +- virReportSystemError(errno, +- _("Failed to access '%s'"), fs->src); ++ /* In the first pass, be gentle as some files may ++ depend on other filesystems to be mounted */ ++ if (lxcContainerResolveSymlinks(fs, true) < 0) + return -1; +- } +- +- VIR_DEBUG("Resolving '%s'", fs->src); +- if (virFileResolveAllLinks(fs->src, &newroot) < 0) { +- virReportSystemError(errno, +- _("Failed to resolve symlink at %s"), +- fs->src); +- return -1; +- } +- +- VIR_DEBUG("Resolved '%s' to %s", fs->src, newroot); +- +- VIR_FREE(fs->src); +- fs->src = newroot; + } + VIR_DEBUG("Resolved all filesystem symlinks"); + +@@ -2106,7 +2135,7 @@ static int lxcContainerChild(void *data) + goto cleanup; + } + +- if (lxcContainerResolveSymlinks(vmDef) < 0) ++ if (lxcContainerResolveAllSymlinks(vmDef) < 0) + goto cleanup; + + VIR_DEBUG("Setting up pivot"); +-- +2.1.2 + diff --git a/c264eea-virt-aa-helper-sandbox.patch b/c264eea-virt-aa-helper-sandbox.patch new file mode 100644 index 0000000..f775aa5 --- /dev/null +++ b/c264eea-virt-aa-helper-sandbox.patch @@ -0,0 +1,29 @@ +From c264eeaa381a917f01ba74526bf202073358a9dc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= +Date: Thu, 20 Nov 2014 11:32:38 +0100 +Subject: [PATCH 2/5] virt-aa-helper: /etc/libvirt-sandbox/services isn't + restricted + +To get virt-sandbox-service working with AppArmor, virt-aa-helper +needs not to choke on path in /etc/libvirt-sandbox/services. +--- + src/security/virt-aa-helper.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c +index 81f9f40..f273e09 100644 +--- a/src/security/virt-aa-helper.c ++++ b/src/security/virt-aa-helper.c +@@ -571,7 +571,8 @@ valid_path(const char *path, const bool readonly) + }; + /* override the above with these */ + const char * const override[] = { +- "/sys/devices/pci" /* for hostdev pci devices */ ++ "/sys/devices/pci", /* for hostdev pci devices */ ++ "/etc/libvirt-sandbox/services/" /* for virt-sandbox service config */ + }; + + if (path == NULL) { +-- +2.1.2 + diff --git a/e50457d-lxc-unmount-check.patch b/e50457d-lxc-unmount-check.patch new file mode 100644 index 0000000..7e01520 --- /dev/null +++ b/e50457d-lxc-unmount-check.patch @@ -0,0 +1,45 @@ +From e50457dd4cc5d4ba1ac7b05734157524620d087f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= +Date: Mon, 24 Nov 2014 15:10:19 +0100 +Subject: [PATCH 5/5] lxc: don't unmount subtree if it contains the source of + the mount + +The typical case where we had a problem is with such a filesystem +definition as created by virt-sandbox-service: + + + + + + +In this case, we don't want to unmount the /var subtree or we may +loose the access to the source folder. +--- + src/lxc/lxc_container.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c +index 12f3a41..334a1df 100644 +--- a/src/lxc/lxc_container.c ++++ b/src/lxc/lxc_container.c +@@ -1597,11 +1597,15 @@ static int lxcContainerMountAllFS(virDomainDefPtr vmDef, + if (STREQ(vmDef->fss[i]->dst, "/")) + continue; + ++ VIR_DEBUG("Mounting '%s' -> '%s'", vmDef->fss[i]->src, vmDef->fss[i]->dst); ++ + if (lxcContainerResolveSymlinks(vmDef->fss[i], false) < 0) + return -1; + +- if (lxcContainerUnmountSubtree(vmDef->fss[i]->dst, +- false) < 0) ++ ++ if (!(vmDef->fss[i]->src && ++ STRPREFIX(vmDef->fss[i]->src, vmDef->fss[i]->dst)) && ++ lxcContainerUnmountSubtree(vmDef->fss[i]->dst, false) < 0) + return -1; + + if (lxcContainerMountFS(vmDef->fss[i], sec_mount_options) < 0) +-- +2.1.2 + diff --git a/libvirt.changes b/libvirt.changes index b49bf13..5ec201a 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,26 @@ +------------------------------------------------------------------- +Thu Nov 20 11:56:16 UTC 2014 - cbosdonnat@suse.com + +- Fix potential crasher in virt-aa-helper + 2222123-virt-aa-helper-crash.patch +- ip link add now needs the 'name' parameter. + 433b427-iplink-name.patch +- Fixes for virt-sandbox-service to work: + - Allow adding virt-sandbox service config to apparmor rules. + c264eea-virt-aa-helper-sandbox.patch + - fix symlink resolving for containers to start. + 72fecf1-lxc-resolve-symlinks.patch + - fix unmounting file system if it contains the source to mount. + e50457d-lxc-unmount-check.patch + +------------------------------------------------------------------- +Tue Nov 18 17:21:55 UTC 2014 - cbosdonnat@suse.com + +- Remove security_driver = "none" in qemu config. This completely + disabled all security drivers instead of probing them. +- Changed default value of QEMU's security_default_confined to 0 to + keep QEMU domains unconfined by default. + ------------------------------------------------------------------- Mon Nov 10 22:01:31 MST 2014 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index b4bbe04..d495d7f 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -435,6 +435,11 @@ Source4: libvirtd-relocation-server.fw Source99: baselibs.conf # Upstream patches Patch0: b1674ad5-CVE-2014-7823.patch +Patch1: 2222123-virt-aa-helper-crash.patch +Patch2: c264eea-virt-aa-helper-sandbox.patch +Patch3: 433b427-iplink-name.patch +Patch4: 72fecf1-lxc-resolve-symlinks.patch +Patch5: e50457d-lxc-unmount-check.patch # Patches pending upstream review # Need to go upstream Patch150: xen-name-for-devid.patch @@ -968,6 +973,11 @@ Provides a dissector for the libvirt RPC protocol to help debugging it. %prep %setup -q %patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 %patch150 -p1 %patch151 -p1 %patch152 -p1 diff --git a/suse-qemu-conf.patch b/suse-qemu-conf.patch index aa761ea..fa32bb9 100644 --- a/suse-qemu-conf.patch +++ b/suse-qemu-conf.patch @@ -2,24 +2,16 @@ Index: libvirt-1.2.10/src/qemu/qemu.conf =================================================================== --- libvirt-1.2.10.orig/src/qemu/qemu.conf +++ libvirt-1.2.10/src/qemu/qemu.conf -@@ -200,7 +200,16 @@ - # a special value; security_driver can be set to that value in - # isolation, but it cannot appear in a list of drivers. - # -+# SUSE Note: -+# Currently, Apparmor is the default security framework in SUSE -+# distros. If Apparmor is enabled on the host, libvirtd is -+# generously confined but users must opt-in to confine qemu -+# instances. Change this to 'apparmor' to enable Apparmor -+# confinement of qemu instances. -+# - #security_driver = "selinux" -+# security_driver = "apparmor" -+security_driver = "none" +@@ -204,7 +204,7 @@ # If set to non-zero, then the default security labeling # will make guests confined. If set to zero, then guests -@@ -417,11 +426,22 @@ +-# will be unconfined by default. Defaults to 1. ++# will be unconfined by default. Defaults to 0. + #security_default_confined = 1 + + # If set to non-zero, then attempts to create unconfined +@@ -417,11 +417,22 @@ #allow_disk_format_probing = 1 @@ -47,3 +39,16 @@ Index: libvirt-1.2.10/src/qemu/qemu.conf # #lock_manager = "lockd" +Index: libvirt-1.2.10/src/qemu/qemu_conf.c +=================================================================== +--- libvirt-1.2.10.orig/src/qemu/qemu_conf.c ++++ libvirt-1.2.10/src/qemu/qemu_conf.c +@@ -249,7 +249,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf + + cfg->clearEmulatorCapabilities = true; + +- cfg->securityDefaultConfined = true; ++ cfg->securityDefaultConfined = false; + cfg->securityRequireConfined = false; + + cfg->keepAliveInterval = 5;