Accepting request 540060 from home:jfehlig:branches:Virtualization

- apparmor: add rules for new mediation features
  apparmor-rules-for-new-mediation-features.patch,
  apparmor-fine-grained-mount-rules.patch
  bsc#1066124, boo#1065123
- spec: unconditionally enable the wireshark dissector

OBS-URL: https://build.opensuse.org/request/show/540060
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=636

apparmor-fine-grained-mount-rules.patch

@@ -0,0 +1,35 @@
+commit 97853972e6e5a92b56e1ec0841aa27043ac1301b
+Author: intrigeri <intrigeri+libvirt@boum.org>
+Date:   Sun Nov 5 15:29:58 2017 +0000
+
+    AppArmor: use fine-grained mount rules instead of a blanket catch-all one
+    
+    This set of rules was proposed by Christian Boltz <apparmor@cboltz.de>
+    on https://bugzilla.opensuse.org/show_bug.cgi?id=1065123.
+
+Index: libvirt-3.9.0/examples/apparmor/usr.sbin.libvirtd
+===================================================================
+--- libvirt-3.9.0.orig/examples/apparmor/usr.sbin.libvirtd
++++ libvirt-3.9.0/examples/apparmor/usr.sbin.libvirtd
+@@ -30,7 +30,20 @@
+   # Needed for vfio
+   capability sys_resource,
+ 
+-  mount,
++  mount options=(rw,rslave)  -> /,
++  mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
++
++  mount options=(rw, move) /dev/           -> /{var/,}run/libvirt/qemu/*.dev/,
++  mount options=(rw, move) /dev/hugepages/ -> /{var/,}run/libvirt/qemu/*.hugepages/,
++  mount options=(rw, move) /dev/mqueue/    -> /{var/,}run/libvirt/qemu/*.mqueue/,
++  mount options=(rw, move) /dev/pts/       -> /{var/,}run/libvirt/qemu/*.pts/,
++  mount options=(rw, move) /dev/shm/       -> /{var/,}run/libvirt/qemu/*.shm/,
++
++  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.dev/       -> /dev/,
++  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.hugepages/ -> /dev/hugepages/,
++  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.mqueue/    -> /dev/mqueue/,
++  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.pts/       -> /dev/pts/,
++  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.shm/       -> /dev/shm/,
+ 
+   network inet stream,
+   network inet dgram,

apparmor-rules-for-new-mediation-features.patch

@@ -0,0 +1,49 @@
+commit 141103378a74c68cbd775a306cdfd641119debbd
+Author: intrigeri <intrigeri+libvirt@boum.org>
+Date:   Sun Nov 5 15:29:57 2017 +0000
+
+    AppArmor: add rules needed with additional mediation features brought by Linux 4.14.
+
+Index: libvirt-3.9.0/examples/apparmor/libvirt-qemu
+===================================================================
+--- libvirt-3.9.0.orig/examples/apparmor/libvirt-qemu
++++ libvirt-3.9.0/examples/apparmor/libvirt-qemu
+@@ -16,6 +16,10 @@
+   network inet stream,
+   network inet6 stream,
+ 
++  ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
++
++  signal (receive) peer=/usr/sbin/libvirtd,
++
+   /dev/net/tun rw,
+   /dev/kvm rw,
+   /dev/ptmx rw,
+Index: libvirt-3.9.0/examples/apparmor/usr.sbin.libvirtd
+===================================================================
+--- libvirt-3.9.0.orig/examples/apparmor/usr.sbin.libvirtd
++++ libvirt-3.9.0/examples/apparmor/usr.sbin.libvirtd
+@@ -30,10 +30,13 @@
+   # Needed for vfio
+   capability sys_resource,
+ 
++  mount,
++
+   network inet stream,
+   network inet dgram,
+   network inet6 stream,
+   network inet6 dgram,
++  network netlink raw,
+   network packet dgram,
+   network packet raw,
+ 
+@@ -42,6 +45,9 @@
+   ptrace (trace) peer=/usr/sbin/dnsmasq,
+   ptrace (trace) peer=libvirt-*,
+ 
++  signal (send) peer=/usr/sbin/dnsmasq,
++  signal (read, send) peer=libvirt-*,
++
+   # Very lenient profile for libvirtd since we want to first focus on confining
+   # the guests. Guests will have a very restricted profile.
+   / r,

libvirt.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Nov  8 21:10:34 UTC 2017 - jfehlig@suse.com
+
+- apparmor: add rules for new mediation features
+  apparmor-rules-for-new-mediation-features.patch,
+  apparmor-fine-grained-mount-rules.patch
+  bsc#1066124, boo#1065123
+- spec: unconditionally enable the wireshark dissector
+
 -------------------------------------------------------------------
 Wed Nov  8 11:04:04 UTC 2017 - cbosdonnat@suse.com
 

libvirt.spec

@@ -40,13 +40,13 @@
 # Optional bits on by default
 %define with_sanlock       0%{!?_without_sanlock:1}
 %define with_polkit_rules  1
+%define with_wireshark     0%{!?_without_wireshark:1}
 
 # A few optional bits off by default, we enable later
 %define with_cgconfig      0%{!?_without_cgconfig:0}
 %define with_numactl       0%{!?_without_numactl:0}
 %define with_numad         0%{!?_without_numad:0}
 %define with_firewalld     0%{!?_without_firewalld:0}
-%define with_wireshark     0%{!?_without_wireshark:0}
 %define with_libssh        0%{!?_without_libssh:0}
 
 # Xen no longer contains xm/xend so disable building the legacy Xen driver
@@ -131,13 +131,6 @@
     %endif
 %endif
 
-# libvirt commit 37397320 changed the configure check for wireshark to use
-# pkgconfig. Currently only the Leap 42.2 and Factory wireshark-devel packages
-# provide wireshark.pc. Disable the dissector for SLE and Leap <= 42.1
-%if 0%{?sle_version} < 120200 && ! 0%{?is_opensuse}
-    %define with_wireshark     0
-%endif
-
 # numad is used to manage the CPU and memory placement dynamically for
 # qemu, lxc, and uml drivers
 %if %{with_qemu} || %{with_lxc} || %{with_uml}
@@ -293,7 +286,7 @@ BuildRequires:  systemtap-sdt-devel
 BuildRequires:  numad
 %endif
 %if %{with_wireshark}
-BuildRequires:  wireshark-devel >= 1.12.1
+BuildRequires:  wireshark-devel >= 2.1.0
 %endif
 %if %{with_libssh}
 BuildRequires:  libssh-devel >= 0.7.0
@@ -310,6 +303,8 @@ Source100:      %{name}-rpmlintrc
 # Patches pending upstream review
 Patch100:       libxl-dom-reset.patch
 Patch101:       network-don-t-use-dhcp-authoritative-on-static-netwo.patch
+Patch102:       apparmor-rules-for-new-mediation-features.patch
+Patch103:       apparmor-fine-grained-mount-rules.patch
 # Need to go upstream
 Patch150:       xen-pv-cdrom.patch
 Patch151:       blockcopy-check-dst-identical-device.patch
@@ -883,6 +878,8 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %setup -q
 %patch100 -p1
 %patch101 -p1
+%patch102 -p1
+%patch103 -p1
 %patch150 -p1
 %patch151 -p1
 %patch152 -p1
@@ -1105,7 +1102,7 @@ make %{?_smp_mflags} -C examples distclean
 cp examples/lxcconvert/virt-lxc-convert %{buildroot}/%{_bindir}
 rm -f %{buildroot}/%{_libdir}/*.la
 %if %{with_wireshark}
-rm -f %{buildroot}/%{_libdir}/wireshark/plugins/libvirt.la
+rm -f %{buildroot}/%{_libdir}/wireshark/plugins/*/libvirt.la
 %endif
 rm -f %{buildroot}/%{_libdir}/*.a
 rm -f %{buildroot}/%{_libdir}/%{name}/lock-driver/*.la
@@ -1694,7 +1691,7 @@ fi
 %if %{with_wireshark}
 
 %files -n wireshark-plugin-libvirt
-%{_libdir}/wireshark/plugins/libvirt.so
+%{_libdir}/wireshark/plugins/*/libvirt.so
 %endif
 
 %files nss

qemu-apparmor-screenshot.patch

@@ -2,7 +2,7 @@ Index: libvirt-3.9.0/examples/apparmor/libvirt-qemu
 ===================================================================
 --- libvirt-3.9.0.orig/examples/apparmor/libvirt-qemu
 +++ libvirt-3.9.0/examples/apparmor/libvirt-qemu
-@@ -180,3 +180,6 @@
+@@ -184,3 +184,6 @@
    /sys/devices/system/node/ r,
    /sys/devices/system/node/node[0-9]*/meminfo r,
    /sys/module/vhost/parameters/max_mem_regions r,

suse-apparmor-libnl-paths.patch

@@ -25,7 +25,7 @@ Index: libvirt-3.9.0/examples/apparmor/libvirt-qemu
 ===================================================================
 --- libvirt-3.9.0.orig/examples/apparmor/libvirt-qemu
 +++ libvirt-3.9.0/examples/apparmor/libvirt-qemu
-@@ -54,6 +54,7 @@
+@@ -58,6 +58,7 @@
    #/dev/fb* rw,
  
    /etc/pulse/client.conf r,