pool/libvirt
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 79898 from Virtualization

Browse Source 
- Add cgconfig to Should-{Start,Stop} in libvirtd init script
  bnc#712245

- Fix apparmor profile location and content
  update install-apparmor-profiles.patch
  bnc#705668

- Fix libvirtd SIGHUP handler
  9e093f0b-libvirtd-sighup.patch

- add baselibs.conf to sources

- Enable apparmor security dirver, SLES bnc#705668
  install-apparmor-profiles.patch

OBS-URL: https://build.opensuse.org/request/show/79898
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=84
This commit is contained in:
Sascha Peilicke 2011-08-29 09:27:53 +00:00 committed by Git OBS Bridge
commit bf6c7c0f04
5 changed files with 369 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
9e093f0b-libvirtd-sighup.patch Normal file
View File

@ -0,0 +1,46 @@
commit 9e093f0b4cc5a5fc455a4893d73dc0f2c5355161
Author: Osier Yang <jyang@redhat.com>
Date: Mon Aug 15 15:40:46 2011 +0800
daemon: Fix regression of libvirtd reloading support
This is introduced by commit df0b57a95a, which forgot to
add signal handler for SIGHUP.
A simple reproduce method:
1) Create a domain XML under /etc/libvirt/qemu
2) % kill -SIGHUP $(pidof libvirtd)
3) % virsh list --all (the new created domain XML is not listed)
Index: libvirt-0.9.4/daemon/libvirtd.c
===================================================================
--- libvirt-0.9.4.orig/daemon/libvirtd.c
+++ libvirt-0.9.4/daemon/libvirtd.c
@@ -1139,6 +1139,17 @@ static void daemonShutdownHandler(virNet
virNetServerQuit(srv);
}
+static void daemonReloadHandler(virNetServerPtr srv ATTRIBUTE_UNUSED,
+ siginfo_t *sig ATTRIBUTE_UNUSED,
+ void *opaque ATTRIBUTE_UNUSED)
+{
+ VIR_INFO("Reloading configuration on SIGHUP");
+ virHookCall(VIR_HOOK_DRIVER_DAEMON, "-",
+ VIR_HOOK_DAEMON_OP_RELOAD, SIGHUP, "SIGHUP", NULL);
+ if (virStateReload() < 0)
+ VIR_WARN("Error while reloading drivers");
+}
+
static int daemonSetupSignals(virNetServerPtr srv)
{
if (virNetServerAddSignalHandler(srv, SIGINT, daemonShutdownHandler, NULL) < 0)
@@ -1147,6 +1158,8 @@ static int daemonSetupSignals(virNetServ
return -1;
if (virNetServerAddSignalHandler(srv, SIGTERM, daemonShutdownHandler, NULL) < 0)
return -1;
+ if (virNetServerAddSignalHandler(srv, SIGHUP, daemonReloadHandler, NULL) < 0)
+ return -1;
return 0;
}

271
install-apparmor-profiles.patch Normal file
View File

@ -0,0 +1,271 @@
Index: libvirt-0.9.4/examples/apparmor/Makefile.am
===================================================================
--- libvirt-0.9.4.orig/examples/apparmor/Makefile.am
+++ libvirt-0.9.4/examples/apparmor/Makefile.am
@@ -1,8 +1,39 @@
## Copyright (C) 2005-2011 Red Hat, Inc.
## See COPYING.LIB for the License of this software
-EXTRA_DIST= \
- TEMPLATE \
- libvirt-qemu \
- usr.lib.libvirt.virt-aa-helper \
- usr.sbin.libvirtd
+EXTRA_DIST= \
+ TEMPLATE \
+ libvirt-qemu \
+ usr.lib.libvirt.virt-aa-helper.in \
+ usr.sbin.libvirtd.in
+
+if WITH_SECDRIVER_APPARMOR
+
+usr.lib.libvirt.virt-aa-helper: usr.lib.libvirt.virt-aa-helper.in
+ sed \
+ -e 's![@]libdir[@]!$(libdir)!g' \
+ < $< > $@-t
+ mv $@-t $@
+
+usr.sbin.libvirtd: usr.sbin.libvirtd.in
+ sed \
+ -e 's![@]libdir[@]!$(libdir)!g' \
+ < $< > $@-t
+ mv $@-t $@
+
+install-data-local: usr.sbin.libvirtd usr.lib.libvirt.virt-aa-helper
+ mkdir -p $(DESTDIR)$(sysconfdir)/apparmor.d/
+ $(INSTALL_DATA) usr.lib.libvirt.virt-aa-helper $(DESTDIR)$(sysconfdir)/apparmor.d/usr.lib.libvirt.virt-aa-helper
+ $(INSTALL_DATA) usr.sbin.libvirtd $(DESTDIR)$(sysconfdir)/apparmor.d/usr.sbin.libvirtd
+ mkdir -p $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt
+ $(INSTALL_DATA) TEMPLATE $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt/TEMPLATE
+ mkdir -p $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions
+ $(INSTALL_DATA) libvirt-qemu $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/libvirt-qemu
+
+uninstall-local::
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/usr.lib.libvirt.virt-aa-helper
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/usr.sbin.libvirtd
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/libvirt-qemu
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/libvirt/TEMPLATE
+
+endif
Index: libvirt-0.9.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
===================================================================
--- /dev/null
+++ libvirt-0.9.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -0,0 +1,40 @@
+# Last Modified: Fri Aug 19 11:21:48 2011
+#include <tunables/global>
+
+@libdir@/libvirt/virt-aa-helper {
+ #include <abstractions/base>
+
+ # needed for searching directories
+ capability dac_override,
+ capability dac_read_search,
+
+ # needed for when disk is on a network filesystem
+ network inet,
+
+ deny @{PROC}/[0-9]*/mounts r,
+ @{PROC}/filesystems r,
+
+ # for hostdev
+ /sys/devices/ r,
+ /sys/devices/** r,
+
+ @libdir@/libvirt/virt-aa-helper mr,
+ /sbin/apparmor_parser Ux,
+
+ /etc/apparmor.d/libvirt/* r,
+ /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+
+ # for backingstore -- allow access to non-hidden files in @{HOME} as well
+ # as storage pools
+ audit deny @{HOME}/.* mrwkl,
+ audit deny @{HOME}/.*/ rw,
+ audit deny @{HOME}/.*/** mrwkl,
+ audit deny @{HOME}/bin/ rw,
+ audit deny @{HOME}/bin/** mrwkl,
+ @{HOME}/ r,
+ @{HOME}/** r,
+ /var/lib/libvirt/images/ r,
+ /var/lib/libvirt/images/** r,
+ /var/lib/kvm/images/ r,
+ /var/lib/kvm/images/** r,
+}
Index: libvirt-0.9.4/examples/apparmor/usr.lib.libvirt.virt-aa-helper
===================================================================
--- libvirt-0.9.4.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ /dev/null
@@ -1,38 +0,0 @@
-# Last Modified: Mon Apr 5 15:10:27 2010
-#include <tunables/global>
-
-/usr/lib/libvirt/virt-aa-helper {
- #include <abstractions/base>
-
- # needed for searching directories
- capability dac_override,
- capability dac_read_search,
-
- # needed for when disk is on a network filesystem
- network inet,
-
- deny @{PROC}/[0-9]*/mounts r,
- @{PROC}/filesystems r,
-
- # for hostdev
- /sys/devices/ r,
- /sys/devices/** r,
-
- /usr/lib/libvirt/virt-aa-helper mr,
- /sbin/apparmor_parser Ux,
-
- /etc/apparmor.d/libvirt/* r,
- /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
-
- # for backingstore -- allow access to non-hidden files in @{HOME} as well
- # as storage pools
- audit deny @{HOME}/.* mrwkl,
- audit deny @{HOME}/.*/ rw,
- audit deny @{HOME}/.*/** mrwkl,
- audit deny @{HOME}/bin/ rw,
- audit deny @{HOME}/bin/** mrwkl,
- @{HOME}/ r,
- @{HOME}/** r,
- /var/lib/libvirt/images/ r,
- /var/lib/libvirt/images/** r,
-}
Index: libvirt-0.9.4/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-0.9.4.orig/examples/apparmor/usr.sbin.libvirtd
+++ /dev/null
@@ -1,52 +0,0 @@
-# Last Modified: Mon Apr 5 15:03:58 2010
-#include <tunables/global>
-@{LIBVIRT}="libvirt"
-
-/usr/sbin/libvirtd {
- #include <abstractions/base>
-
- capability kill,
- capability net_admin,
- capability net_raw,
- capability setgid,
- capability sys_admin,
- capability sys_module,
- capability sys_ptrace,
- capability sys_nice,
- capability sys_chroot,
- capability setuid,
- capability dac_override,
- capability dac_read_search,
- capability fowner,
- capability chown,
- capability setpcap,
- capability mknod,
- capability fsetid,
-
- network inet stream,
- network inet dgram,
- network inet6 stream,
- network inet6 dgram,
-
- # Very lenient profile for libvirtd since we want to first focus on confining
- # the guests. Guests will have a very restricted profile.
- /** rwmkl,
-
- /bin/* Ux,
- /sbin/* Ux,
- /usr/bin/* Ux,
- /usr/sbin/* Ux,
-
- # force the use of virt-aa-helper
- audit deny /sbin/apparmor_parser rwxl,
- audit deny /etc/apparmor.d/libvirt/** wxl,
- audit deny /sys/kernel/security/apparmor/features rwxl,
- audit deny /sys/kernel/security/apparmor/matching rwxl,
- audit deny /sys/kernel/security/apparmor/.* rwxl,
- /sys/kernel/security/apparmor/profiles r,
- /usr/lib/libvirt/* PUxr,
-
- # allow changing to our UUID-based named profiles
- change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
-
-}
Index: libvirt-0.9.4/examples/apparmor/usr.sbin.libvirtd.in
===================================================================
--- /dev/null
+++ libvirt-0.9.4/examples/apparmor/usr.sbin.libvirtd.in
@@ -0,0 +1,52 @@
+# Last Modified: Fri Aug 19 11:20:36 2011
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
+
+/usr/sbin/libvirtd {
+ #include <abstractions/base>
+
+ capability kill,
+ capability net_admin,
+ capability net_raw,
+ capability setgid,
+ capability sys_admin,
+ capability sys_module,
+ capability sys_ptrace,
+ capability sys_nice,
+ capability sys_chroot,
+ capability setuid,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability chown,
+ capability setpcap,
+ capability mknod,
+ capability fsetid,
+
+ network inet stream,
+ network inet dgram,
+ network inet6 stream,
+ network inet6 dgram,
+
+ # Very lenient profile for libvirtd since we want to first focus on confining
+ # the guests. Guests will have a very restricted profile.
+ /** rwmkl,
+
+ /bin/* Ux,
+ /sbin/* Ux,
+ /usr/bin/* Ux,
+ /usr/sbin/* Ux,
+
+ # force the use of virt-aa-helper
+ audit deny /sbin/apparmor_parser rwxl,
+ audit deny /etc/apparmor.d/libvirt/** wxl,
+ audit deny /sys/kernel/security/apparmor/features rwxl,
+ audit deny /sys/kernel/security/apparmor/matching rwxl,
+ audit deny /sys/kernel/security/apparmor/.* rwxl,
+ /sys/kernel/security/apparmor/profiles r,
+ @libdir@/libvirt/* Pxr,
+
+ # allow changing to our UUID-based named profiles
+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
+}
Index: libvirt-0.9.4/examples/apparmor/libvirt-qemu
===================================================================
--- libvirt-0.9.4.orig/examples/apparmor/libvirt-qemu
+++ libvirt-0.9.4/examples/apparmor/libvirt-qemu
@@ -52,6 +52,7 @@
# access to firmware's etc
/usr/share/kvm/** r,
/usr/share/qemu/** r,
+ /usr/share/qemu-kvm/** r,
/usr/share/bochs/** r,
/usr/share/openbios/** r,
/usr/share/openhackware/** r,
@@ -65,6 +66,7 @@
# the various binaries
/usr/bin/kvm rmix,
/usr/bin/qemu rmix,
+ /usr/bin/qemu-kvm rmix,
/usr/bin/qemu-system-arm rmix,
/usr/bin/qemu-system-cris rmix,
/usr/bin/qemu-system-i386 rmix,

30
libvirt.changes
View File

@ -1,3 +1,33 @@
-------------------------------------------------------------------
Wed Aug 24 20:29:37 MDT 2011 - jfehlig@novell.com
- Add cgconfig to Should-{Start,Stop} in libvirtd init script
bnc#712245
-------------------------------------------------------------------
Fri Aug 19 15:21:39 MDT 2011 - jfehlig@suse.com
- Fix apparmor profile location and content
update install-apparmor-profiles.patch
bnc#705668
-------------------------------------------------------------------
Wed Aug 17 16:24:17 MDT 2011 - jfehlig@suse.com
- Fix libvirtd SIGHUP handler
9e093f0b-libvirtd-sighup.patch
-------------------------------------------------------------------
Wed Aug 17 09:13:41 CEST 2011 - dmueller@suse.de
- add baselibs.conf to sources
-------------------------------------------------------------------
Mon Aug 8 15:21:42 MDT 2011 - jfehlig@suse.com
- Enable apparmor security dirver, SLES bnc#705668
install-apparmor-profiles.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Aug 4 11:07:32 MDT 2011 - jfehlig@suse.com Thu Aug 4 11:07:32 MDT 2011 - jfehlig@suse.com

24
libvirt.spec
View File

@ -58,7 +58,7 @@
%define with_storage_mpath 0%{!?_without_storage_mpath:%{server_drivers}} %define with_storage_mpath 0%{!?_without_storage_mpath:%{server_drivers}}
%define with_numactl 0%{!?_without_numactl:%{server_drivers}} %define with_numactl 0%{!?_without_numactl:%{server_drivers}}
%define with_selinux 0%{!?_without_selinux:%{server_drivers}} %define with_selinux 0%{!?_without_selinux:%{server_drivers}}
%define with_apparmor 0%{!?_without_apparmor:0} %define with_apparmor 0%{!?_without_apparmor:%{server_drivers}}
# A few optional bits off by default, we enable later # A few optional bits off by default, we enable later
%define with_polkit 0%{!?_without_polkit:0} %define with_polkit 0%{!?_without_polkit:0}
@ -359,7 +359,9 @@ Recommends: device-mapper
Source0: %{name}-%{version}.tar.bz2 Source0: %{name}-%{version}.tar.bz2
Source1: libvirtd.init Source1: libvirtd.init
Source2: libvirtd-relocation-server.fw Source2: libvirtd-relocation-server.fw
Source99: baselibs.conf
# Upstream patches # Upstream patches
Patch0: 9e093f0b-libvirtd-sighup.patch
# Need to go upstream # Need to go upstream
Patch100: xen-name-for-devid.patch Patch100: xen-name-for-devid.patch
Patch101: clone.patch Patch101: clone.patch
@ -368,6 +370,9 @@ Patch103: xend-disk-order.patch
# Our patches # Our patches
Patch200: libvirtd-defaults.patch Patch200: libvirtd-defaults.patch
Patch201: use-init-script-redhat.patch Patch201: use-init-script-redhat.patch
%if %{with_apparmor}
Patch250: install-apparmor-profiles.patch
%endif
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description %description
@ -453,7 +458,6 @@ Authors:
Karel Zak <kzak@redhat.com> Karel Zak <kzak@redhat.com>
%if %{with_python} %if %{with_python}
%package python %package python
License: LGPLv2.1+ License: LGPLv2.1+
Summary: A C toolkit to interract with the virtualization capabilities of Linux Summary: A C toolkit to interract with the virtualization capabilities of Linux
@ -476,12 +480,16 @@ Authors:
%prep %prep
%setup -q %setup -q
%patch0 -p1
%patch100 -p1 %patch100 -p1
%patch101 %patch101
%patch102 -p1 %patch102 -p1
%patch103 -p1 %patch103 -p1
%patch200 -p1 %patch200 -p1
%patch201 -p1 %patch201 -p1
%if %{with_apparmor}
%patch250 -p1
%endif
%build %build
%if ! %{with_xen} %if ! %{with_xen}
@ -748,7 +756,6 @@ fi
%postun client -p /sbin/ldconfig %postun client -p /sbin/ldconfig
%if %{with_libvirtd} %if %{with_libvirtd}
%files %files
%defattr(-, root, root) %defattr(-, root, root)
%{_sbindir}/libvirtd %{_sbindir}/libvirtd
@ -812,6 +819,16 @@ fi
%attr(0755, root, root) %{_libdir}/%{name}/libvirt_iohelper %attr(0755, root, root) %{_libdir}/%{name}/libvirt_iohelper
%doc %{_mandir}/man8/libvirtd.8* %doc %{_mandir}/man8/libvirtd.8*
%endif %endif
%if %{with_apparmor}
%dir %{_sysconfdir}/apparmor.d
%dir %{_sysconfdir}/apparmor.d/abstractions
%dir %{_sysconfdir}/apparmor.d/libvirt
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.sbin.libvirtd
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.lib.libvirt.virt-aa-helper
%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/libvirt-qemu
%config(noreplace) %{_sysconfdir}/apparmor.d/libvirt/TEMPLATE
%{_libdir}/%{name}/virt-aa-helper
%endif
%config %{_fwdefdir}/libvirtd-relocation-server %config %{_fwdefdir}/libvirtd-relocation-server
%files client -f %{name}.lang %files client -f %{name}.lang
@ -868,7 +885,6 @@ fi
%doc %{_docdir}/%{name}/html %doc %{_docdir}/%{name}/html
%if %{with_python} %if %{with_python}
%files python %files python
%defattr(-, root, root) %defattr(-, root, root)
%doc %{_docdir}/%{name}-python %doc %{_docdir}/%{name}-python

4
libvirtd.init
View File

@ -6,10 +6,10 @@
### BEGIN INIT INFO ### BEGIN INIT INFO
# Provides: libvirtd # Provides: libvirtd
# Required-Start: $network $remote_fs # Required-Start: $network $remote_fs
# Should-Start: xend # Should-Start: xend cgconfig
# Default-Start: 3 5 # Default-Start: 3 5
# Required-Stop: $network $remote_fs # Required-Stop: $network $remote_fs
# Should-Stop: xend # Should-Stop: xend cgconfig
# Default-Stop: 0 1 2 4 6 # Default-Stop: 0 1 2 4 6
# Short-Description: daemon for libvirt virtualization API # Short-Description: daemon for libvirt virtualization API
# Description: This is a daemon for managing QEMU guest instances # Description: This is a daemon for managing QEMU guest instances