Accepting request 682276 from home:jfehlig:branches:Virtualization

- apparmor: fix more fallout from changing libvirtd profile to a
  named profile
  4ec3cf9a-apparmor-rules.patch,
  0001-apparmor-Check-libvirtd-profile-status-by-name.patch
  boo#1125841

OBS-URL: https://build.opensuse.org/request/show/682276
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=735
James Fehlig 2019-03-06 20:25:56 +00:00 committed by Git OBS Bridge
parent 7fe9d077c7
commit c50e323c11
6 changed files with 94 additions and 2 deletions

@ -0,0 +1,46 @@
From b1a50c10c95747dacd31a23b5c73ec4f938af329 Mon Sep 17 00:00:00 2001
From: Jim Fehlig <jfehlig@suse.com>
Date: Fri, 1 Mar 2019 14:34:17 -0700
Subject: [PATCH 1/2] apparmor: Check libvirtd profile status by name
Commit a3ab6d42 changed the libvirtd profile to a named profile,
breaking the apparmor driver's ability to detect if the profile is
active. When the apparmor driver loads it checks the status of the
libvirtd profile using the full binary path, which fails since the
profile is now referenced by name. If the apparmor driver is
explicitly requested in /etc/libvirt/qemu.conf, then libvirtd fails
to load too.
Instead of only checking the profile status by full binary path,
also check by profile name. The full path check is retained in case
users have a customized libvirtd profile with full path.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
src/security/security_apparmor.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
Index: libvirt-5.1.0/src/security/security_apparmor.c
===================================================================
--- libvirt-5.1.0.orig/src/security/security_apparmor.c
+++ libvirt-5.1.0/src/security/security_apparmor.c
@@ -257,10 +257,16 @@ use_apparmor(void)
if (access(APPARMOR_PROFILES_PATH, R_OK) != 0)
goto cleanup;
+ /* First check profile status using full binary path. If that fails
+ * check using profile name.
+ */
rc = profile_status(libvirt_daemon, 1);
- /* Error or unconfined should all result in -1*/
- if (rc < 0)
- rc = -1;
+ if (rc < 0) {
+ rc = profile_status("libvirtd", 1);
+ /* Error or unconfined should all result in -1*/
+ if (rc < 0)
+ rc = -1;
+ }
cleanup:
VIR_FREE(libvirt_daemon);
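Review bot: the fallback in use_apparmor() hard-codes the profile name as the string literal in `rc = profile_status("libvirtd", 1);` while the first check goes through the `libvirt_daemon` path variable; nothing ties that literal to the profile definition, so if the named profile is ever renamed the detection silently breaks again. A named constant defined next to `libvirt_daemon`, or at least a comment pointing at the profile that declares the name, would keep the two in sync. The control flow itself looks right: the second lookup runs only when the path check returns an error or unconfined, and both failure cases still collapse to -1 exactly as the removed lines did.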

@ -0,0 +1,33 @@
commit 4ec3cf9a0fc3d76058ea363a6c35df19e67e6261
Author: Jim Fehlig <jfehlig@suse.com>
Date: Fri Mar 1 15:05:36 2019 -0700
apparmor: Add ptrace and signal rules for named profile
Commit a3ab6d42 changed the libvirtd profile to a named profile
but neglected to accommodate the change in the qemu profile
ptrace and signal rules. As a result, libvirtd is unable to
signal confined qemu processes and hence unable to shutdown
or destroy VMs.
Add ptrace and signal rules that reference the libvirtd profile
by name in addition to full binary path.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
Index: libvirt-5.1.0/src/security/apparmor/libvirt-qemu
===================================================================
--- libvirt-5.1.0.orig/src/security/apparmor/libvirt-qemu
+++ libvirt-5.1.0/src/security/apparmor/libvirt-qemu
@@ -16,8 +16,10 @@
network inet stream,
network inet6 stream,
+ ptrace (readby, tracedby) peer=libvirtd,
ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
+ signal (receive) peer=libvirtd,
signal (receive) peer=/usr/sbin/libvirtd,
/dev/net/tun rw,
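Review bot: the two new `peer=libvirtd` rules mirror the existing full-path rules, but neither the hunk nor the commit message records why the `/usr/sbin/libvirtd` rules are kept; the companion patch's message explains the retention for users with a customized full-path profile, and the same sentence here (or a one-line comment above these rules) would document the intent. Also worth confirming that the literal `libvirtd` matches the name the C-side fallback `profile_status("libvirtd", 1)` checks, since a mismatch would leave the daemon detected as confined but still unable to signal the guest.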

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Wed Mar 6 17:11:49 UTC 2019 - James Fehlig <jfehlig@suse.com>
- apparmor: fix more fallout from changing libvirtd profile to a
named profile
4ec3cf9a-apparmor-rules.patch,
0001-apparmor-Check-libvirtd-profile-status-by-name.patch
boo#1125841
-------------------------------------------------------------------
Mon Mar 4 18:52:57 UTC 2019 - James Fehlig <jfehlig@suse.com>
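Review bot: the changes entry names both patch files and boo#1125841, but neither patch header carries the bug reference; adding it to the patch descriptions would keep the link to the bug when the patches are later rebased or dropped independently of this changes file.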

@ -333,9 +333,11 @@ Source6: libvirtd-relocation-server.xml
Source99: baselibs.conf
Source100: %{name}-rpmlintrc
# Upstream patches
Patch0: 4ec3cf9a-apparmor-rules.patch
# Patches pending upstream review
Patch100: libxl-dom-reset.patch
Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
Patch102: 0001-apparmor-Check-libvirtd-profile-status-by-name.patch
# Need to go upstream
Patch150: xen-pv-cdrom.patch
Patch151: blockcopy-check-dst-identical-device.patch
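Review bot: 4ec3cf9a-apparmor-rules.patch is filed under "# Upstream patches" as Patch0 while its sibling 0001-apparmor-Check-libvirtd-profile-status-by-name.patch goes under "# Patches pending upstream review" as Patch102; that matches their headers (the rules patch carries an upstream commit id and an Acked-by, the status patch is still tagged [PATCH 1/2]). A short comment noting that the two belong together would help, since the changes entry says both are needed for boo#1125841 and they would otherwise be easy to drop separately when one lands upstream.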
@ -866,8 +868,10 @@ libvirt plugin for NSS for translating domain names into IP addresses.
%prep
%setup -q
%patch0 -p1
%patch100 -p1
%patch101 -p1
%patch102 -p1
%patch150 -p1
%patch151 -p1
%patch152 -p1
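Review bot: `%patch0 -p1` is applied before `%patch102 -p1`, and the two touch different files (src/security/apparmor/libvirt-qemu versus src/security/security_apparmor.c), so there is no ordering dependency between them. The later patches that also edit libvirt-qemu do show their hunk offsets shifted by two lines to follow the two rule lines Patch0 inserts, so the refreshed patch files further down are expected to be context-only rebases rather than behaviour changes; a note to that effect in the changes entry would save the next reader from checking.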

@ -2,7 +2,7 @@ Index: libvirt-5.1.0/src/security/apparmor/libvirt-qemu
===================================================================
--- libvirt-5.1.0.orig/src/security/apparmor/libvirt-qemu
+++ libvirt-5.1.0/src/security/apparmor/libvirt-qemu
@@ -220,3 +220,6 @@
@@ -222,3 +222,6 @@
# required for sasl GSSAPI plugin
/etc/gss/mech.d/ r,
/etc/gss/mech.d/* r,
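Review bot: context-only refresh: the hunk header moves from `@@ -220,3 +220,6 @@` to `@@ -222,3 +222,6 @@` with no change to the rule lines, matching the two `peer=libvirtd` lines that 4ec3cf9a-apparmor-rules.patch inserts earlier in libvirt-qemu. Harmless, but the changes entry does not mention the rebased patches, and listing them as rebased would make the entry account for all six changed files.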

@ -12,7 +12,7 @@ Index: libvirt-5.1.0/src/security/apparmor/libvirt-qemu
===================================================================
--- libvirt-5.1.0.orig/src/security/apparmor/libvirt-qemu
+++ libvirt-5.1.0/src/security/apparmor/libvirt-qemu
@@ -61,6 +61,7 @@
@@ -63,6 +63,7 @@
#/dev/fb* rw,
/etc/pulse/client.conf r,
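Review bot: same context-only offset shift as the other rebased libvirt-qemu patch (`@@ -61,6 +61,7 @@` to `@@ -63,6 +63,7 @@`), again explained by the two rule lines 4ec3cf9a-apparmor-rules.patch adds; nothing to fix here, but only the hunk header is visible in this view, so the full patch file should be diffed once to confirm that no rule line changed alongside the header.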