From 62997836ccfd690f884861f6be5da9dbaab35eee8e6a715e6d7ad4e6c7d80886 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
Date: Tue, 17 Nov 2015 15:45:23 +0000
Subject: [PATCH] Accepting request 344925 from home:cbosdonnat:branches:Virtualization
- Don't add apparmor deny rw rule for 9P readonly mounts. bsc#952849. virt-aa-helper-rw-mounts.patch
OBS-URL: https://build.opensuse.org/request/show/344925
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=501
---
 libvirt.changes | 6 ++++++
 libvirt.spec | 4 +++-
 virt-aa-helper-rw-mounts.patch | 36 ++++++++++++++++++++++++++++++++++
 3 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 virt-aa-helper-rw-mounts.patch
diff --git a/libvirt.changes b/libvirt.changes
index 4530762..7222ad4 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Nov 17 14:40:41 UTC 2015 - cbosdonnat@suse.com
+
+- Don't add apparmor deny rw rule for 9P readonly mounts.
+ bsc#952849. virt-aa-helper-rw-mounts.patch
+
 -------------------------------------------------------------------
 Mon Nov 9 23:20:22 UTC 2015 - cbosdonnat@suse.com
diff --git a/libvirt.spec b/libvirt.spec
index 4bee6e6..1295383 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libvirt
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -456,6 +456,7 @@ Source99: baselibs.conf
 Patch0: 703ec1b7-qemu-bridge-helper-fix.patch
 # Patches pending upstream review
 Patch100: add-with-login-shell.patch
+Patch101: virt-aa-helper-rw-mounts.patch
 # Need to go upstream
 Patch150: xen-pv-cdrom.patch
 Patch151: blockcopy-check-dst-identical-device.patch
@@ -971,6 +972,7 @@ Wireshark dissector plugin for better analysis of libvirt RPC traffic.
 %setup -q
 %patch0 -p1
 %patch100 -p1
+%patch101 -p1
 %patch150 -p1
 %patch151 -p1
 %patch152 -p1
diff --git a/virt-aa-helper-rw-mounts.patch b/virt-aa-helper-rw-mounts.patch
new file mode 100644
index 0000000..a3373ad
--- /dev/null
+++ b/virt-aa-helper-rw-mounts.patch
@@ -0,0 +1,36 @@
+From 9abe699b0b91fd2c8a2870b36342a37fa97f7e36 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
+Date: Tue, 17 Nov 2015 10:11:30 +0100
+Subject: [PATCH] virt-aa-helper: don't deny writes to readonly mounts
+
+There is no need to deny writes on a readonly mount: write still
+won't be accepted, even if the user remounts the folder as RW in
+the guest as qemu sets the 9p mount as ro.
+
+This deny rule was leading to problems for example with readonly /:
+The qemu process had to write to a bunch of files in / like logs,
+sockets, etc. This deny rule was also preventing auditing of these
+denials, making it harder to debug.
+---
+ src/security/virt-aa-helper.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
+index 5de56e5..a2d7226 100644
+--- a/src/security/virt-aa-helper.c
++++ b/src/security/virt-aa-helper.c
+@@ -1127,7 +1127,10 @@ get_files(vahControl * ctl)
+ ctl->def->fss[i]->src) {
+ virDomainFSDefPtr fs = ctl->def->fss[i];
+
+- if (vah_add_path(&buf, fs->src, fs->readonly ? "r" : "rw", true) != 0)
++ /* We don't need to add deny rw rules for readonly mounts,
++ * this can only lead to troubles when mounting / readonly.
++ */
++ if (vah_add_path(&buf, fs->src, "rw", true) != 0)
+ goto cleanup;
+ }
+ }
+--
+2.1.4
+
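Review bot: Passing an unconditional `"rw"` to vah_add_path in get_files (the inner hunk of the new virt-aa-helper-rw-mounts.patch) means a filesystem the domain XML declares readonly now receives a read-write profile rule for its host source path, so the AppArmor boundary no longer enforces read-only and the guarantee rests solely on qemu mounting the 9p share ro — qemu being the confined process the profile exists to distrust. The commit message only wants the audit-deny rule gone, so the narrower fix is to keep `"r"` for readonly exports and suppress just that deny rule (presumably generated inside vah_add_path, outside this hunk), for example through a distinct permission string or an extra flag. If the wider grant is accepted, the new comment should state the trade-off rather than only the readonly-/ problem: `/* readonly exports are granted rw on the host side on purpose: the deny-w rule that "r" produces breaks readonly / exports; read-only enforcement then relies on qemu mounting the 9p share ro */`. get_files starts before this hunk.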