pool/libvirt
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 344926 from Virtualization

Browse Source 
1

OBS-URL: https://build.opensuse.org/request/show/344926
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=194
This commit is contained in:
Stephan Kulow 2015-11-22 10:00:22 +00:00 committed by Git OBS Bridge
commit c932d6bfd6
3 changed files with 45 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
libvirt.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Tue Nov 17 14:40:41 UTC 2015 - cbosdonnat@suse.com
- Don't add apparmor deny rw rule for 9P readonly mounts.
bsc#952849. virt-aa-helper-rw-mounts.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Nov 9 23:20:22 UTC 2015 - cbosdonnat@suse.com Mon Nov 9 23:20:22 UTC 2015 - cbosdonnat@suse.com

4
libvirt.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package libvirt # spec file for package libvirt
# #
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -456,6 +456,7 @@ Source99: baselibs.conf
Patch0: 703ec1b7-qemu-bridge-helper-fix.patch Patch0: 703ec1b7-qemu-bridge-helper-fix.patch
# Patches pending upstream review # Patches pending upstream review
Patch100: add-with-login-shell.patch Patch100: add-with-login-shell.patch
Patch101: virt-aa-helper-rw-mounts.patch
# Need to go upstream # Need to go upstream
Patch150: xen-pv-cdrom.patch Patch150: xen-pv-cdrom.patch
Patch151: blockcopy-check-dst-identical-device.patch Patch151: blockcopy-check-dst-identical-device.patch
@ -971,6 +972,7 @@ Wireshark dissector plugin for better analysis of libvirt RPC traffic.
%setup -q %setup -q
%patch0 -p1 %patch0 -p1
%patch100 -p1 %patch100 -p1
%patch101 -p1
%patch150 -p1 %patch150 -p1
%patch151 -p1 %patch151 -p1
%patch152 -p1 %patch152 -p1

36
virt-aa-helper-rw-mounts.patch Normal file
View File

@ -0,0 +1,36 @@
From 9abe699b0b91fd2c8a2870b36342a37fa97f7e36 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Tue, 17 Nov 2015 10:11:30 +0100
Subject: [PATCH] virt-aa-helper: don't deny writes to readonly mounts
There is no need to deny writes on a readonly mount: write still
won't be accepted, even if the user remounts the folder as RW in
the guest as qemu sets the 9p mount as ro.
This deny rule was leading to problems for example with readonly /:
The qemu process had to write to a bunch of files in / like logs,
sockets, etc. This deny rule was also preventing auditing of these
denials, making it harder to debug.
---
src/security/virt-aa-helper.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 5de56e5..a2d7226 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1127,7 +1127,10 @@ get_files(vahControl * ctl)
ctl->def->fss[i]->src) {
virDomainFSDefPtr fs = ctl->def->fss[i];
- if (vah_add_path(&buf, fs->src, fs->readonly ? "r" : "rw", true) != 0)
+ /* We don't need to add deny rw rules for readonly mounts,
+ * this can only lead to troubles when mounting / readonly.
+ */
+ if (vah_add_path(&buf, fs->src, "rw", true) != 0)
goto cleanup;
}
}
--
2.1.4