Accepting request 528890 from Virtualization

1

OBS-URL: https://build.opensuse.org/request/show/528890
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=236

apparmor-fixes.patch

@@ -1,14 +0,0 @@
-Index: libvirt-3.7.0/examples/apparmor/libvirt-qemu
-===================================================================
---- libvirt-3.7.0.orig/examples/apparmor/libvirt-qemu
-+++ libvirt-3.7.0/examples/apparmor/libvirt-qemu
-@@ -156,6 +156,9 @@
-   # for restore
-   /{usr/,}bin/bash rmix,
- 
-+  /run/nscd/passwd r,
-+  /run/nscd/group r,
-+
-   # for usb access
-   /dev/bus/usb/ r,
-   /etc/udev/udev.conf r,

apparmor-no-mount.patch

@@ -2,15 +2,12 @@ Index: libvirt-3.7.0/examples/apparmor/libvirt-lxc
 ===================================================================
 --- libvirt-3.7.0.orig/examples/apparmor/libvirt-lxc
 +++ libvirt-3.7.0/examples/apparmor/libvirt-lxc
-@@ -2,42 +2,19 @@
+@@ -2,39 +2,15 @@
  
    #include <abstractions/base>
  
 -  umount,
-   dbus,
-   signal,
-   ptrace,
- 
+-
 -  # ignore DENIED message on / remount
 -  deny mount options=(ro, remount) -> /,
 -

apparmor-ptrace-support.patch

@@ -1,88 +0,0 @@
-commit e3bb609812776b30acfc0349b25b2e4d539c45c2
-Author: Jim Fehlig <jfehlig@suse.com>
-Date:   Mon Sep 18 13:41:26 2017 -0600
-
-    apparmor: support ptrace checks
-    
-    Kernel 4.13 introduced finer-grained ptrace checks
-    
-    https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07
-    
-    When Apparmor is enabled and libvirtd is confined, attempting to start
-    a domain fails
-    
-    virsh start test
-    error: Failed to start domain test
-    error: internal error: child reported: Kernel does not provide mount
-           namespace: Permission denied
-    
-    The audit log contains
-    
-    type=AVC msg=audit(1505466699.828:534): apparmor="DENIED"
-    operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621
-    comm="libvirtd" requested_mask="trace" denied_mask="trace"
-    peer="/usr/sbin/libvirtd"
-    
-    It was also noticed that simply connecting to libvirtd (e.g. virsh list)
-    resulted in the following entries in the audit log
-    
-    type=AVC msg=audit(1505755799.975:65): apparmor="DENIED"
-    operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
-    comm="libvirtd" requested_mask="trace" denied_mask="trace"
-    peer="unconfined"
-    type=AVC msg=audit(1505755799.976:66): apparmor="DENIED"
-    operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
-    comm="libvirtd" requested_mask="trace" denied_mask="trace"
-    peer="unconfined"
-    
-    Both Apparmor denials can be fixed by supporting ptrace in the
-    libvirtd, qemu, and lxc profiles. While at it, also add support
-    for dbus, signal, and unix.
-    
-    Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
-
-diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc
-index 4bfb503aa..0db137de0 100644
---- a/examples/apparmor/libvirt-lxc
-+++ b/examples/apparmor/libvirt-lxc
-@@ -3,6 +3,9 @@
-   #include <abstractions/base>
- 
-   umount,
-+  dbus,
-+  signal,
-+  ptrace,
- 
-   # ignore DENIED message on / remount
-   deny mount options=(ro, remount) -> /,
-diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
-index dcfb1a598..6a4a2335a 100644
---- a/examples/apparmor/libvirt-qemu
-+++ b/examples/apparmor/libvirt-qemu
-@@ -170,6 +170,9 @@
-   @{PROC}/device-tree/** r,
-   /sys/firmware/devicetree/** r,
- 
-+  signal (receive) peer=/usr/sbin/libvirtd,
-+  ptrace (tracedby) peer=/usr/sbin/libvirtd,
-+
-   # for gathering information about available host resources
-   /sys/devices/system/cpu/ r,
-   /sys/devices/system/node/ r,
-diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
-index acb59e071..9aadba411 100644
---- a/examples/apparmor/usr.sbin.libvirtd
-+++ b/examples/apparmor/usr.sbin.libvirtd
-@@ -36,6 +36,12 @@
-   network inet6 dgram,
-   network packet dgram,
-   network packet raw,
-+  network netlink,
-+
-+  dbus bus=system,
-+  signal,
-+  ptrace,
-+  unix,
- 
-   # Very lenient profile for libvirtd since we want to first focus on confining
-   # the guests. Guests will have a very restricted profile.

b482925c-apparmor-ptrace-support.patch

@@ -0,0 +1,61 @@
+commit b482925c2277e906542faea52ef587a5c0aa1f5f
+Author: Jim Fehlig <jfehlig@suse.com>
+Date:   Fri Sep 22 17:02:42 2017 -0600
+
+    apparmor: support ptrace checks
+    
+    Kernel 4.13 introduced finer-grained ptrace checks
+    
+    https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07
+    
+    With kernel 4.13 and apparmor 2.11, simply starting libvirtd
+    results in the following apparmor denial
+    
+    type=AVC msg=audit(1506112085.645:954): apparmor="DENIED"
+    operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984
+    comm="libvirtd" requested_mask="trace" denied_mask="trace"
+    peer="unconfined"
+    
+    Attempting to start an unconfined domain results in
+    
+    type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED"
+    operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498
+    comm="libvirtd" requested_mask="trace" denied_mask="trace"
+    peer="/usr/sbin/libvirtd"
+    
+    And attempting to start a confined domain results in
+    
+    type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED"
+    operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
+    pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
+    fsuid=0 ouid=0
+    type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED"
+    operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
+    pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
+    fsuid=0 ouid=0
+    type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED"
+    operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342
+    comm="libvirtd" requested_mask="trace" denied_mask="trace"
+    peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
+    
+    Add ptrace rules to allow the trace operations.
+    
+    Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
+    Signed-off-by: Jim Fehlig <jfehlig@suse.com>
+    Reviewed-by: Guido Günther <agx@sigxcpu.org>
+
+Index: libvirt-3.7.0/examples/apparmor/usr.sbin.libvirtd
+===================================================================
+--- libvirt-3.7.0.orig/examples/apparmor/usr.sbin.libvirtd
++++ libvirt-3.7.0/examples/apparmor/usr.sbin.libvirtd
+@@ -37,6 +37,10 @@
+   network packet dgram,
+   network packet raw,
+ 
++  ptrace (trace) peer=unconfined,
++  ptrace (trace) peer=/usr/sbin/libvirtd,
++  ptrace (trace) peer=libvirt-*,
++
+   # Very lenient profile for libvirtd since we want to first focus on confining
+   # the guests. Guests will have a very restricted profile.
+   / r,

f305d8a1-apparmor-attach_disconnected.patch

@@ -0,0 +1,39 @@
+commit f305d8a191941d1ea6e036ae9fc02a3164b3e746
+Author: Guido Günther <agx@sigxcpu.org>
+Date:   Fri Sep 15 17:13:16 2017 +0200
+
+    apparmor: add attach_disconnected
+    
+    Otherwise we fail to reconnect to /dev/net/tun opened by libvirtd
+    like
+    
+        [ 8144.507756] audit: type=1400 audit(1505488162.386:38069121): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 profile="libvirt-5dfcc8a7-b79a-4fa9-a41f-f6271651934c" name="dev/net/tun" pid=9607 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
+    
+    Reviewed-By: Jamie Strandboge <jamie@canonical.com>
+    Acked-By: Michal Privoznik <mprivozn@redhat.com>
+
+Index: libvirt-3.7.0/examples/apparmor/TEMPLATE.lxc
+===================================================================
+--- libvirt-3.7.0.orig/examples/apparmor/TEMPLATE.lxc
++++ libvirt-3.7.0/examples/apparmor/TEMPLATE.lxc
+@@ -4,7 +4,7 @@
+ 
+ #include <tunables/global>
+ 
+-profile LIBVIRT_TEMPLATE {
++profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
+   #include <abstractions/libvirt-lxc>
+ 
+   # Globally allows everything to run under this profile
+Index: libvirt-3.7.0/examples/apparmor/TEMPLATE.qemu
+===================================================================
+--- libvirt-3.7.0.orig/examples/apparmor/TEMPLATE.qemu
++++ libvirt-3.7.0/examples/apparmor/TEMPLATE.qemu
+@@ -4,6 +4,6 @@
+ 
+ #include <tunables/global>
+ 
+-profile LIBVIRT_TEMPLATE {
++profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
+   #include <abstractions/libvirt-qemu>
+ }

libvirt.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Tue Sep 26 22:38:42 UTC 2017 - jfehlig@suse.com
+
+- apparmor: Add rules for kernel 4.13 ptrace checks
+  b482925c-apparmor-ptrace-support.patch
+  Drop temporary workaround apparmor-ptrace-support.patch
+  bsc#1058847
+- apparmor: Add rules for denial encountered when starting
+  confined domains
+  f305d8a1-apparmor-attach_disconnected.patch,
+  suse-apparmor-libnl-paths.patch
+  Drop old, useless, undocumented apparmor-fixes.patch
+
 -------------------------------------------------------------------
 Wed Sep 20 16:28:46 UTC 2017 - jfehlig@suse.com
 

libvirt.spec

@@ -307,10 +307,11 @@ Source100:      %{name}-rpmlintrc
 Patch0:         92bd87a2-ryzen-test-data.patch
 Patch1:         5c83b360-epyc-test-data.patch
 Patch2:         a0b62843-epyc-cpu-model.patch
+Patch3:         f305d8a1-apparmor-attach_disconnected.patch
+Patch4:         b482925c-apparmor-ptrace-support.patch
 # Patches pending upstream review
 Patch100:       libxl-dom-reset.patch
 Patch101:       network-don-t-use-dhcp-authoritative-on-static-netwo.patch
-Patch102:       apparmor-ptrace-support.patch
 # Need to go upstream
 Patch150:       xen-pv-cdrom.patch
 Patch151:       blockcopy-check-dst-identical-device.patch
@@ -318,7 +319,6 @@ Patch152:       libvirt-power8-models.patch
 Patch153:       ppc64le-canonical-name.patch
 Patch154:       libxl-set-migration-constraints.patch
 Patch155:       libxl-set-cach-mode.patch
-Patch156:       apparmor-fixes.patch
 # Our patches
 Patch200:       suse-libvirtd-disable-tls.patch
 Patch201:       suse-libvirtd-sysconfig-settings.patch
@@ -328,14 +328,15 @@ Patch204:       suse-virtlogd-sysconfig-settings.patch
 Patch205:       suse-libvirtd-service-xen.patch
 Patch206:       suse-qemu-conf.patch
 Patch207:       suse-ovmf-paths.patch
-Patch208:       support-managed-pci-xen-driver.patch
-Patch209:       xen-sxpr-disk-type.patch
-Patch210:       libxl-support-block-script.patch
-Patch211:       apparmor-no-mount.patch
-Patch212:       qemu-apparmor-screenshot.patch
-Patch213:       libvirt-suse-netcontrol.patch
-Patch214:       lxc-wait-after-eth-del.patch
-Patch215:       libxl-qemu-emulator-caps.patch
+Patch208:       suse-apparmor-libnl-paths.patch
+Patch209:       support-managed-pci-xen-driver.patch
+Patch210:       xen-sxpr-disk-type.patch
+Patch211:       libxl-support-block-script.patch
+Patch212:       apparmor-no-mount.patch
+Patch213:       qemu-apparmor-screenshot.patch
+Patch214:       libvirt-suse-netcontrol.patch
+Patch215:       lxc-wait-after-eth-del.patch
+Patch216:       libxl-qemu-emulator-caps.patch
 # SLES-Only patches
 %if %{with_sle_build}
 Patch400:       virt-create-rootfs.patch
@@ -876,16 +877,16 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
 %patch100 -p1
 %patch101 -p1
-%patch102 -p1
 %patch150 -p1
 %patch151 -p1
 %patch152 -p1
 %patch153 -p1
 %patch154 -p1
 %patch155 -p1
-%patch156 -p1
 %patch200 -p1
 %patch201 -p1
 %patch202 -p1
@@ -902,6 +903,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %patch213 -p1
 %patch214 -p1
 %patch215 -p1
+%patch216 -p1
 %if %{with_sle_build}
 %patch400 -p1
 %endif

qemu-apparmor-screenshot.patch

@@ -2,7 +2,7 @@ Index: libvirt-3.7.0/examples/apparmor/libvirt-qemu
 ===================================================================
 --- libvirt-3.7.0.orig/examples/apparmor/libvirt-qemu
 +++ libvirt-3.7.0/examples/apparmor/libvirt-qemu
-@@ -181,3 +181,6 @@
+@@ -176,3 +176,6 @@
    /sys/devices/system/node/ r,
    /sys/devices/system/node/node[0-9]*/meminfo r,
    /sys/module/vhost/parameters/max_mem_regions r,

suse-apparmor-libnl-paths.patch

@@ -0,0 +1,35 @@
+Apparmor: Adjust libnl paths
+
+In SUSE distros, libnl paths generally contain only 'libnl', and
+not an embedded version number such as 'libnl-3'. Use 'libnl*' in
+the virt-aa-helper profile to accommodate all libnl path variants.
+
+It was also noticed that the per-domain profiles need a libnl rule
+to squelch a denial when starting confined domains.
+
+Found while investigating bsc#1058847
+Index: libvirt-3.7.0/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+===================================================================
+--- libvirt-3.7.0.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
++++ libvirt-3.7.0/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+@@ -16,7 +16,7 @@ profile virt-aa-helper /usr/{lib,lib64}/
+   owner @{PROC}/[0-9]*/status r,
+   @{PROC}/filesystems r,
+ 
+-  /etc/libnl-3/classid r,
++  /etc/libnl*/classid r,
+ 
+   # for hostdev
+   /sys/devices/ r,
+Index: libvirt-3.7.0/examples/apparmor/libvirt-qemu
+===================================================================
+--- libvirt-3.7.0.orig/examples/apparmor/libvirt-qemu
++++ libvirt-3.7.0/examples/apparmor/libvirt-qemu
+@@ -50,6 +50,7 @@
+   #/dev/fb* rw,
+ 
+   /etc/pulse/client.conf r,
++  /etc/libnl*/classid r,
+   @{HOME}/.pulse-cookie rwk,
+   owner /root/.pulse-cookie rwk,
+   owner /root/.pulse/ rw,