Accepting request 528890 from Virtualization

1 OBS-URL: https://build.opensuse.org/request/show/528890 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=236
2017-09-29 09:51:22 +00:00 · 2017-09-29 09:51:22 +00:00 · e59cfa4e50
commit e59cfa4e50
parent e434985d78 51341f04c9
9 changed files with 165 additions and 120 deletions
--- a/apparmor-fixes.patch
+++ b/apparmor-fixes.patch
@ -1,14 +0,0 @@
 Index: libvirt-3.7.0/examples/apparmor/libvirt-qemu
 ===================================================================
 --- libvirt-3.7.0.orig/examples/apparmor/libvirt-qemu
 +++ libvirt-3.7.0/examples/apparmor/libvirt-qemu
@@ -156,6 +156,9 @@
   # for restore
   /{usr/,}bin/bash rmix,
 +  /run/nscd/passwd r,
 +  /run/nscd/group r,
 +
   # for usb access
   /dev/bus/usb/ r,
   /etc/udev/udev.conf r,
--- a/apparmor-no-mount.patch
+++ b/apparmor-no-mount.patch
@ -2,15 +2,12 @@ Index: libvirt-3.7.0/examples/apparmor/libvirt-lxc
 ===================================================================
 --- libvirt-3.7.0.orig/examples/apparmor/libvirt-lxc
 +++ libvirt-3.7.0/examples/apparmor/libvirt-lxc
-@@ -2,42 +2,19 @@
+@@ -2,39 +2,15 @@
   #include <abstractions/base>
 -  umount,
-   dbus,
+-
   signal,
   ptrace,
 -  # ignore DENIED message on / remount
 -  deny mount options=(ro, remount) -> /,
 -
--- a/apparmor-ptrace-support.patch
+++ b/apparmor-ptrace-support.patch
@ -1,88 +0,0 @@
 commit e3bb609812776b30acfc0349b25b2e4d539c45c2
 Author: Jim Fehlig <jfehlig@suse.com>
 Date:   Mon Sep 18 13:41:26 2017 -0600
    apparmor: support ptrace checks
    Kernel 4.13 introduced finer-grained ptrace checks
    https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07
    When Apparmor is enabled and libvirtd is confined, attempting to start
    a domain fails
    virsh start test
    error: Failed to start domain test
    error: internal error: child reported: Kernel does not provide mount
           namespace: Permission denied
    The audit log contains
    type=AVC msg=audit(1505466699.828:534): apparmor="DENIED"
    operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621
    comm="libvirtd" requested_mask="trace" denied_mask="trace"
    peer="/usr/sbin/libvirtd"
    It was also noticed that simply connecting to libvirtd (e.g. virsh list)
    resulted in the following entries in the audit log
    type=AVC msg=audit(1505755799.975:65): apparmor="DENIED"
    operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
    comm="libvirtd" requested_mask="trace" denied_mask="trace"
    peer="unconfined"
    type=AVC msg=audit(1505755799.976:66): apparmor="DENIED"
    operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
    comm="libvirtd" requested_mask="trace" denied_mask="trace"
    peer="unconfined"
    Both Apparmor denials can be fixed by supporting ptrace in the
    libvirtd, qemu, and lxc profiles. While at it, also add support
    for dbus, signal, and unix.
    Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
 diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc
 index 4bfb503aa..0db137de0 100644
 --- a/examples/apparmor/libvirt-lxc
 +++ b/examples/apparmor/libvirt-lxc
@@ -3,6 +3,9 @@
   #include <abstractions/base>
   umount,
 +  dbus,
 +  signal,
 +  ptrace,
   # ignore DENIED message on / remount
   deny mount options=(ro, remount) -> /,
 diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
 index dcfb1a598..6a4a2335a 100644
 --- a/examples/apparmor/libvirt-qemu
 +++ b/examples/apparmor/libvirt-qemu
@@ -170,6 +170,9 @@
   @{PROC}/device-tree/** r,
   /sys/firmware/devicetree/** r,
 +  signal (receive) peer=/usr/sbin/libvirtd,
 +  ptrace (tracedby) peer=/usr/sbin/libvirtd,
 +
   # for gathering information about available host resources
   /sys/devices/system/cpu/ r,
   /sys/devices/system/node/ r,
 diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
 index acb59e071..9aadba411 100644
 --- a/examples/apparmor/usr.sbin.libvirtd
 +++ b/examples/apparmor/usr.sbin.libvirtd
@@ -36,6 +36,12 @@
   network inet6 dgram,
   network packet dgram,
   network packet raw,
 +  network netlink,
 +
 +  dbus bus=system,
 +  signal,
 +  ptrace,
 +  unix,
   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
--- a/b482925c-apparmor-ptrace-support.patch
+++ b/b482925c-apparmor-ptrace-support.patch
@ -0,0 +1,61 @@
 commit b482925c2277e906542faea52ef587a5c0aa1f5f
 Author: Jim Fehlig <jfehlig@suse.com>
 Date:   Fri Sep 22 17:02:42 2017 -0600
    apparmor: support ptrace checks
    Kernel 4.13 introduced finer-grained ptrace checks
    https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07
    With kernel 4.13 and apparmor 2.11, simply starting libvirtd
    results in the following apparmor denial
    type=AVC msg=audit(1506112085.645:954): apparmor="DENIED"
    operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984
    comm="libvirtd" requested_mask="trace" denied_mask="trace"
    peer="unconfined"
    Attempting to start an unconfined domain results in
    type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED"
    operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498
    comm="libvirtd" requested_mask="trace" denied_mask="trace"
    peer="/usr/sbin/libvirtd"
    And attempting to start a confined domain results in
    type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED"
    operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
    pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
    fsuid=0 ouid=0
    type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED"
    operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
    pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
    fsuid=0 ouid=0
    type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED"
    operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342
    comm="libvirtd" requested_mask="trace" denied_mask="trace"
    peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
    Add ptrace rules to allow the trace operations.
    Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
    Signed-off-by: Jim Fehlig <jfehlig@suse.com>
    Reviewed-by: Guido Günther <agx@sigxcpu.org>
 Index: libvirt-3.7.0/examples/apparmor/usr.sbin.libvirtd
 ===================================================================
 --- libvirt-3.7.0.orig/examples/apparmor/usr.sbin.libvirtd
 +++ libvirt-3.7.0/examples/apparmor/usr.sbin.libvirtd
@@ -37,6 +37,10 @@
   network packet dgram,
   network packet raw,
 +  ptrace (trace) peer=unconfined,
 +  ptrace (trace) peer=/usr/sbin/libvirtd,
 +  ptrace (trace) peer=libvirt-*,
 +
   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
   / r,
--- a/f305d8a1-apparmor-attach_disconnected.patch
+++ b/f305d8a1-apparmor-attach_disconnected.patch
@ -0,0 +1,39 @@
 commit f305d8a191941d1ea6e036ae9fc02a3164b3e746
 Author: Guido Günther <agx@sigxcpu.org>
 Date:   Fri Sep 15 17:13:16 2017 +0200
    apparmor: add attach_disconnected
    Otherwise we fail to reconnect to /dev/net/tun opened by libvirtd
    like
        [ 8144.507756] audit: type=1400 audit(1505488162.386:38069121): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 profile="libvirt-5dfcc8a7-b79a-4fa9-a41f-f6271651934c" name="dev/net/tun" pid=9607 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
    Reviewed-By: Jamie Strandboge <jamie@canonical.com>
    Acked-By: Michal Privoznik <mprivozn@redhat.com>
 Index: libvirt-3.7.0/examples/apparmor/TEMPLATE.lxc
 ===================================================================
 --- libvirt-3.7.0.orig/examples/apparmor/TEMPLATE.lxc
 +++ libvirt-3.7.0/examples/apparmor/TEMPLATE.lxc
@@ -4,7 +4,7 @@
 #include <tunables/global>
 -profile LIBVIRT_TEMPLATE {
 +profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
   #include <abstractions/libvirt-lxc>
   # Globally allows everything to run under this profile
 Index: libvirt-3.7.0/examples/apparmor/TEMPLATE.qemu
 ===================================================================
 --- libvirt-3.7.0.orig/examples/apparmor/TEMPLATE.qemu
 +++ libvirt-3.7.0/examples/apparmor/TEMPLATE.qemu
@@ -4,6 +4,6 @@
 #include <tunables/global>
 -profile LIBVIRT_TEMPLATE {
 +profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
   #include <abstractions/libvirt-qemu>
 }
--- a/libvirt.changes
+++ b/libvirt.changes
@ -1,3 +1,16 @@
 -------------------------------------------------------------------
 Tue Sep 26 22:38:42 UTC 2017 - jfehlig@suse.com
 - apparmor: Add rules for kernel 4.13 ptrace checks
  b482925c-apparmor-ptrace-support.patch
  Drop temporary workaround apparmor-ptrace-support.patch
  bsc#1058847
 - apparmor: Add rules for denial encountered when starting
  confined domains
  f305d8a1-apparmor-attach_disconnected.patch,
  suse-apparmor-libnl-paths.patch
  Drop old, useless, undocumented apparmor-fixes.patch
 -------------------------------------------------------------------
 Wed Sep 20 16:28:46 UTC 2017 - jfehlig@suse.com
--- a/libvirt.spec
+++ b/libvirt.spec
@ -307,10 +307,11 @@ Source100:      %{name}-rpmlintrc
 Patch0:         92bd87a2-ryzen-test-data.patch
 Patch1:         5c83b360-epyc-test-data.patch
 Patch2:         a0b62843-epyc-cpu-model.patch
 Patch3:         f305d8a1-apparmor-attach_disconnected.patch
 Patch4:         b482925c-apparmor-ptrace-support.patch
 # Patches pending upstream review
 Patch100:       libxl-dom-reset.patch
 Patch101:       network-don-t-use-dhcp-authoritative-on-static-netwo.patch
 Patch102:       apparmor-ptrace-support.patch
 # Need to go upstream
 Patch150:       xen-pv-cdrom.patch
 Patch151:       blockcopy-check-dst-identical-device.patch
@ -318,7 +319,6 @@ Patch152:       libvirt-power8-models.patch
 Patch153:       ppc64le-canonical-name.patch
 Patch154:       libxl-set-migration-constraints.patch
 Patch155:       libxl-set-cach-mode.patch
 Patch156:       apparmor-fixes.patch
 # Our patches
 Patch200:       suse-libvirtd-disable-tls.patch
 Patch201:       suse-libvirtd-sysconfig-settings.patch
@ -328,14 +328,15 @@ Patch204:       suse-virtlogd-sysconfig-settings.patch
 Patch205:       suse-libvirtd-service-xen.patch
 Patch206:       suse-qemu-conf.patch
 Patch207:       suse-ovmf-paths.patch
-Patch208:       support-managed-pci-xen-driver.patch
+Patch208:       suse-apparmor-libnl-paths.patch
-Patch209:       xen-sxpr-disk-type.patch
+Patch209:       support-managed-pci-xen-driver.patch
-Patch210:       libxl-support-block-script.patch
+Patch210:       xen-sxpr-disk-type.patch
-Patch211:       apparmor-no-mount.patch
+Patch211:       libxl-support-block-script.patch
-Patch212:       qemu-apparmor-screenshot.patch
+Patch212:       apparmor-no-mount.patch
-Patch213:       libvirt-suse-netcontrol.patch
+Patch213:       qemu-apparmor-screenshot.patch
-Patch214:       lxc-wait-after-eth-del.patch
+Patch214:       libvirt-suse-netcontrol.patch
-Patch215:       libxl-qemu-emulator-caps.patch
+Patch215:       lxc-wait-after-eth-del.patch
 Patch216:       libxl-qemu-emulator-caps.patch
 # SLES-Only patches
 %if %{with_sle_build}
 Patch400:       virt-create-rootfs.patch
@ -876,16 +877,16 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch100 -p1
 %patch101 -p1
 %patch102 -p1
 %patch150 -p1
 %patch151 -p1
 %patch152 -p1
 %patch153 -p1
 %patch154 -p1
 %patch155 -p1
 %patch156 -p1
 %patch200 -p1
 %patch201 -p1
 %patch202 -p1
@ -902,6 +903,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %patch213 -p1
 %patch214 -p1
 %patch215 -p1
 %patch216 -p1
 %if %{with_sle_build}
 %patch400 -p1
 %endif
--- a/qemu-apparmor-screenshot.patch
+++ b/qemu-apparmor-screenshot.patch
@ -2,7 +2,7 @@ Index: libvirt-3.7.0/examples/apparmor/libvirt-qemu
 ===================================================================
 --- libvirt-3.7.0.orig/examples/apparmor/libvirt-qemu
 +++ libvirt-3.7.0/examples/apparmor/libvirt-qemu
-@@ -181,3 +181,6 @@
+@@ -176,3 +176,6 @@
   /sys/devices/system/node/ r,
   /sys/devices/system/node/node[0-9]*/meminfo r,
   /sys/module/vhost/parameters/max_mem_regions r,
--- a/suse-apparmor-libnl-paths.patch
+++ b/suse-apparmor-libnl-paths.patch
@ -0,0 +1,35 @@
 Apparmor: Adjust libnl paths
 In SUSE distros, libnl paths generally contain only 'libnl', and
 not an embedded version number such as 'libnl-3'. Use 'libnl*' in
 the virt-aa-helper profile to accommodate all libnl path variants.
 It was also noticed that the per-domain profiles need a libnl rule
 to squelch a denial when starting confined domains.
 Found while investigating bsc#1058847
 Index: libvirt-3.7.0/examples/apparmor/usr.lib.libvirt.virt-aa-helper
 ===================================================================
 --- libvirt-3.7.0.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
 +++ libvirt-3.7.0/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -16,7 +16,7 @@ profile virt-aa-helper /usr/{lib,lib64}/
   owner @{PROC}/[0-9]*/status r,
   @{PROC}/filesystems r,
 -  /etc/libnl-3/classid r,
 +  /etc/libnl*/classid r,
   # for hostdev
   /sys/devices/ r,
 Index: libvirt-3.7.0/examples/apparmor/libvirt-qemu
 ===================================================================
 --- libvirt-3.7.0.orig/examples/apparmor/libvirt-qemu
 +++ libvirt-3.7.0/examples/apparmor/libvirt-qemu
@@ -50,6 +50,7 @@
   #/dev/fb* rw,
   /etc/pulse/client.conf r,
 +  /etc/libnl*/classid r,
   @{HOME}/.pulse-cookie rwk,
   owner /root/.pulse-cookie rwk,
   owner /root/.pulse/ rw,