From 700dcddea3d9940e45b6888ee60ebf8879f39ce1 Mon Sep 17 00:00:00 2001 From: Jim Fehlig Date: Tue, 5 Jul 2022 11:43:19 -0600 Subject: SUSE adjustments to qemu.conf This patch contains SUSE-specific adjustments to the upstream qemu.conf configuration file. In the future, it might make sense to separate these changes into individual patches (e.g. suse-qemu-conf-secdriver.patch, suse-qemu-conf-lockmgr.patch, etc.), but for now they are all lumped together in this single patch. Signed-off-by: Jim Fehlig --- src/qemu/qemu.conf.in | 32 ++++++++++++++++++++++++------ src/qemu/qemu_conf.c | 2 +- src/qemu/test_libvirtd_qemu.aug.in | 1 + 3 files changed, 28 insertions(+), 7 deletions(-) Index: libvirt-9.0.0/src/qemu/qemu.conf.in =================================================================== --- libvirt-9.0.0.orig/src/qemu/qemu.conf.in +++ libvirt-9.0.0/src/qemu/qemu.conf.in @@ -491,10 +491,19 @@ # isolation, but it cannot appear in a list of drivers. # #security_driver = "selinux" +#security_driver = "apparmor" # If set to non-zero, then the default security labeling # will make guests confined. If set to zero, then guests -# will be unconfined by default. Defaults to 1. +# will be unconfined by default. Defaults to 0. +# +# SUSE Note: +# Currently, Apparmor is the default security framework in SUSE +# distros. If Apparmor is enabled on the host, libvirtd is +# generously confined but users must opt-in to confine qemu +# instances. Change this to a non-zero value to enable default +# Apparmor confinement of qemu instances. +# #security_default_confined = 1 # If set to non-zero, then attempts to create unconfined 
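Review bot: The new "Defaults to 0" text and the SUSE note justify the unconfined default only for Apparmor hosts, but the matching change in src/qemu/qemu_conf.c sets the default without checking which security driver is active. As far as this patch shows, a host that selects `security_driver = "selinux"` gets the same opt-in behaviour, and the note should say so. I would add `# This default applies to every security driver, not only Apparmor.` before the closing `#` line of the note.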
@@ -729,11 +738,22 @@ #relaxed_acs_check = 1 -# In order to prevent accidentally starting two domains that -# share one writable disk, libvirt offers two approaches for -# locking files. The first one is sanlock, the other one, -# virtlockd, is then our own implementation. Accepted values -# are "sanlock" and "lockd". +# SUSE note: +# Two lock managers are supported: lockd and sanlock. lockd, which +# is provided by the virtlockd service, uses advisory locks (flock(2)) +# to protect virtual machine disks. sanlock uses the notion of leases +# to protect virtual machine disks and is more appropriate in a SAN +# environment. +# +# For most deployments that require virtual machine disk protection, +# lockd is recommended since it is easy to configure and the virtlockd +# service can be restarted without terminating any running virtual +# machines. sanlock, which may be preferred in some SAN environments, +# has the disadvantage of not being able to be restarted without +# first terminating all virtual machines for which it holds leases. +# +# Specify lockd or sanlock to enable protection of virtual machine disk +# content. # #lock_manager = "lockd" Index: libvirt-9.0.0/src/qemu/qemu_conf.c =================================================================== --- libvirt-9.0.0.orig/src/qemu/qemu_conf.c +++ libvirt-9.0.0/src/qemu/qemu_conf.c @@ -265,7 +265,7 @@ virQEMUDriverConfig *virQEMUDriverConfig cfg->slirpHelperName = g_strdup(QEMU_SLIRP_HELPER); cfg->dbusDaemonName = g_strdup(QEMU_DBUS_DAEMON); - cfg->securityDefaultConfined = true; + cfg->securityDefaultConfined = false; cfg->securityRequireConfined = false; cfg->keepAliveInterval = 5; Index: libvirt-9.0.0/src/qemu/test_libvirtd_qemu.aug.in =================================================================== --- libvirt-9.0.0.orig/src/qemu/test_libvirtd_qemu.aug.in +++ libvirt-9.0.0/src/qemu/test_libvirtd_qemu.aug.in 
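Review bot: The added paragraph says lockd protects disks with `flock(2)`, but to my knowledge virtlockd takes POSIX `fcntl(2)` locks. The two differ on network filesystems and in how locks follow inherited file descriptors. Since the text is meant to help an administrator choose a lock manager for shared storage, the reference should read `uses advisory locks (fcntl(2))`. Please confirm against the lock driver source before changing it.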
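Review bot: The flipped default at `cfg->securityDefaultConfined = false;` carries no comment marking it as a deliberate downstream deviation, so a reader comparing this file with upstream cannot tell it is intended. With `cfg->securityRequireConfined = false;` unchanged on the next line, the built-in defaults shown here do not force a confinement label on any guest. I would add `/* SUSE: guests are unconfined unless qemu.conf sets security_default_confined = 1 */` above the assignment. The qemu.conf note could also say that hosts needing every guest confined should set `security_require_confined = 1` as well. The enclosing function starts and ends outside the hunk.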
@@ -45,6 +45,7 @@ module Test_libvirtd_qemu =
 { "remote_websocket_port_min" = "5700" }
 { "remote_websocket_port_max" = "65535" }
 { "security_driver" = "selinux" }
+{ "security_driver" = "apparmor" }
 { "security_default_confined" = "1" }
 { "security_require_confined" = "1" }
 { "user" = "@QEMU_USER@" }