libvirt/apparmor-no-mount.patch
James Fehlig 278a149fdc Accepting request 253577 from home:jfehlig:branches:Virtualization
Note:  tarball verification is now done using %gpg_verify, along
with the .asc file the upstream libvirt maintainer now generates
for each release.  This approach requires using the upstream .gz
tarball, which is slightly larger than the regenerated .bz2 one.

- Update to libvirt 1.2.9
  - Introduce virNodeAllocPages
  - event: introduce new event for tunable values
  - Add support for fetching statistics of completed jobs
  - CVE-2014-3657: domain_conf: fix domain deadlock
  - CVE-2014-3633: qemu: blkiotune: Use correct definition when
    looking up disk
  - Many incremental improvements and bug fixes, see
    http://libvirt.org/news.html
  - Drop upstream patches: 3e745e8f-CVE-2014-3633.patch,
    libvirt-guests-wait-for-ntp.patch
- Verify tarball with associated .asc file
  Add: libvirt.keyring, libvirt-1.2.9.tar.gz.asc
  Use upstream .gz tarball instead of locally generated .bz2

OBS-URL: https://build.opensuse.org/request/show/253577
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=411
2014-10-01 22:29:37 +00:00


Index: libvirt-1.2.9/examples/apparmor/libvirt-lxc
===================================================================
--- libvirt-1.2.9.orig/examples/apparmor/libvirt-lxc
+++ libvirt-1.2.9/examples/apparmor/libvirt-lxc
@@ -2,39 +2,15 @@
#include <abstractions/base>
- umount,
-
- # ignore DENIED message on / remount
- deny mount options=(ro, remount) -> /,
-
- # allow tmpfs mounts everywhere
- mount fstype=tmpfs,
-
- # allow mqueue mounts everywhere
- mount fstype=mqueue,
-
- # allow fuse mounts everywhere
- mount fstype=fuse.*,
-
- # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
- mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
+ # deny writes in /proc/sys/fs
deny @{PROC}/sys/fs/** wklx,
- # allow efivars to be mounted, writing to it will be blocked though
- mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
-
# block some other dangerous paths
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/kmem rwklx,
- # deny writes in /sys except for /sys/fs/cgroup, also allow
- # fusectl, securityfs and debugfs to be mounted there (read-only)
- mount fstype=fusectl -> /sys/fs/fuse/connections/,
- mount fstype=securityfs -> /sys/kernel/security/,
- mount fstype=debugfs -> /sys/kernel/debug/,
- mount fstype=proc -> /proc/,
- mount fstype=sysfs -> /sys/,
+ # deny writes in /sys
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,