libvirt/apparmor-qemu-bridge-helper.patch
James Fehlig e27e06d482 Accepting request 419115 from home:jfehlig:branches:Virtualization
- Update to libvirt 2.1.0
  - New subpackages libvirt-libs and libvirt-admin
  - Many incremental improvements and bug fixes, see
    http://libvirt.org/news.html
  - Dropped patches:
    c8f08e48-systemd-notify-fix.patch
- qemu: fix qemu.conf security_driver regression in 2.1.0 release
  856965b3-qemu-secdriver.patch

OBS-URL: https://build.opensuse.org/request/show/419115
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=562
2016-08-13 00:51:10 +00:00


From 430cd5a72cf1f5c3e56cf1b4b40385812477aef3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Fri, 5 Aug 2016 09:32:54 +0200
Subject: [PATCH] apparmor: move qemu-bridge-helper to libvirtd profile

qemu-bridge-helper is only called from libvirtd, it has to be moved
from the qemu domain abstraction to the usr.sbin.libvirtd profile.
---
examples/apparmor/libvirt-qemu | 19 -------------------
examples/apparmor/usr.sbin.libvirtd | 18 ++++++++++++++++++
2 files changed, 18 insertions(+), 19 deletions(-)
Index: libvirt-2.1.0/examples/apparmor/libvirt-qemu
===================================================================
--- libvirt-2.1.0.orig/examples/apparmor/libvirt-qemu
+++ libvirt-2.1.0/examples/apparmor/libvirt-qemu
@@ -151,22 +151,3 @@
/etc/udev/udev.conf r,
/sys/bus/ r,
/sys/class/ r,
-
- /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
- # child profile for bridge helper process
- profile qemu_bridge_helper {
- #include <abstractions/base>
-
- capability setuid,
- capability setgid,
- capability setpcap,
- capability net_admin,
-
- network inet stream,
-
- /dev/net/tun rw,
- /etc/qemu/** r,
- owner @{PROC}/*/status r,
-
- /usr/{lib,libexec}/qemu-bridge-helper rmix,
- }
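Review bot: removing the `/usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,` rule from the domain abstraction means any guest confined by libvirt-qemu is denied exec of the helper from here on, and the only justification is the commit message's statement that the helper is "only called from libvirtd". QEMU's own bridge network backend launches this helper itself, so please state in the commit message how it was confirmed that no supported domain configuration makes the QEMU process run it. If that cannot be ruled out, keep the transition rule in this abstraction as well rather than dropping it outright.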
Index: libvirt-2.1.0/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-2.1.0.orig/examples/apparmor/usr.sbin.libvirtd
+++ libvirt-2.1.0/examples/apparmor/usr.sbin.libvirtd
@@ -67,4 +67,22 @@
# allow changing to our UUID-based named profiles
change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+ /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+ # child profile for bridge helper process
+ profile qemu_bridge_helper {
+ #include <abstractions/base>
+
+ capability setuid,
+ capability setgid,
+ capability setpcap,
+ capability net_admin,
+
+ network inet stream,
+
+ /dev/net/tun rw,
+ /etc/qemu/** r,
+ owner @{PROC}/*/status r,
+
+ /usr/{lib,libexec}/qemu-bridge-helper rmix,
+ }
}
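Review bot: the added `Cx -> qemu_bridge_helper` rule sits directly under the `change_profile` line with no blank separator, while the block removed from libvirt-qemu began with one (which is why the diffstat shows 18 insertions against 19 deletions). Add the blank line, and move `# child profile for bridge helper process` above the transition rule so the comment clearly covers both the rule and the profile. The child profile is otherwise carried over unchanged, including `capability setuid`, `setgid`, `setpcap`, `net_admin` and the `/etc/qemu/** r` glob; since it is now reached from the daemon's profile, a short comment on why each capability and path is needed would make it easier to tighten later.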