51341f04c9
Fix various apparmor issues.

- apparmor: Add rules for kernel 4.13 ptrace checks
  b482925c-apparmor-ptrace-support.patch
  Drop temporary workaround apparmor-ptrace-support.patch
  bsc#1058847
- apparmor: Add rules for denial encountered when starting confined domains
  f305d8a1-apparmor-attach_disconnected.patch, suse-apparmor-libnl-paths.patch
  Drop old, useless, undocumented apparmor-fixes.patch

OBS-URL: https://build.opensuse.org/request/show/528889
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=624
40 lines
1.5 KiB
Diff
commit f305d8a191941d1ea6e036ae9fc02a3164b3e746
Author: Guido Günther <agx@sigxcpu.org>
Date: Fri Sep 15 17:13:16 2017 +0200

apparmor: add attach_disconnected

Otherwise we fail to reconnect to /dev/net/tun opened by libvirtd
like

[ 8144.507756] audit: type=1400 audit(1505488162.386:38069121): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 profile="libvirt-5dfcc8a7-b79a-4fa9-a41f-f6271651934c" name="dev/net/tun" pid=9607 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0

Reviewed-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Michal Privoznik <mprivozn@redhat.com>

Index: libvirt-3.7.0/examples/apparmor/TEMPLATE.lxc
===================================================================
--- libvirt-3.7.0.orig/examples/apparmor/TEMPLATE.lxc
+++ libvirt-3.7.0/examples/apparmor/TEMPLATE.lxc
@@ -4,7 +4,7 @@
#include <tunables/global>
-profile LIBVIRT_TEMPLATE {
+profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
#include <abstractions/libvirt-lxc>
# Globally allows everything to run under this profile
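Review bot: The `+profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {` change in TEMPLATE.lxc has no justification in the commit message, which only quotes a denial from `comm="qemu-system-x86"` on `name="dev/net/tun"`. With attach_disconnected, paths that cannot be resolved inside the namespace are attached to the root and matched against the profile's rules as if they were ordinary absolute paths, which loosens mediation. Please either cite the corresponding LXC denial in the message or leave this template out of the change, and add a comment above the profile line saying which inherited file descriptor needs the flag.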
Index: libvirt-3.7.0/examples/apparmor/TEMPLATE.qemu
===================================================================
--- libvirt-3.7.0.orig/examples/apparmor/TEMPLATE.qemu
+++ libvirt-3.7.0/examples/apparmor/TEMPLATE.qemu
@@ -4,6 +4,6 @@
#include <tunables/global>
-profile LIBVIRT_TEMPLATE {
+profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
#include <abstractions/libvirt-qemu>
}
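Review bot: Missing documentation on the `+profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {` line in TEMPLATE.qemu: nothing in the file records why the flag is set, so a later reader cannot tell it exists for the /dev/net/tun descriptor opened by libvirtd and handed to qemu. Because this is the template, the flag applies to every profile derived from it, including guests that never receive a tun descriptor. A short comment above the profile line naming the "Failed name lookup - disconnected path" denial on dev/net/tun would make the reason auditable and make it easier to narrow or remove the flag later.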