libvirt/apparmor-qemu-bridge-helper.patch

From 430cd5a72cf1f5c3e56cf1b4b40385812477aef3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Fri, 5 Aug 2016 09:32:54 +0200
Subject: [PATCH] apparmor: move qemu-bridge-helper to libvirtd profile

qemu-bridge-helper is only called from libvirtd, it has to be moved
from the qemu domain abstraction to the usr.sbin.libvirtd profile.
---
 examples/apparmor/libvirt-qemu      | 19 -------------------
 examples/apparmor/usr.sbin.libvirtd | 18 ++++++++++++++++++
 2 files changed, 18 insertions(+), 19 deletions(-)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index efb4873..11381d4 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -148,22 +148,3 @@
   /etc/udev/udev.conf r,
   /sys/bus/ r,
   /sys/class/ r,
-
-  /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
-  # child profile for bridge helper process
-  profile qemu_bridge_helper {
-   #include <abstractions/base>
-
-   capability setuid,
-   capability setgid,
-   capability setpcap,
-   capability net_admin,
-
-   network inet stream,
-
-   /dev/net/tun rw,
-   /etc/qemu/** r,
-   owner @{PROC}/*/status r,
-
-   /usr/{lib,libexec}/qemu-bridge-helper rmix,
-  }
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 23f70f5..48651b2 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -67,4 +67,22 @@
   # allow changing to our UUID-based named profiles
   change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
 
+  /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+  # child profile for bridge helper process
+  profile qemu_bridge_helper {
+   #include <abstractions/base>
+
+   capability setuid,
+   capability setgid,
+   capability setpcap,
+   capability net_admin,
+
+   network inet stream,
+
+   /dev/net/tun rw,
+   /etc/qemu/** r,
+   owner @{PROC}/*/status r,
+
+   /usr/{lib,libexec}/qemu-bridge-helper rmix,
+  }
 }
-- 
2.6.6
Accepting request 417046 from home:cbosdonnat:branches:Virtualization - bsc#988279. Move the qemu-bridge-helper apparmor profile from the qemu abstraction to the usr.sbin.libvirtd profile. apparmor-qemu-bridge-helper.patch OBS-URL: https://build.opensuse.org/request/show/417046 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=559 2016-08-05 10:23:21 +02:00			`From 430cd5a72cf1f5c3e56cf1b4b40385812477aef3 Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>`
			`Date: Fri, 5 Aug 2016 09:32:54 +0200`
			`Subject: [PATCH] apparmor: move qemu-bridge-helper to libvirtd profile`

			`qemu-bridge-helper is only called from libvirtd, it has to be moved`
			`from the qemu domain abstraction to the usr.sbin.libvirtd profile.`
			`---`
			`examples/apparmor/libvirt-qemu \| 19 -------------------`
			`examples/apparmor/usr.sbin.libvirtd \| 18 ++++++++++++++++++`
			`2 files changed, 18 insertions(+), 19 deletions(-)`

			`diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu`
			`index efb4873..11381d4 100644`
			`--- a/examples/apparmor/libvirt-qemu`
			`+++ b/examples/apparmor/libvirt-qemu`
			`@@ -148,22 +148,3 @@`
			`/etc/udev/udev.conf r,`
			`/sys/bus/ r,`
			`/sys/class/ r,`
			`-`
			`- /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,`
			`- # child profile for bridge helper process`
			`- profile qemu_bridge_helper {`
			`- #include <abstractions/base>`
			`-`
			`- capability setuid,`
			`- capability setgid,`
			`- capability setpcap,`
			`- capability net_admin,`
			`-`
			`- network inet stream,`
			`-`
			`- /dev/net/tun rw,`
			`- /etc/qemu/** r,`
			`- owner @{PROC}/*/status r,`
			`-`
			`- /usr/{lib,libexec}/qemu-bridge-helper rmix,`
			`- }`
			`diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd`
			`index 23f70f5..48651b2 100644`
			`--- a/examples/apparmor/usr.sbin.libvirtd`
			`+++ b/examples/apparmor/usr.sbin.libvirtd`
			`@@ -67,4 +67,22 @@`
			`# allow changing to our UUID-based named profiles`
			`change_profile -> @{LIBVIRT}-[0-9a-f]-[0-9a-f]-[0-9a-f]-[0-9a-f]-[0-9a-f]*,`

			`+ /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,`
			`+ # child profile for bridge helper process`
			`+ profile qemu_bridge_helper {`
			`+ #include <abstractions/base>`
			`+`
			`+ capability setuid,`
			`+ capability setgid,`
			`+ capability setpcap,`
			`+ capability net_admin,`
			`+`
			`+ network inet stream,`
			`+`
			`+ /dev/net/tun rw,`
			`+ /etc/qemu/** r,`
			`+ owner @{PROC}/*/status r,`
			`+`
			`+ /usr/{lib,libexec}/qemu-bridge-helper rmix,`
			`+ }`
			`}`
			`--`
			`2.6.6`