libvirt/b6440119-qemu-conf-sev.patch

commit b6440119185a4e307654a8d26d6d551a2675bf82
Author: Erik Skultety <eskultet@redhat.com>
Date:   Mon Jan 21 14:48:02 2019 +0100

    qemu: conf: Remove /dev/sev from the default cgroup device acl list
    
    We should not give domains access to something they don't necessarily
    need by default. Remove it from the qemu driver docs too.
    
    Signed-off-by: Erik Skultety <eskultet@redhat.com>
    Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Index: libvirt-5.0.0/docs/drvqemu.html.in
===================================================================
--- libvirt-5.0.0.orig/docs/drvqemu.html.in
+++ libvirt-5.0.0/docs/drvqemu.html.in
@@ -396,8 +396,7 @@ chmod o+x /path/to/directory
 /dev/null, /dev/full, /dev/zero,
 /dev/random, /dev/urandom,
 /dev/ptmx, /dev/kvm, /dev/kqemu,
-/dev/rtc, /dev/hpet, /dev/net/tun,
-/dev/sev
+/dev/rtc, /dev/hpet, /dev/net/tun
 </pre>
 
     <p>
Index: libvirt-5.0.0/src/qemu/qemu.conf
===================================================================
--- libvirt-5.0.0.orig/src/qemu/qemu.conf
+++ libvirt-5.0.0/src/qemu/qemu.conf
@@ -484,7 +484,7 @@
 #    "/dev/null", "/dev/full", "/dev/zero",
 #    "/dev/random", "/dev/urandom",
 #    "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
-#    "/dev/rtc","/dev/hpet", "/dev/sev"
+#    "/dev/rtc","/dev/hpet"
 #]
 #
 # RDMA migration requires the following extra files to be added to the list:
Index: libvirt-5.0.0/src/qemu/qemu_cgroup.c
===================================================================
--- libvirt-5.0.0.orig/src/qemu/qemu_cgroup.c
+++ libvirt-5.0.0/src/qemu/qemu_cgroup.c
@@ -46,7 +46,7 @@ const char *const defaultDeviceACL[] = {
     "/dev/null", "/dev/full", "/dev/zero",
     "/dev/random", "/dev/urandom",
     "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
-    "/dev/rtc", "/dev/hpet", "/dev/sev",
+    "/dev/rtc", "/dev/hpet",
     NULL,
 };
 #define DEVICE_PTY_MAJOR 136
Index: libvirt-5.0.0/src/qemu/test_libvirtd_qemu.aug.in
===================================================================
--- libvirt-5.0.0.orig/src/qemu/test_libvirtd_qemu.aug.in
+++ libvirt-5.0.0/src/qemu/test_libvirtd_qemu.aug.in
@@ -62,7 +62,6 @@ module Test_libvirtd_qemu =
     { "8" = "/dev/kqemu" }
     { "9" = "/dev/rtc" }
     { "10" = "/dev/hpet" }
-    { "11" = "/dev/sev" }
 }
 { "save_image_format" = "raw" }
 { "dump_image_format" = "raw" }
Accepting request 672885 from home:jfehlig:branches:Virtualization - qemu: fix issues related to restricted permissions on /dev/sev b6440119-qemu-conf-sev.patch, a404ac34-qemu-cgroup-sev.patch, 6fd4c8f8-qemu-domain-sev.patch, 17f6a257-security-dac-sev.patch, a2d3dea9-qemu-caps-dac-override-sev.patch bsc#1124842 OBS-URL: https://build.opensuse.org/request/show/672885 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=728 2019-02-08 22:26:33 +00:00			`commit b6440119185a4e307654a8d26d6d551a2675bf82`
			`Author: Erik Skultety <eskultet@redhat.com>`
			`Date: Mon Jan 21 14:48:02 2019 +0100`

			`qemu: conf: Remove /dev/sev from the default cgroup device acl list`

			`We should not give domains access to something they don't necessarily`
			`need by default. Remove it from the qemu driver docs too.`

			`Signed-off-by: Erik Skultety <eskultet@redhat.com>`
			`Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>`

			`Index: libvirt-5.0.0/docs/drvqemu.html.in`
			`===================================================================`
			`--- libvirt-5.0.0.orig/docs/drvqemu.html.in`
			`+++ libvirt-5.0.0/docs/drvqemu.html.in`
			`@@ -396,8 +396,7 @@ chmod o+x /path/to/directory`
			`/dev/null, /dev/full, /dev/zero,`
			`/dev/random, /dev/urandom,`
			`/dev/ptmx, /dev/kvm, /dev/kqemu,`
			`-/dev/rtc, /dev/hpet, /dev/net/tun,`
			`-/dev/sev`
			`+/dev/rtc, /dev/hpet, /dev/net/tun`
			`</pre>`

			`<p>`
			`Index: libvirt-5.0.0/src/qemu/qemu.conf`
			`===================================================================`
			`--- libvirt-5.0.0.orig/src/qemu/qemu.conf`
			`+++ libvirt-5.0.0/src/qemu/qemu.conf`
			`@@ -484,7 +484,7 @@`
			`# "/dev/null", "/dev/full", "/dev/zero",`
			`# "/dev/random", "/dev/urandom",`
			`# "/dev/ptmx", "/dev/kvm", "/dev/kqemu",`
			`-# "/dev/rtc","/dev/hpet", "/dev/sev"`
			`+# "/dev/rtc","/dev/hpet"`
			`#]`
			`#`
			`# RDMA migration requires the following extra files to be added to the list:`
			`Index: libvirt-5.0.0/src/qemu/qemu_cgroup.c`
			`===================================================================`
			`--- libvirt-5.0.0.orig/src/qemu/qemu_cgroup.c`
			`+++ libvirt-5.0.0/src/qemu/qemu_cgroup.c`
			`@@ -46,7 +46,7 @@ const char *const defaultDeviceACL[] = {`
			`"/dev/null", "/dev/full", "/dev/zero",`
			`"/dev/random", "/dev/urandom",`
			`"/dev/ptmx", "/dev/kvm", "/dev/kqemu",`
			`- "/dev/rtc", "/dev/hpet", "/dev/sev",`
			`+ "/dev/rtc", "/dev/hpet",`
			`NULL,`
			`};`
			`#define DEVICE_PTY_MAJOR 136`
			`Index: libvirt-5.0.0/src/qemu/test_libvirtd_qemu.aug.in`
			`===================================================================`
			`--- libvirt-5.0.0.orig/src/qemu/test_libvirtd_qemu.aug.in`
			`+++ libvirt-5.0.0/src/qemu/test_libvirtd_qemu.aug.in`
			`@@ -62,7 +62,6 @@ module Test_libvirtd_qemu =`
			`{ "8" = "/dev/kqemu" }`
			`{ "9" = "/dev/rtc" }`
			`{ "10" = "/dev/hpet" }`
			`- { "11" = "/dev/sev" }`
			`}`
			`{ "save_image_format" = "raw" }`
			`{ "dump_image_format" = "raw" }`