libvirt/a3ab6d42-apparmor-conv-libvirtd-named-profile.patch

commit a3ab6d42d825499af44b8f19f9299e150d9687bc
Author: Jim Fehlig <jfehlig@suse.com>
Date:   Fri Jan 11 17:59:59 2019 -0700

    apparmor: convert libvirtd profile to a named profile
    
    Signed-off-by: Jim Fehlig <jfehlig@suse.com>

Index: libvirt-5.0.0/src/security/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-5.0.0.orig/src/security/apparmor/usr.sbin.libvirtd
+++ libvirt-5.0.0/src/security/apparmor/usr.sbin.libvirtd
@@ -2,7 +2,7 @@
 #include <tunables/global>
 @{LIBVIRT}="libvirt"
 
-/usr/sbin/libvirtd flags=(attach_disconnected) {
+profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/dbus>
 
@@ -51,7 +51,7 @@
   unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
 
   ptrace (read,trace) peer=unconfined,
-  ptrace (read,trace) peer=/usr/sbin/libvirtd,
+  ptrace (read,trace) peer=@{profile_name},
   ptrace (read,trace) peer=dnsmasq,
   ptrace (read,trace) peer=/usr/sbin/dnsmasq,
   ptrace (read,trace) peer=libvirt-*,
@@ -123,6 +123,7 @@
    # For communication/control from libvirtd
    unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
    signal (receive) set=("term") peer=/usr/sbin/libvirtd,
+   signal (receive) set=("term") peer=libvirtd,
 
    /dev/net/tun rw,
    /etc/qemu/** r,
Accepting request 668190 from home:jfehlig:branches:Virtualization - apparmor: add support for named profiles and convert libvirtd profile to a named profile 70c2933d-apparmor-named-profiles.patch, a3ab6d42-apparmor-conv-libvirtd-named-profile.patch boo#1118952 - libxl: save current memory value after successful balloon 11c8aca9-libxl-set-mem-after-balloon.patch bsc#1120813 OBS-URL: https://build.opensuse.org/request/show/668190 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=726 2019-01-23 23:10:16 +01:00			`commit a3ab6d42d825499af44b8f19f9299e150d9687bc`
			`Author: Jim Fehlig <jfehlig@suse.com>`
			`Date: Fri Jan 11 17:59:59 2019 -0700`

			`apparmor: convert libvirtd profile to a named profile`

			`Signed-off-by: Jim Fehlig <jfehlig@suse.com>`

			`Index: libvirt-5.0.0/src/security/apparmor/usr.sbin.libvirtd`
			`===================================================================`
			`--- libvirt-5.0.0.orig/src/security/apparmor/usr.sbin.libvirtd`
			`+++ libvirt-5.0.0/src/security/apparmor/usr.sbin.libvirtd`
			`@@ -2,7 +2,7 @@`
			`#include <tunables/global>`
			`@{LIBVIRT}="libvirt"`

			`-/usr/sbin/libvirtd flags=(attach_disconnected) {`
			`+profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {`
			`#include <abstractions/base>`
			`#include <abstractions/dbus>`

			`@@ -51,7 +51,7 @@`
			`unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),`

			`ptrace (read,trace) peer=unconfined,`
			`- ptrace (read,trace) peer=/usr/sbin/libvirtd,`
			`+ ptrace (read,trace) peer=@{profile_name},`
			`ptrace (read,trace) peer=dnsmasq,`
			`ptrace (read,trace) peer=/usr/sbin/dnsmasq,`
			`ptrace (read,trace) peer=libvirt-*,`
			`@@ -123,6 +123,7 @@`
			`# For communication/control from libvirtd`
			`unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),`
			`signal (receive) set=("term") peer=/usr/sbin/libvirtd,`
			`+ signal (receive) set=("term") peer=libvirtd,`

			`/dev/net/tun rw,`
			`/etc/qemu/** r,`