rpm/libvirt
SHA256
1
0
Fork 0
forked from pool/libvirt
Code Pull Requests Activity
690cef5c1e
libvirt/0001-virt-aa-helper-handle-more-disk-images.patch

101 lines
3.2 KiB
Diff
Raw Normal View History

Accepting request 558885 from home:cbosdonnat:branches:Virtualization - Close clients before drivers are cleaned up to avoid crash at libvirtd stop (bsc#1073730) daemon-close-crasher.patch - Set a hostname on lxc containers based on guest's name. lxc-hostname.patch OBS-URL: https://build.opensuse.org/request/show/558885 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=652
2017-12-20 18:21:40 +01:00
From 4fafa4c0b150c011ae905dfebcb7b42d20d8390b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Mon, 11 Dec 2017 11:09:31 +0100
Subject: [PATCH] virt-aa-helper: handle more disk images
virt-aa-helper needs read access to the disk image to resolve symlinks
and add the proper rules to the profile. Its profile whitelists a few
common paths, but users can place their images anywhere.
This commit helps users allowing access to their images by adding their
own rules in apparmor.d/local/usr.lib.libvirt.virt-aa-helper.
This commit also adds rules to allow reading files named:
- *.raw as this is a rather common disk image extension
- /run/libvirt/**[vd]d[a-z] as these are used by virt-sandbox
---
examples/Makefile.am | 23 +++++++++++++++++++++--
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++++
2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/examples/Makefile.am b/examples/Makefile.am
index ef2f79db3..eca3506b0 100644
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
@@ -67,6 +67,9 @@ admin_client_info_SOURCES = admin/client_info.c
admin_client_close_SOURCES = admin/client_close.c
admin_logging_SOURCES = admin/logging.c
+INSTALL_DATA_LOCAL =
+UNINSTALL_LOCAL =
+
if WITH_APPARMOR_PROFILES
apparmordir = $(sysconfdir)/apparmor.d/
apparmor_DATA = \
@@ -85,20 +88,36 @@ templates_DATA = \
apparmor/TEMPLATE.qemu \
apparmor/TEMPLATE.lxc \
$(NULL)
+
+APPARMOR_LOCAL_DIR = "$(DESTDIR)$(apparmordir)/local"
+install-apparmor-local:
+ $(MKDIR_P) "$(APPARMOR_LOCAL_DIR)"
+ echo "# Site-specific additions and overrides for 'usr.lib.libvirt.virt-aa-helper'" \
+ >$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper
+
+INSTALL_DATA_LOCAL += install-apparmor-local
+UNINSTALL_LOCAL += uninstall-apparmor-local
endif WITH_APPARMOR_PROFILES
if WITH_NWFILTER
NWFILTER_DIR = "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter"
-install-data-local:
+install-nwfilter-local:
$(MKDIR_P) "$(NWFILTER_DIR)"
for f in $(FILTERS); do \
$(INSTALL_DATA) $$f "$(NWFILTER_DIR)"; \
done
-uninstall-local::
+uninstall-nwfilter-local::
for f in $(FILTERS); do \
rm -f "$(NWFILTER_DIR)/`basename $$f`"; \
done
-test -z "$(shell ls $(NWFILTER_DIR))" || rmdir $(NWFILTER_DIR)
+
+INSTALL_DATA_LOCAL += install-nwfilter-local
+UNINSTALL_LOCAL += uninstall-nwfilter-local
endif WITH_NWFILTER
+
+install-data-local: $(INSTALL_DATA_LOCAL)
+
+uninstall-local: $(UNINSTALL_LOCAL)
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
index bd6181d00..f3069d369 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -3,6 +3,7 @@
profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
#include <abstractions/base>
+ #include <local/usr.lib.libvirt.virt-aa-helper>
# needed for searching directories
capability dac_override,
@@ -50,8 +51,11 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
/var/lib/libvirt/images/ r,
/var/lib/libvirt/images/** r,
/{media,mnt,opt,srv}/** r,
+ # For virt-sandbox
+ /run/libvirt/**/[sv]d[a-z] r
/**.img r,
+ /**.raw r,
/**.qcow{,2} r,
/**.qed r,
/**.vmdk r,
--
2.15.1
Copy Permalink