diff --git a/apparmor-qemu-bridge-helper.patch b/apparmor-qemu-bridge-helper.patch
new file mode 100644
index 0000000..c472caa
--- /dev/null
+++ b/apparmor-qemu-bridge-helper.patch
@@ -0,0 +1,69 @@
+From 430cd5a72cf1f5c3e56cf1b4b40385812477aef3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
+Date: Fri, 5 Aug 2016 09:32:54 +0200
+Subject: [PATCH] apparmor: move qemu-bridge-helper to libvirtd profile
+
+qemu-bridge-helper is only called from libvirtd, it has to be moved
+from the qemu domain abstraction to the usr.sbin.libvirtd profile.
+---
+ examples/apparmor/libvirt-qemu | 19 -------------------
+ examples/apparmor/usr.sbin.libvirtd | 18 ++++++++++++++++++
+ 2 files changed, 18 insertions(+), 19 deletions(-)
+
+diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
+index efb4873..11381d4 100644
+--- a/examples/apparmor/libvirt-qemu
++++ b/examples/apparmor/libvirt-qemu
+@@ -148,22 +148,3 @@
+ /etc/udev/udev.conf r,
+ /sys/bus/ r,
+ /sys/class/ r,
+-
+- /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+- # child profile for bridge helper process
+- profile qemu_bridge_helper {
+- #include
+
+- capability setuid,
+- capability setgid,
+- capability setpcap,
+- capability net_admin,
+
+- network inet stream,
+
+- /dev/net/tun rw,
+- /etc/qemu/** r,
+- owner @{PROC}/*/status r,
+
+- /usr/{lib,libexec}/qemu-bridge-helper rmix,
+- }
+diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
+index 23f70f5..48651b2 100644
+--- a/examples/apparmor/usr.sbin.libvirtd
++++ b/examples/apparmor/usr.sbin.libvirtd
+@@ -67,4 +67,22 @@
+ # allow changing to our UUID-based named profiles
+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
++ /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
++ # child profile for bridge helper process
++ profile qemu_bridge_helper {
++ #include
++
++ capability setuid,
++ capability setgid,
++ capability setpcap,
++ capability net_admin,
++
++ network inet stream,
++
++ /dev/net/tun rw,
++ /etc/qemu/** r,
++ owner @{PROC}/*/status r,
++
++ /usr/{lib,libexec}/qemu-bridge-helper rmix,
++ }
+
}
+--
+2.6.6
+
diff --git a/libvirt.changes b/libvirt.changes
index cc8c3b7..dfccb8d 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Aug 5 08:05:39 UTC 2016 - cbosdonnat@suse.com
+
+- bsc#988279. Move the qemu-bridge-helper apparmor profile from the
+ qemu abstraction to the usr.sbin.libvirtd profile.
+ apparmor-qemu-bridge-helper.patch
+
 -------------------------------------------------------------------
 Wed Aug 3 19:31:11 UTC 2016 - jfehlig@suse.com
diff --git a/libvirt.spec b/libvirt.spec
index 08082f5..68a84fb 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libvirt
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -325,6 +325,7 @@ Patch153: ppc64le-canonical-name.patch
 Patch154: libxl-set-migration-constraints.patch
 Patch155: libxl-set-cach-mode.patch
 Patch156: apparmor-fixes.patch
+Patch157: apparmor-qemu-bridge-helper.patch
 # Our patches
 Patch200: libvirtd-defaults.patch
 Patch201: libvirtd-init-script.patch
@@ -776,6 +777,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %patch154 -p1
 %patch155 -p1
 %patch156 -p1
+%patch157 -p1
 %patch200 -p1
 %patch201 -p1
 %patch202 -p1
diff --git a/qemu-apparmor-screenshot.patch b/qemu-apparmor-screenshot.patch
index 582493c..8dc46f6 100644
--- a/qemu-apparmor-screenshot.patch
+++ b/qemu-apparmor-screenshot.patch
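Review bot: The child profile is carried over into usr.sbin.libvirtd verbatim, so its only comment, `# child profile for bridge helper process`, still does not say why it belongs in the libvirtd profile rather than in the libvirt-qemu abstraction; the commit message has the reason, so put it next to the rule, e.g. `# qemu-bridge-helper is executed by libvirtd itself, not by the qemu process, so its Cx transition and child profile live here rather than in the libvirt-qemu abstraction`. The `#include` line inside `profile qemu_bridge_helper {` (in both the removed and the added block) shows no abstraction name in this rendering; if the patch file really reads that way the profile will not parse, so confirm the `<abstractions/...>` target survived before the patch is applied. Since the nested hunk `@@ -148,22 +148,3 @@` deletes the rules from the per-VM abstraction outright, a qemu process that still tried to exec the helper would now be denied by its own profile rather than confined by the setuid/net_admin child profile, which is the intended tightening if, as the description states, only libvirtd calls it — worth confirming against the libvirt version this package builds. The libvirtd profile body that the new block is appended to starts outside the hunk.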
@@ -2,13 +2,10 @@ Index: libvirt-2.0.0/examples/apparmor/libvirt-qemu
 ===================================================================
 --- libvirt-2.0.0.orig/examples/apparmor/libvirt-qemu
 +++ libvirt-2.0.0/examples/apparmor/libvirt-qemu
-@@ -152,6 +152,9 @@
+@@ -151,3 +151,6 @@
+ /etc/udev/udev.conf r,
 /sys/bus/ r,
 /sys/class/ r,
-
++
 + # Temporary screendump rule -- See bsc#904426
 + /var/cache/libvirt/qemu/qemu.screendump.* rw,
-+
- /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
- # child profile for bridge helper process
- profile qemu_bridge_helper {