From 14ffab8d40f702bdb9565fb6850c201ffc7a05bdb28ff1aadb4f2c05cb90faf3 Mon Sep 17 00:00:00 2001
From: James Fehlig
Date: Mon, 22 Jan 2018 20:41:06 +0000
Subject: [PATCH] Accepting request 568385 from home:jfehlig:branches:Virtualization

Inadvertently removed suse-apparmor-signal.patch. Add it back.

OBS-URL: https://build.opensuse.org/request/show/568385
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=663
---
 libvirt.changes | 1 -
 libvirt.spec | 18 ++++++++++--------
 suse-apparmor-signal.patch | 25 +++++++++++++++++++++++++
 virt-create-rootfs.patch | 18 +++++++++--------
 4 files changed, 44 insertions(+), 18 deletions(-)
 create mode 100644 suse-apparmor-signal.patch

diff --git a/libvirt.changes b/libvirt.changes
index fa10850..df45de9 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -13,7 +13,6 @@ Fri Jan 19 16:31:53 UTC 2018 - jfehlig@suse.com
 faec1958-lxc-set-hostname-based-on-container-name.patch,
 2089ab21-netserver-close-clients-before-stopping-all-drivers.patch,
 fix-virt-aa-helper-profile.patch,
- suse-apparmor-signal.patch
 - Patches added to fix upstream bugs:
 72adaf2f-revert-qemu-monitor-error-report.patch,
 71d56a39-nodedev-fix-parse-PCI-address.patch
diff --git a/libvirt.spec b/libvirt.spec
index 58a9333..5c74b8f 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -340,14 +340,15 @@ Patch205: suse-libvirtd-service-xen.patch
 Patch206: suse-qemu-conf.patch
 Patch207: suse-ovmf-paths.patch
 Patch208: suse-apparmor-libnl-paths.patch
-Patch209: support-managed-pci-xen-driver.patch
-Patch210: xen-sxpr-disk-type.patch
-Patch211: libxl-support-block-script.patch
-Patch212: apparmor-no-mount.patch
-Patch213: qemu-apparmor-screenshot.patch
-Patch214: libvirt-suse-netcontrol.patch
-Patch215: lxc-wait-after-eth-del.patch
-Patch216: libxl-qemu-emulator-caps.patch
+Patch209: suse-apparmor-signal.patch
+Patch210: support-managed-pci-xen-driver.patch
+Patch211: xen-sxpr-disk-type.patch
+Patch212: libxl-support-block-script.patch
+Patch213: apparmor-no-mount.patch
+Patch214: qemu-apparmor-screenshot.patch
+Patch215: libvirt-suse-netcontrol.patch
+Patch216: lxc-wait-after-eth-del.patch
+Patch217: libxl-qemu-emulator-caps.patch
 # SLES-Only patches
 %if ! 0%{?is_opensuse}
 Patch400: virt-create-rootfs.patch
@@ -930,6 +931,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %patch214 -p1
 %patch215 -p1
 %patch216 -p1
+%patch217 -p1
 %if ! 0%{?is_opensuse}
 %patch400 -p1
 %endif
diff --git a/suse-apparmor-signal.patch b/suse-apparmor-signal.patch
new file mode 100644
index 0000000..1b91a2e
--- /dev/null
+++ b/suse-apparmor-signal.patch
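Review bot: Inserting suse-apparmor-signal.patch as Patch209 renumbers eight existing Patch lines while the matching `%patch209 -p1` … `%patch216 -p1` apply lines in the second hunk are left untouched, so each of them now applies a different file than before; that is only safe because every visible apply line uses the same `-p1` strip level. Appending the new entry as `Patch217: suse-apparmor-signal.patch` next to the added `%patch217 -p1` would have kept the change to two lines and left the existing number-to-file mapping intact. The %prep apply list touched by the second hunk starts outside the hunk, so an apply line with a different strip level would not be visible here.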
@@ -0,0 +1,25 @@
+apparmor: allow libvirtd to send signals to unconfined processes
+
+When confinement of QEMU/KVM domains is not enforced (security_default_confined = 0),
+qemu processes run unconfined. Add a rule to the libvirtd apparmor profile allowing
+sending signals to unconfined processes. Without the rule, libvirtd
+is unable to signal QEMU/KVM domains. E.g. 'virsh destroy dom' results in the
+following denial in audit.log
+
+type=AVC msg=audit(1510951646.581:939): apparmor="DENIED" operation="signal"
+profile="/usr/sbin/libvirtd" pid=18891 comm="libvirtd" requested_mask="send"
+denied_mask="send" signal=term peer="unconfined"
+
+Index: libvirt-4.0.0/examples/apparmor/usr.sbin.libvirtd
+===================================================================
+--- libvirt-4.0.0.orig/examples/apparmor/usr.sbin.libvirtd
++++ libvirt-4.0.0/examples/apparmor/usr.sbin.libvirtd
+@@ -63,7 +63,7 @@
+ 
+ signal (send) peer=/usr/sbin/dnsmasq,
+ signal (read, send) peer=libvirt-*,
+- signal (send) set=("kill") peer=unconfined,
++ signal (send) set=("kill", "term", "hup") peer=unconfined,
+ 
+ # Very lenient profile for libvirtd since we want to first focus on confining
+ # the guests. Guests will have a very restricted profile.
diff --git a/virt-create-rootfs.patch b/virt-create-rootfs.patch
index 6a48de6..bff37a3 100644
--- a/virt-create-rootfs.patch
+++ b/virt-create-rootfs.patch
@@ -1,7 +1,7 @@
-Index: libvirt-3.10.0/tools/Makefile.am
+Index: libvirt-4.0.0/tools/Makefile.am
 ===================================================================
---- libvirt-3.10.0.orig/tools/Makefile.am
-+++ libvirt-3.10.0/tools/Makefile.am
+--- libvirt-4.0.0.orig/tools/Makefile.am
++++ libvirt-4.0.0/tools/Makefile.am
 @@ -52,6 +52,7 @@ PODFILES = \
  virt-sanlock-cleanup.pod \
  virt-xml-validate.pod \
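Review bot: The widened rule `signal (send) set=("kill", "term", "hup") peer=unconfined,` is justified in the patch header only for term — the quoted audit denial shows `signal=term` — while `hup` is added with no stated reason, so the description should name the denial or libvirtd operation that needs it, or leave it out until one is observed. The description should also say that `peer=unconfined` matches every unconfined process on the host, not only QEMU domains; the added exposure is limited because the old line already permitted `kill` to the same peer, but that reasoning belongs in the patch text rather than in the reviewer's head. Since the profile comment two lines below already calls this a very lenient profile, a one-line reason per added signal keeps the rule reviewable when confinement is tightened later.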
@@ -10,7 +10,7 @@ Index: libvirt-3.10.0/tools/Makefile.am $(NULL) MANINFILES = \ -@@ -85,7 +86,7 @@ MAINTAINERCLEANFILES = +@@ -86,7 +87,7 @@ MAINTAINERCLEANFILES = confdir = $(sysconfdir)/libvirt conf_DATA = @@ -19,7 +19,7 @@ Index: libvirt-3.10.0/tools/Makefile.am bin_PROGRAMS = virsh virt-admin libexec_SCRIPTS = libvirt-guests.sh man1_MANS = \ -@@ -111,6 +112,8 @@ bin_PROGRAMS += virt-host-validate +@@ -112,6 +113,8 @@ bin_PROGRAMS += virt-host-validate man1_MANS += virt-host-validate.1 endif WITH_HOST_VALIDATE @@ -28,10 +28,10 @@ Index: libvirt-3.10.0/tools/Makefile.am virt-xml-validate: virt-xml-validate.in Makefile $(AM_V_GEN)sed -e 's|[@]schemadir@|$(pkgdatadir)/schemas|g' \ -e 's|[@]VERSION@|$(VERSION)|g' \ -Index: libvirt-3.10.0/tools/virt-create-rootfs +Index: libvirt-4.0.0/tools/virt-create-rootfs =================================================================== --- /dev/null -+++ libvirt-3.10.0/tools/virt-create-rootfs ++++ libvirt-4.0.0/tools/virt-create-rootfs @@ -0,0 +1,214 @@ +#!/bin/sh +set -e @@ -247,10 +247,10 @@ Index: libvirt-3.10.0/tools/virt-create-rootfs + echo "pts/0" >> "$ROOT/etc/securetty" + chroot "$ROOT" /usr/bin/passwd +fi -Index: libvirt-3.10.0/tools/virt-create-rootfs.pod +Index: libvirt-4.0.0/tools/virt-create-rootfs.pod =================================================================== --- /dev/null -+++ libvirt-3.10.0/tools/virt-create-rootfs.pod ++++ libvirt-4.0.0/tools/virt-create-rootfs.pod @@ -0,0 +1,77 @@ +=head1 NAME +