From 21a15fa2f759f4f9fccda3ef6002705ccc9349641c48103372d38665ce63d6bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= Date: Wed, 20 Dec 2017 19:41:21 +0000 Subject: [PATCH] Accepting request 558919 from home:cbosdonnat:branches:Virtualization - Enhance apparmor rules for virt-aa-helper (bsc#1070916) 0f33025a-virt-aa-helper-handle-more-disk-images.patch OBS-URL: https://build.opensuse.org/request/show/558919 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=653 --- ...rt-aa-helper-handle-more-disk-images.patch | 32 +++++++++---------- libvirt.changes | 2 ++ libvirt.spec | 8 ++--- 3 files changed, 21 insertions(+), 21 deletions(-) rename 0001-virt-aa-helper-handle-more-disk-images.patch => 0f33025a-virt-aa-helper-handle-more-disk-images.patch (78%) diff --git a/0001-virt-aa-helper-handle-more-disk-images.patch b/0f33025a-virt-aa-helper-handle-more-disk-images.patch similarity index 78% rename from 0001-virt-aa-helper-handle-more-disk-images.patch rename to 0f33025a-virt-aa-helper-handle-more-disk-images.patch index 66d88fe..08d1a90 100644 --- a/0001-virt-aa-helper-handle-more-disk-images.patch +++ b/0f33025a-virt-aa-helper-handle-more-disk-images.patch @@ -1,4 +1,4 @@ -From 4fafa4c0b150c011ae905dfebcb7b42d20d8390b Mon Sep 17 00:00:00 2001 +From 0f33025a43788f7f3483dfac6ab0b9f79c0d7957 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= Date: Mon, 11 Dec 2017 11:09:31 +0100 Subject: [PATCH] virt-aa-helper: handle more disk images 
@@ -14,12 +14,12 @@ This commit also adds rules to allow reading files named: - *.raw as this is a rather common disk image extension - /run/libvirt/**[vd]d[a-z] as these are used by virt-sandbox --- - examples/Makefile.am | 23 +++++++++++++++++++++-- - examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++++ - 2 files changed, 25 insertions(+), 2 deletions(-) + examples/Makefile.am | 24 ++++++++++++++++++++++-- + examples/apparmor/usr.lib.libvirt.virt-aa-helper | 5 +++++ + 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/examples/Makefile.am b/examples/Makefile.am -index ef2f79db3..eca3506b0 100644 +index ef2f79db3..7069d74e7 100644 --- a/examples/Makefile.am +++ b/examples/Makefile.am @@ -67,6 +67,9 @@ admin_client_info_SOURCES = admin/client_info.c @@ -32,7 +32,7 @@ index ef2f79db3..eca3506b0 100644 if WITH_APPARMOR_PROFILES apparmordir = $(sysconfdir)/apparmor.d/ apparmor_DATA = \ -@@ -85,20 +88,36 @@ templates_DATA = \ +@@ -85,20 +88,37 @@ templates_DATA = \ apparmor/TEMPLATE.qemu \ apparmor/TEMPLATE.lxc \ $(NULL) @@ -40,7 +40,8 @@ index ef2f79db3..eca3506b0 100644 +APPARMOR_LOCAL_DIR = "$(DESTDIR)$(apparmordir)/local" +install-apparmor-local: + $(MKDIR_P) "$(APPARMOR_LOCAL_DIR)" -+ echo "# Site-specific additions and overrides for 'usr.lib.libvirt.virt-aa-helper'" \ ++ echo "# Site-specific additions and overrides for \ ++ 'usr.lib.libvirt.virt-aa-helper'" \ + >$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper + +INSTALL_DATA_LOCAL += install-apparmor-local @@ -72,18 +73,10 @@ index ef2f79db3..eca3506b0 100644 + +uninstall-local: $(UNINSTALL_LOCAL) diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper -index bd6181d00..f3069d369 100644 +index bd6181d00..9c822b644 100644 --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper 
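Review bot: In the `install-apparmor-local` recipe carried by the inner patch, the `echo ... >$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper` redirection truncates the local override file on every install, so a direct `make install` over an existing system would silently discard rules an administrator put there; whether the RPM protects the file depends on how the spec lists it, which this page does not show. Guarding the write keeps existing overrides, for example `f=$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper; test -e "$$f" || echo "# Site-specific additions and overrides for 'usr.lib.libvirt.virt-aa-helper'" >"$$f"`. Separately, `APPARMOR_LOCAL_DIR` already carries double quotes in its value, so `$(MKDIR_P) "$(APPARMOR_LOCAL_DIR)"` expands to a doubly quoted word and leaves the path effectively unquoted; define the variable without quotes and quote at each use. The re-wrapped `echo` now continues inside the double-quoted string, so any indentation on the continuation line after the recipe tab probably ends up in the generated comment.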
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper -@@ -3,6 +3,7 @@ - - profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { - #include -+ #include - - # needed for searching directories - capability dac_override, -@@ -50,8 +51,11 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { +@@ -50,11 +50,16 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { /var/lib/libvirt/images/ r, /var/lib/libvirt/images/** r, /{media,mnt,opt,srv}/** r, @@ -95,6 +88,11 @@ index bd6181d00..f3069d369 100644 /**.qcow{,2} r, /**.qed r, /**.vmdk r, + /**.[iI][sS][oO] r, + /**/disk{,.*} r, ++ ++ #include + } -- 2.15.1 diff --git a/libvirt.changes b/libvirt.changes index 51c9079..c600627 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -6,6 +6,8 @@ Wed Dec 20 16:58:50 UTC 2017 - cbosdonnat@suse.com daemon-close-crasher.patch - Set a hostname on lxc containers based on guest's name. lxc-hostname.patch +- Enhance apparmor rules for virt-aa-helper (bsc#1070916) + 0f33025a-virt-aa-helper-handle-more-disk-images.patch ------------------------------------------------------------------- Mon Dec 18 17:08:28 UTC 2017 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index 00ddc4e..2fe39a1 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -311,6 +311,7 @@ Source100: %{name}-rpmlintrc Patch0: 2d07f1f0-fix-storage-crash.patch Patch1: 69ed99c7-dom0-persistent.patch Patch2: 8599aedd-libvirt-guests-dom0-filter.patch +Patch3: 0f33025a-virt-aa-helper-handle-more-disk-images.patch # Patches pending upstream review Patch100: libxl-dom-reset.patch Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch 
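Review bot: The read rules `/**.[iI][sS][oO] r,` and `/**/disk{,.*} r,` in the virt-aa-helper profile hunk of the inner patch match on file name alone anywhere on the filesystem, and nothing next to them says why they need to be that wide. The profile head quoted in the dropped inner hunk shows `capability dac_override,`, so file permissions presumably do not narrow what the helper can open, and any file named `disk` or `disk.<suffix>` becomes readable to it. A comment above the two rules, such as `# images are matched by name wherever they live; keep these globs no wider than the supported image layouts need`, would record the trade-off for whoever tightens the profile later. The profile body starts outside the hunk, and the `#include` lines appear on this page without their target, so the include itself cannot be checked here.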
@@ -321,9 +322,8 @@ Patch152: libvirt-power8-models.patch
 Patch153: ppc64le-canonical-name.patch
 Patch154: libxl-set-migration-constraints.patch
 Patch155: libxl-set-cach-mode.patch
-Patch156: 0001-virt-aa-helper-handle-more-disk-images.patch
-Patch157: lxc-hostname.patch
-Patch158: daemon-close-crasher.patch
+Patch156: lxc-hostname.patch
+Patch157: daemon-close-crasher.patch
 # Our patches
 Patch200: suse-libvirtd-disable-tls.patch
 Patch201: suse-libvirtd-sysconfig-settings.patch
@@ -892,6 +892,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %patch100 -p1
 %patch101 -p1
 %patch150 -p1
@@ -902,7 +903,6 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %patch155 -p1
 %patch156 -p1
 %patch157 -p1
-%patch158 -p1
 %patch200 -p1
 %patch201 -p1
 %patch202 -p1