SHA256
1
0
forked from pool/libvirt

Accepting request 291048 from Virtualization

1

OBS-URL: https://build.opensuse.org/request/show/291048
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=172
This commit is contained in:
Dominique Leuenberger 2015-03-18 12:06:03 +00:00 committed by Git OBS Bridge
commit 805aacfe40
6 changed files with 93 additions and 17 deletions

33
apparmor-fixes.patch Normal file
View File

@ -0,0 +1,33 @@
Index: libvirt-1.2.13/examples/apparmor/libvirt-qemu
===================================================================
--- libvirt-1.2.13.orig/examples/apparmor/libvirt-qemu
+++ libvirt-1.2.13/examples/apparmor/libvirt-qemu
@@ -59,6 +59,7 @@
# access to firmware's etc
/usr/share/kvm/** r,
/usr/share/qemu/** r,
+ /usr/share/qemu-kvm/** r,
/usr/share/bochs/** r,
/usr/share/openbios/** r,
/usr/share/openhackware/** r,
@@ -73,6 +74,7 @@
# the various binaries
/usr/bin/kvm rmix,
/usr/bin/qemu rmix,
+ /usr/bin/qemu-kvm rmix,
/usr/bin/qemu-system-arm rmix,
/usr/bin/qemu-system-cris rmix,
/usr/bin/qemu-system-i386 rmix,
@@ -118,6 +120,12 @@
/bin/dd rmix,
/bin/cat rmix,
+ # for restore
+ /bin/bash rmix,
+
+ /run/nscd/passwd r,
+ /run/nscd/group r,
+
# for usb access
/dev/bus/usb/ r,
/etc/udev/udev.conf r,

View File

@ -1,3 +1,26 @@
-------------------------------------------------------------------
Thu Mar 12 07:48:35 UTC 2015 - fcastelli@suse.com
- Instruct polkit to allow memebers of the 'libvirt' group to connect
to libvirt without providing any password (bnc#920804)
- Added polkit-10-virt.rules to fix bnc#920804
-------------------------------------------------------------------
Wed Mar 11 09:29:29 MDT 2015 - jfehlig@suse.com
- Change default setting of security_default_confined in
/etc/libvirt/qemu.conf instead of in code. Making the change in
code changes the default behavior for all users, even those that
have a custom security setup in their /etc/libvirt/qemu.conf.
Modified suse-qemu-conf.patch
bsc#921586
-------------------------------------------------------------------
Mon Mar 9 16:51:08 UTC 2015 - cbosdonnat@suse.com
- Fixed a number of QEMU apparmor abstraction problems. bsc#921355
apparmor-fixes.patch
-------------------------------------------------------------------
Mon Mar 2 12:05:43 MST 2015 - jfehlig@suse.com

View File

@ -363,6 +363,7 @@ BuildRequires: cyrus-sasl-devel
%endif
%if %{with_polkit}
%if 0%{?suse_version} > 1110
BuildRequires: polkit >= 0.9
BuildRequires: polkit-devel >= 0.9
%else
BuildRequires: PolicyKit-devel >= 0.6
@ -432,6 +433,7 @@ Source1: %{name}-%{version}.tar.gz.asc
Source2: %{name}.keyring
Source3: libvirtd.init
Source4: libvirtd-relocation-server.fw
Source5: polkit-10-virt.rules
Source99: baselibs.conf
# Upstream patches
# Patches pending upstream review
@ -441,6 +443,7 @@ Patch151: xen-pv-cdrom.patch
Patch152: blockcopy-check-dst-identical-device.patch
Patch153: libvirt-power8-models.patch
Patch154: ppc64le-canonical-name.patch
Patch155: apparmor-fixes.patch
# Our patches
Patch200: libvirtd-defaults.patch
Patch201: libvirtd-init-script.patch
@ -973,6 +976,7 @@ Provides a dissector for the libvirt RPC protocol to help debugging it.
%patch152 -p1
%patch153 -p1
%patch154 -p1
%patch155 -p1
%patch200 -p1
%patch201 -p1
%patch202 -p1
@ -1336,6 +1340,12 @@ mkdir -p $RPM_BUILD_ROOT%{_sbindir}
ln -s %{_sysconfdir}/init.d/libvirt-guests $RPM_BUILD_ROOT%{_sbindir}/rclibvirt-guests
%endif
mv $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/libvirt-guests $RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates/sysconfig.libvirt-guests
%if %{with_polkit}
%if 0%{?suse_version} > 1110
install -d $RPM_BUILD_ROOT%{_sysconfdir}/polkit-1/rules.d/
install %SOURCE5 $RPM_BUILD_ROOT%{_sysconfdir}/polkit-1/rules.d/10-virt.rules
%endif
%endif
%fdupes -s $RPM_BUILD_ROOT
%clean
@ -1502,6 +1512,7 @@ fi
%if %{with_polkit}
%if 0%{?suse_version} > 1110
%{_datadir}/polkit-1/actions/org.libvirt.unix.policy
%{_sysconfdir}/polkit-1/rules.d/10-virt.rules
%else
%{_datadir}/PolicyKit/policy/org.libvirt.unix.policy
%endif

8
polkit-10-virt.rules Normal file
View File

@ -0,0 +1,8 @@
polkit.addRule(function(action, subject) {
if (action.id == "org.libvirt.unix.manage"
&& subject.local
&& subject.active
&& subject.isInGroup("libvirt")) {
return polkit.Result.YES;
}
});

View File

@ -2,7 +2,7 @@ Index: libvirt-1.2.13/examples/apparmor/libvirt-qemu
===================================================================
--- libvirt-1.2.13.orig/examples/apparmor/libvirt-qemu
+++ libvirt-1.2.13/examples/apparmor/libvirt-qemu
@@ -124,6 +124,9 @@
@@ -132,6 +132,9 @@
/sys/bus/ r,
/sys/class/ r,

View File

@ -2,16 +2,30 @@ Index: libvirt-1.2.13/src/qemu/qemu.conf
===================================================================
--- libvirt-1.2.13.orig/src/qemu/qemu.conf
+++ libvirt-1.2.13/src/qemu/qemu.conf
@@ -204,7 +204,7 @@
@@ -201,11 +201,20 @@
# isolation, but it cannot appear in a list of drivers.
#
#security_driver = "selinux"
+#security_driver = "apparmor"
# If set to non-zero, then the default security labeling
# will make guests confined. If set to zero, then guests
-# will be unconfined by default. Defaults to 1.
-#security_default_confined = 1
+# will be unconfined by default. Defaults to 0.
#security_default_confined = 1
+#
+# SUSE Note:
+# Currently, Apparmor is the default security framework in SUSE
+# distros. If Apparmor is enabled on the host, libvirtd is
+# generously confined but users must opt-in to confine qemu
+# instances. Change this to a non-zero value to enable default
+# Apparmor confinement of qemu instances.
+#
+security_default_confined = 0
# If set to non-zero, then attempts to create unconfined
@@ -417,11 +417,22 @@
# guests will be blocked. Defaults to 0.
@@ -417,11 +426,22 @@
#allow_disk_format_probing = 1
@ -39,16 +53,3 @@ Index: libvirt-1.2.13/src/qemu/qemu.conf
#
#lock_manager = "lockd"
Index: libvirt-1.2.13/src/qemu/qemu_conf.c
===================================================================
--- libvirt-1.2.13.orig/src/qemu/qemu_conf.c
+++ libvirt-1.2.13/src/qemu/qemu_conf.c
@@ -293,7 +293,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf
cfg->clearEmulatorCapabilities = true;
- cfg->securityDefaultConfined = true;
+ cfg->securityDefaultConfined = false;
cfg->securityRequireConfined = false;
cfg->keepAliveInterval = 5;