diff --git a/apparmor-allow-helpers.patch b/apparmor-allow-helpers.patch
new file mode 100644
index 0000000..65bb0bf
--- /dev/null
+++ b/apparmor-allow-helpers.patch
@@ -0,0 +1,34 @@
+From b2bf7c00b79de032bd7eeb6ba9c970895223a53f Mon Sep 17 00:00:00 2001
+Message-Id:
+In-Reply-To:
+References:
+From: Mike Latimer
+Date: Mon, 19 Jan 2015 17:12:33 -0700
+Subject: [PATCH 2/3] Grant access to helpers
+
+Apparmor must not prevent access to required helper programs. The following
+helpers should be allowed to run in unconfined execution mode:
+
+ - libvirt_parthelper
+ - libvirt_iohelper
+
+---
+ examples/apparmor/usr.sbin.libvirtd | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
+index 9917836..ab6572a 100644
+--- a/examples/apparmor/usr.sbin.libvirtd
++++ b/examples/apparmor/usr.sbin.libvirtd
+@@ -57,6 +57,8 @@
+ audit deny /sys/kernel/security/apparmor/.* rwxl,
+ /sys/kernel/security/apparmor/profiles r,
+ /usr/{lib,lib64}/libvirt/* PUxr,
++ /usr/{lib,lib64}/libvirt/libvirt_parthelper Ux,
++ /usr/{lib,lib64}/libvirt/libvirt_iohelper Ux,
+ /etc/libvirt/hooks/** rmix,
+ /etc/xen/scripts/** rmix,
+
+--
+1.8.4.5
+
diff --git a/apparmor-tck-raw-packets.patch b/apparmor-tck-raw-packets.patch
new file mode 100644
index 0000000..8a31047
--- /dev/null
+++ b/apparmor-tck-raw-packets.patch
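Review bot: The two new `Ux` rules overlap the `/usr/{lib,lib64}/libvirt/* PUxr` glob on the line above with a different exec modifier, and nothing in the hunk records why unconditional unconfined execution is preferred over the profile-if-present fallback that the glob already grants for these same paths. If the intent is only to ensure the helpers can run, the existing rule already covers them; if a per-helper profile must be bypassed, a comment such as `# helpers must run unconfined: <reason>` should say so. Depending on the apparmor_parser version, overlapping rules with conflicting x modifiers may also be rejected at load time, so the patched profile should be reloaded once to confirm it still parses. The same `Ux`-next-to-`PUx` choice appears in apparmor-xen-fixup.patch for `/usr/{lib,lib64}/xen/bin/*`.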
@@ -0,0 +1,34 @@
+From 3a94e34f2a411a2e371c8ead1fe54f7bdeaf0422 Mon Sep 17 00:00:00 2001
+Message-Id: <3a94e34f2a411a2e371c8ead1fe54f7bdeaf0422.1421716686.git.mlatimer@suse.com>
+In-Reply-To:
+References:
+From: Mike Latimer
+Date: Mon, 19 Jan 2015 18:18:02 -0700
+Subject: [PATCH 3/3] Fix apparmor issues for tck
+
+The network and nwfilter tests contained in the libvirt-TCK testkit can fail
+unless access to raw network packets is granted. Without this access, the
+following apparmor error can be seen while running the tests:
+
+ apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/libvirtd"
+ pid=94731 comm="libvirtd" family="packet" sock_type="raw" protocol=768
+
+---
+ examples/apparmor/usr.sbin.libvirtd | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
+index ab6572a..3cd6b58 100644
+--- a/examples/apparmor/usr.sbin.libvirtd
++++ b/examples/apparmor/usr.sbin.libvirtd
+@@ -35,6 +35,7 @@
+ network inet6 stream,
+ network inet6 dgram,
+ network packet dgram,
++ network packet raw,
+
+ # Very lenient profile for libvirtd since we want to first focus on confining
+ # the guests. Guests will have a very restricted profile.
+--
+1.8.4.5
+
diff --git a/apparmor-xen-fixup.patch b/apparmor-xen-fixup.patch
new file mode 100644
index 0000000..ae15615
--- /dev/null
+++ b/apparmor-xen-fixup.patch
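Review bot: `network packet raw` is added without a comment while the only justification given is the libvirt-TCK test-suite, yet the profile is installed for every libvirtd; the rule should be tied to the production feature it serves (presumably nwfilter, which the commit message names alongside the network tests) rather than to the tests. A comment on the new line, e.g. `# raw packet sockets (nwfilter; exercised by libvirt-TCK)`, would keep a later cleanup from dropping it as test-only. The quoted denial (family="packet" sock_type="raw") matches exactly what the rule grants, so the scope of the grant itself looks right.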
@@ -0,0 +1,61 @@
+From b286f2c50bdea753c9c490687db90071dff137ad Mon Sep 17 00:00:00 2001
+Message-Id:
+In-Reply-To:
+References:
+From: Mike Latimer
+Date: Mon, 19 Jan 2015 16:48:59 -0700
+Subject: [PATCH 1/3] Fix apparmor issues for Xen
+
+In order for apparmor to work properly in Xen environments, the following
+access rights need to be allowed:
+
+ - Allow CAP_SYS_PACCT, which is required when resetting some multi-port
+ Broadcom cards by writting to the PCI config space
+
+ - Allow CAP_IPC_LOCK, which is required to lock/unlock memory. Without
+ this setting, an error 'Resource temporarily unavailable' can be seen
+ while attempting to mmap memory. At the same time, the following
+ apparmor message is seen:
+
+ apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd"
+ pid=2097 comm="libvirtd" pid=2097 comm="libvirtd" capability=14
+ capname="ipc_lock"
+
+ - Allow access to distribution specific directories:
+ /usr/{lib,lib64}/xen/bin
+
+---
+ examples/apparmor/usr.sbin.libvirtd | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
+index 7151052..9917836 100644
+--- a/examples/apparmor/usr.sbin.libvirtd
++++ b/examples/apparmor/usr.sbin.libvirtd
+@@ -13,6 +13,7 @@
+ capability sys_admin,
+ capability sys_module,
+ capability sys_ptrace,
++ capability sys_pacct,
+ capability sys_nice,
+ capability sys_chroot,
+ capability setuid,
+@@ -24,6 +25,7 @@
+ capability mknod,
+ capability fsetid,
+ capability audit_write,
++ capability ipc_lock,
+
+ # Needed for vfio
+ capability sys_resource,
+@@ -45,6 +47,7 @@
+ /usr/sbin/* PUx,
+ /lib/udev/scsi_id PUx,
+ /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
++ /usr/{lib,lib64}/xen/bin/* Ux,
+
+ # force the use of virt-aa-helper
+ audit deny /sbin/apparmor_parser rwxl,
+--
+1.8.4.5
+
diff --git a/libvirt.changes b/libvirt.changes
index 24079ed..2d3bf84 100644
--- a/libvirt.changes
+++ b/libvirt.changes
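Review bot: The two new capability lines carry no comment while the neighbouring `capability sys_resource,` is annotated `# Needed for vfio`, so the rationale (PCI config space writes for some Broadcom cards, memory locking) survives only in the commit message and will be lost when the patch is folded into the profile. A one-line comment above each, e.g. `# Needed for Xen: PCI config space writes on card reset` above `capability sys_pacct,` and `# Needed for Xen: mlock/munlock` above `capability ipc_lock,`, would keep the profile self-describing. In the third inner hunk, `/usr/{lib,lib64}/xen/bin/* Ux` covers a whole directory with unconditional unconfined execution while the line above uses `PUx` for `xen-toolstack`; `PUx` would still fall back to unconfined when no profile exists but would honour one that is shipped later, so unless a profile must be bypassed it is the consistent and tighter choice.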
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Jan 20 01:46:52 UTC 2015 - mlatimer@suse.com
+
+- Apparmor profile regression breaks Xen domains. bsc#913799
+ apparmor-xen-fixup.patch
+ apparmor-allow-helpers.patch
+ apparmor-tck-raw-packets.patch
+
 -------------------------------------------------------------------
 Mon Jan 5 09:44:12 UTC 2015 - cbosdonnat@suse.com
 
diff --git a/libvirt.spec b/libvirt.spec
index faaf86c..415f67e 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -436,6 +436,9 @@ Source99: baselibs.conf
 # Upstream patches
 Patch0: 30c6aecc-apparmor-lib64.patch
 # Patches pending upstream review
+Patch100: apparmor-xen-fixup.patch
+Patch101: apparmor-allow-helpers.patch
+Patch102: apparmor-tck-raw-packets.patch
 # Need to go upstream
 Patch150: xen-name-for-devid.patch
 Patch151: xen-pv-cdrom.patch
@@ -966,6 +969,9 @@ Provides a dissector for the libvirt RPC protocol to help debugging it.
 %prep
 %setup -q
 %patch0 -p1
+%patch100 -p1
+%patch101 -p1
+%patch102 -p1
 %patch150 -p1
 %patch151 -p1
 %patch152 -p1