Accepting request 282003 from home:mlatimer:branches:Virtualization

- Apparmor profile regression breaks Xen domains. bsc#913799
  apparmor-xen-fixup.patch
  apparmor-allow-helpers.patch
  apparmor-tck-raw-packets.patch

OBS-URL: https://build.opensuse.org/request/show/282003
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=434

apparmor-allow-helpers.patch

@@ -0,0 +1,34 @@
+From b2bf7c00b79de032bd7eeb6ba9c970895223a53f Mon Sep 17 00:00:00 2001
+Message-Id: <b2bf7c00b79de032bd7eeb6ba9c970895223a53f.1421716686.git.mlatimer@suse.com>
+In-Reply-To: <cover.1421716686.git.mlatimer@suse.com>
+References: <cover.1421716686.git.mlatimer@suse.com>
+From: Mike Latimer <mlatimer@suse.com>
+Date: Mon, 19 Jan 2015 17:12:33 -0700
+Subject: [PATCH 2/3] Grant access to helpers
+
+Apparmor must not prevent access to required helper programs. The following
+helpers should be allowed to run in unconfined execution mode:
+
+ - libvirt_parthelper
+ - libvirt_iohelper
+
+---
+ examples/apparmor/usr.sbin.libvirtd | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
+index 9917836..ab6572a 100644
+--- a/examples/apparmor/usr.sbin.libvirtd
++++ b/examples/apparmor/usr.sbin.libvirtd
+@@ -57,6 +57,8 @@
+   audit deny /sys/kernel/security/apparmor/.* rwxl,
+   /sys/kernel/security/apparmor/profiles r,
+   /usr/{lib,lib64}/libvirt/* PUxr,
++  /usr/{lib,lib64}/libvirt/libvirt_parthelper Ux,
++  /usr/{lib,lib64}/libvirt/libvirt_iohelper Ux,
+   /etc/libvirt/hooks/** rmix,
+   /etc/xen/scripts/** rmix,
+ 
+-- 
+1.8.4.5
+

apparmor-tck-raw-packets.patch

@@ -0,0 +1,34 @@
+From 3a94e34f2a411a2e371c8ead1fe54f7bdeaf0422 Mon Sep 17 00:00:00 2001
+Message-Id: <3a94e34f2a411a2e371c8ead1fe54f7bdeaf0422.1421716686.git.mlatimer@suse.com>
+In-Reply-To: <cover.1421716686.git.mlatimer@suse.com>
+References: <cover.1421716686.git.mlatimer@suse.com>
+From: Mike Latimer <mlatimer@suse.com>
+Date: Mon, 19 Jan 2015 18:18:02 -0700
+Subject: [PATCH 3/3] Fix apparmor issues for tck
+
+The network and nwfilter tests contained in the libvirt-TCK testkit can fail
+unless access to raw network packets is granted. Without this access, the
+following apparmor error can be seen while running the tests:
+
+  apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/libvirtd"
+  pid=94731 comm="libvirtd" family="packet" sock_type="raw" protocol=768
+
+---
+ examples/apparmor/usr.sbin.libvirtd | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
+index ab6572a..3cd6b58 100644
+--- a/examples/apparmor/usr.sbin.libvirtd
++++ b/examples/apparmor/usr.sbin.libvirtd
+@@ -35,6 +35,7 @@
+   network inet6 stream,
+   network inet6 dgram,
+   network packet dgram,
++  network packet raw,
+ 
+   # Very lenient profile for libvirtd since we want to first focus on confining
+   # the guests. Guests will have a very restricted profile.
+-- 
+1.8.4.5
+

apparmor-xen-fixup.patch

@@ -0,0 +1,61 @@
+From b286f2c50bdea753c9c490687db90071dff137ad Mon Sep 17 00:00:00 2001
+Message-Id: <b286f2c50bdea753c9c490687db90071dff137ad.1421716686.git.mlatimer@suse.com>
+In-Reply-To: <cover.1421716686.git.mlatimer@suse.com>
+References: <cover.1421716686.git.mlatimer@suse.com>
+From: Mike Latimer <mlatimer@suse.com>
+Date: Mon, 19 Jan 2015 16:48:59 -0700
+Subject: [PATCH 1/3] Fix apparmor issues for Xen
+
+In order for apparmor to work properly in Xen environments, the following
+access rights need to be allowed:
+
+ - Allow CAP_SYS_PACCT, which is required when resetting some multi-port
+   Broadcom cards by writting to the PCI config space
+
+ - Allow CAP_IPC_LOCK, which is required to lock/unlock memory. Without
+   this setting, an error 'Resource temporarily unavailable' can be seen
+   while attempting to mmap memory. At the same time, the following
+   apparmor message is seen:
+
+   apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd"
+   pid=2097 comm="libvirtd" pid=2097 comm="libvirtd" capability=14
+   capname="ipc_lock"
+
+ - Allow access to distribution specific directories:
+     /usr/{lib,lib64}/xen/bin
+
+---
+ examples/apparmor/usr.sbin.libvirtd | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
+index 7151052..9917836 100644
+--- a/examples/apparmor/usr.sbin.libvirtd
++++ b/examples/apparmor/usr.sbin.libvirtd
+@@ -13,6 +13,7 @@
+   capability sys_admin,
+   capability sys_module,
+   capability sys_ptrace,
++  capability sys_pacct,
+   capability sys_nice,
+   capability sys_chroot,
+   capability setuid,
+@@ -24,6 +25,7 @@
+   capability mknod,
+   capability fsetid,
+   capability audit_write,
++  capability ipc_lock,
+ 
+   # Needed for vfio
+   capability sys_resource,
+@@ -45,6 +47,7 @@
+   /usr/sbin/* PUx,
+   /lib/udev/scsi_id PUx,
+   /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
++  /usr/{lib,lib64}/xen/bin/* Ux,
+ 
+   # force the use of virt-aa-helper
+   audit deny /sbin/apparmor_parser rwxl,
+-- 
+1.8.4.5
+

libvirt.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Jan 20 01:46:52 UTC 2015 - mlatimer@suse.com
+
+- Apparmor profile regression breaks Xen domains. bsc#913799
+  apparmor-xen-fixup.patch
+  apparmor-allow-helpers.patch
+  apparmor-tck-raw-packets.patch
+
 -------------------------------------------------------------------
 Mon Jan  5 09:44:12 UTC 2015 - cbosdonnat@suse.com
 

libvirt.spec

@@ -436,6 +436,9 @@ Source99:       baselibs.conf
 # Upstream patches
 Patch0:         30c6aecc-apparmor-lib64.patch
 # Patches pending upstream review
+Patch100:       apparmor-xen-fixup.patch
+Patch101:       apparmor-allow-helpers.patch
+Patch102:       apparmor-tck-raw-packets.patch
 # Need to go upstream
 Patch150:       xen-name-for-devid.patch
 Patch151:       xen-pv-cdrom.patch
@@ -966,6 +969,9 @@ Provides a dissector for the libvirt RPC protocol to help debugging it.
 %prep
 %setup -q
 %patch0 -p1
+%patch100 -p1
+%patch101 -p1
+%patch102 -p1
 %patch150 -p1
 %patch151 -p1
 %patch152 -p1