diff --git a/0001-apparmor-Check-libvirtd-profile-status-by-name.patch b/0001-apparmor-Check-libvirtd-profile-status-by-name.patch
new file mode 100644
index 0000000..b2192d1
--- /dev/null
+++ b/0001-apparmor-Check-libvirtd-profile-status-by-name.patch
@@ -0,0 +1,46 @@
+From b1a50c10c95747dacd31a23b5c73ec4f938af329 Mon Sep 17 00:00:00 2001
+From: Jim Fehlig
+Date: Fri, 1 Mar 2019 14:34:17 -0700
+Subject: [PATCH 1/2] apparmor: Check libvirtd profile status by name
+
+Commit a3ab6d42 changed the libvirtd profile to a named profile,
+breaking the apparmor driver's ability to detect if the profile is
+active. When the apparmor driver loads it checks the status of the
+libvirtd profile using the full binary path, which fails since the
+profile is now referenced by name. If the apparmor driver is
+explicitly requested in /etc/libvirt/qemu.conf, then libvirtd fails
+to load too.
+
+Instead of only checking the profile status by full binary path,
+also check by profile name. The full path check is retained in case
+users have a customized libvirtd profile with full path.
+
+Signed-off-by: Jim Fehlig
+---
+ src/security/security_apparmor.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+Index: libvirt-5.1.0/src/security/security_apparmor.c
+===================================================================
+--- libvirt-5.1.0.orig/src/security/security_apparmor.c
++++ libvirt-5.1.0/src/security/security_apparmor.c
+@@ -257,10 +257,16 @@ use_apparmor(void)
+ if (access(APPARMOR_PROFILES_PATH, R_OK) != 0)
+ goto cleanup;
+
++ /* First check profile status using full binary path. If that fails
++ * check using profile name.
++ */
+ rc = profile_status(libvirt_daemon, 1);
+- /* Error or unconfined should all result in -1*/
+- if (rc < 0)
+- rc = -1;
++ if (rc < 0) {
++ rc = profile_status("libvirtd", 1);
++ /* Error or unconfined should all result in -1*/
++ if (rc < 0)
++ rc = -1;
++ }
+
+ cleanup:
+ VIR_FREE(libvirt_daemon);
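Review bot: The name fallback `rc = profile_status("libvirtd", 1);` hardcodes the profile name while the first check takes its argument from `libvirt_daemon`, so the two lookups can drift apart silently if the named profile is ever renamed again the way commit a3ab6d42 renamed it; a comment tying the literal to its source would help, e.g. `/* "libvirtd" must match the named profile introduced by commit a3ab6d42 */`. Note also that a match by name presumably only shows that a profile called libvirtd is loaded, not that this daemon process is confined by it, so the result stays a load-time sanity check rather than proof of confinement — worth stating in the comment block above the calls. use_apparmor() begins and ends outside the hunk.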
diff --git a/4ec3cf9a-apparmor-rules.patch b/4ec3cf9a-apparmor-rules.patch
new file mode 100644
index 0000000..4454ca1
--- /dev/null
+++ b/4ec3cf9a-apparmor-rules.patch
@@ -0,0 +1,33 @@
+commit 4ec3cf9a0fc3d76058ea363a6c35df19e67e6261
+Author: Jim Fehlig
+Date: Fri Mar 1 15:05:36 2019 -0700
+
+ apparmor: Add ptrace and signal rules for named profile
+
+ Commit a3ab6d42 changed the libvirtd profile to a named profile
+ but neglected to accommodate the change in the qemu profile
+ ptrace and signal rules. As a result, libvirtd is unable to
+ signal confined qemu processes and hence unable to shutdown
+ or destroy VMs.
+
+ Add ptrace and signal rules that reference the libvirtd profile
+ by name in addition to full binary path.
+
+ Signed-off-by: Jim Fehlig
+ Acked-by: Jamie Strandboge
+
+Index: libvirt-5.1.0/src/security/apparmor/libvirt-qemu
+===================================================================
+--- libvirt-5.1.0.orig/src/security/apparmor/libvirt-qemu
++++ libvirt-5.1.0/src/security/apparmor/libvirt-qemu
+@@ -16,8 +16,10 @@
+ network inet stream,
+ network inet6 stream,
+
++ ptrace (readby, tracedby) peer=libvirtd,
+ ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
+
++ signal (receive) peer=libvirtd,
+ signal (receive) peer=/usr/sbin/libvirtd,
+
+ /dev/net/tun rw,
diff --git a/libvirt.changes b/libvirt.changes
index d11d90a..56c8266 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Mar 6 17:11:49 UTC 2019 - James Fehlig
+
+- apparmor: fix more fallout from changing libvirtd profile to a
+ named profile
+ 4ec3cf9a-apparmor-rules.patch,
+ 0001-apparmor-Check-libvirtd-profile-status-by-name.patch
+ boo#1125841
+
 -------------------------------------------------------------------
 Mon Mar 4 18:52:57 UTC 2019 - James Fehlig
diff --git a/libvirt.spec b/libvirt.spec
index 7c30c1c..fcab97a 100644
--- a/libvirt.spec
+++ b/libvirt.spec
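Review bot: The new `ptrace (readby, tracedby) peer=libvirtd,` and `signal (receive) peer=libvirtd,` rules match the peer by profile name rather than by executable path, and they sit directly beside the path-based rules with nothing explaining why both forms are kept, so a later cleanup could drop one as a duplicate. A one-line comment above each pair would prevent that, e.g. `# libvirtd is a named profile since a3ab6d42; the /usr/sbin/libvirtd form is kept for customized profiles`. Because both forms remain, the set of peers allowed to trace or signal a confined qemu process is the union of the two, which mirrors the name-then-path fallback the companion 0001 patch adds to use_apparmor().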
@@ -333,9 +333,11 @@ Source6: libvirtd-relocation-server.xml
 Source99: baselibs.conf
 Source100: %{name}-rpmlintrc
 # Upstream patches
+Patch0: 4ec3cf9a-apparmor-rules.patch
 # Patches pending upstream review
 Patch100: libxl-dom-reset.patch
 Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
+Patch102: 0001-apparmor-Check-libvirtd-profile-status-by-name.patch
 # Need to go upstream
 Patch150: xen-pv-cdrom.patch
 Patch151: blockcopy-check-dst-identical-device.patch
@@ -866,8 +868,10 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %prep
 %setup -q
+%patch0 -p1
 %patch100 -p1
 %patch101 -p1
+%patch102 -p1
 %patch150 -p1
 %patch151 -p1
 %patch152 -p1
diff --git a/qemu-apparmor-screenshot.patch b/qemu-apparmor-screenshot.patch
index 8424ee9..8309781 100644
--- a/qemu-apparmor-screenshot.patch
+++ b/qemu-apparmor-screenshot.patch
@@ -2,7 +2,7 @@ Index: libvirt-5.1.0/src/security/apparmor/libvirt-qemu
 ===================================================================
 --- libvirt-5.1.0.orig/src/security/apparmor/libvirt-qemu
 +++ libvirt-5.1.0/src/security/apparmor/libvirt-qemu
-@@ -220,3 +220,6 @@
+@@ -222,3 +222,6 @@
 # required for sasl GSSAPI plugin
 /etc/gss/mech.d/ r,
 /etc/gss/mech.d/* r,
diff --git a/suse-apparmor-libnl-paths.patch b/suse-apparmor-libnl-paths.patch
index 57bb08c..983a8e5 100644
--- a/suse-apparmor-libnl-paths.patch
+++ b/suse-apparmor-libnl-paths.patch
@@ -12,7 +12,7 @@ Index: libvirt-5.1.0/src/security/apparmor/libvirt-qemu
 ===================================================================
 --- libvirt-5.1.0.orig/src/security/apparmor/libvirt-qemu
 +++ libvirt-5.1.0/src/security/apparmor/libvirt-qemu
-@@ -61,6 +61,7 @@
+@@ -63,6 +63,7 @@
 #/dev/fb* rw,
 /etc/pulse/client.conf r,