Accepting request 682276 from home:jfehlig:branches:Virtualization

- apparmor: fix more fallout from changing libvirtd profile to a named profile 4ec3cf9a-apparmor-rules.patch, 0001-apparmor-Check-libvirtd-profile-status-by-name.patch boo#1125841 OBS-URL: https://build.opensuse.org/request/show/682276 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=735
2019-03-06 20:25:56 +00:00 · 2019-03-06 20:25:56 +00:00 · c50e323c11
commit c50e323c11
parent 7fe9d077c7
6 changed files with 94 additions and 2 deletions
--- a/0001-apparmor-Check-libvirtd-profile-status-by-name.patch
+++ b/0001-apparmor-Check-libvirtd-profile-status-by-name.patch
@ -0,0 +1,46 @@
+From b1a50c10c95747dacd31a23b5c73ec4f938af329 Mon Sep 17 00:00:00 2001
+From: Jim Fehlig <jfehlig@suse.com>
+Date: Fri, 1 Mar 2019 14:34:17 -0700
+Subject: [PATCH 1/2] apparmor: Check libvirtd profile status by name
+
+Commit a3ab6d42 changed the libvirtd profile to a named profile,
+breaking the apparmor driver's ability to detect if the profile is
+active. When the apparmor driver loads it checks the status of the
+libvirtd profile using the full binary path, which fails since the
+profile is now referenced by name. If the apparmor driver is
+explicitly requested in /etc/libvirt/qemu.conf, then libvirtd fails
+to load too.
+
+Instead of only checking the profile status by full binary path,
+also check by profile name. The full path check is retained in case
+users have a customized libvirtd profile with full path.
+
+Signed-off-by: Jim Fehlig <jfehlig@suse.com>
+---
+ src/security/security_apparmor.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+Index: libvirt-5.1.0/src/security/security_apparmor.c
+===================================================================
+--- libvirt-5.1.0.orig/src/security/security_apparmor.c
+++ libvirt-5.1.0/src/security/security_apparmor.c
+@@ -257,10 +257,16 @@ use_apparmor(void)
+     if (access(APPARMOR_PROFILES_PATH, R_OK) != 0)
+         goto cleanup;
+ 
+    /* First check profile status using full binary path. If that fails
+     * check using profile name.
+     */
+     rc = profile_status(libvirt_daemon, 1);
+-    /* Error or unconfined should all result in -1*/
+-    if (rc < 0)
+-        rc = -1;
+    if (rc < 0) {
+        rc = profile_status("libvirtd", 1);
+        /* Error or unconfined should all result in -1*/
+        if (rc < 0)
+            rc = -1;
+    }
+ 
+  cleanup:
+     VIR_FREE(libvirt_daemon);
--- a/4ec3cf9a-apparmor-rules.patch
+++ b/4ec3cf9a-apparmor-rules.patch
@ -0,0 +1,33 @@
+commit 4ec3cf9a0fc3d76058ea363a6c35df19e67e6261
+Author: Jim Fehlig <jfehlig@suse.com>
+Date:   Fri Mar 1 15:05:36 2019 -0700
+
+    apparmor: Add ptrace and signal rules for named profile
+    
+    Commit a3ab6d42 changed the libvirtd profile to a named profile
+    but neglected to accommodate the change in the qemu profile
+    ptrace and signal rules. As a result, libvirtd is unable to
+    signal confined qemu processes and hence unable to shutdown
+    or destroy VMs.
+    
+    Add ptrace and signal rules that reference the libvirtd profile
+    by name in addition to full binary path.
+    
+    Signed-off-by: Jim Fehlig <jfehlig@suse.com>
+    Acked-by: Jamie Strandboge <jamie@canonical.com>
+
+Index: libvirt-5.1.0/src/security/apparmor/libvirt-qemu
+===================================================================
+--- libvirt-5.1.0.orig/src/security/apparmor/libvirt-qemu
+++ libvirt-5.1.0/src/security/apparmor/libvirt-qemu
+@@ -16,8 +16,10 @@
+   network inet stream,
+   network inet6 stream,
+ 
+  ptrace (readby, tracedby) peer=libvirtd,
+   ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
+ 
+  signal (receive) peer=libvirtd,
+   signal (receive) peer=/usr/sbin/libvirtd,
+ 
+   /dev/net/tun rw,
--- a/libvirt.changes
+++ b/libvirt.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Mar  6 17:11:49 UTC 2019 - James Fehlig <jfehlig@suse.com>
+
+- apparmor: fix more fallout from changing libvirtd profile to a
+  named profile
+  4ec3cf9a-apparmor-rules.patch,
+  0001-apparmor-Check-libvirtd-profile-status-by-name.patch
+  boo#1125841
+
 -------------------------------------------------------------------
 Mon Mar  4 18:52:57 UTC 2019 - James Fehlig <jfehlig@suse.com>

--- a/libvirt.spec
+++ b/libvirt.spec
@ -333,9 +333,11 @@ Source6:        libvirtd-relocation-server.xml
 Source99:       baselibs.conf
 Source100:      %{name}-rpmlintrc
 # Upstream patches
+Patch0:         4ec3cf9a-apparmor-rules.patch
 # Patches pending upstream review
 Patch100:       libxl-dom-reset.patch
 Patch101:       network-don-t-use-dhcp-authoritative-on-static-netwo.patch
+Patch102:       0001-apparmor-Check-libvirtd-profile-status-by-name.patch
 # Need to go upstream
 Patch150:       xen-pv-cdrom.patch
 Patch151:       blockcopy-check-dst-identical-device.patch
@ -866,8 +868,10 @@ libvirt plugin for NSS for translating domain names into IP addresses.

 %prep
 %setup -q
+%patch0 -p1
 %patch100 -p1
 %patch101 -p1
+%patch102 -p1
 %patch150 -p1
 %patch151 -p1
 %patch152 -p1
--- a/qemu-apparmor-screenshot.patch
+++ b/qemu-apparmor-screenshot.patch
@ -2,7 +2,7 @@ Index: libvirt-5.1.0/src/security/apparmor/libvirt-qemu
 ===================================================================
 --- libvirt-5.1.0.orig/src/security/apparmor/libvirt-qemu
 +++ libvirt-5.1.0/src/security/apparmor/libvirt-qemu
-@@ -220,3 +220,6 @@
+@@ -222,3 +222,6 @@
   # required for sasl GSSAPI plugin
   /etc/gss/mech.d/ r,
   /etc/gss/mech.d/* r,
--- a/suse-apparmor-libnl-paths.patch
+++ b/suse-apparmor-libnl-paths.patch
@ -12,7 +12,7 @@ Index: libvirt-5.1.0/src/security/apparmor/libvirt-qemu
 ===================================================================
 --- libvirt-5.1.0.orig/src/security/apparmor/libvirt-qemu
 +++ libvirt-5.1.0/src/security/apparmor/libvirt-qemu
-@@ -61,6 +61,7 @@
+@@ -63,6 +63,7 @@
   #/dev/fb* rw,
 
   /etc/pulse/client.conf r,