Accepting request 344926 from Virtualization
1 OBS-URL: https://build.opensuse.org/request/show/344926 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=194
@ -1,3 +1,9 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 17 14:40:41 UTC 2015 - cbosdonnat@suse.com
|
||||
|
||||
- Don't add apparmor deny rw rule for 9P readonly mounts.
|
||||
bsc#952849. virt-aa-helper-rw-mounts.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Nov 9 23:20:22 UTC 2015 - cbosdonnat@suse.com
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package libvirt
|
||||
#
|
||||
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -456,6 +456,7 @@ Source99: baselibs.conf
|
||||
Patch0: 703ec1b7-qemu-bridge-helper-fix.patch
|
||||
# Patches pending upstream review
|
||||
Patch100: add-with-login-shell.patch
|
||||
Patch101: virt-aa-helper-rw-mounts.patch
|
||||
# Need to go upstream
|
||||
Patch150: xen-pv-cdrom.patch
|
||||
Patch151: blockcopy-check-dst-identical-device.patch
|
||||
@ -971,6 +972,7 @@ Wireshark dissector plugin for better analysis of libvirt RPC traffic.
|
||||
%setup -q
|
||||
%patch0 -p1
|
||||
%patch100 -p1
|
||||
%patch101 -p1
|
||||
%patch150 -p1
|
||||
%patch151 -p1
|
||||
%patch152 -p1
|
||||
|
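--- a/virt-aa-helper-rw-mounts.patch
+++ b/virt-aa-helper-rw-mounts.patch
@@ -0,0 +1,36 @@
+From 9abe699b0b91fd2c8a2870b36342a37fa97f7e36 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
+Date: Tue, 17 Nov 2015 10:11:30 +0100
+Subject: [PATCH] virt-aa-helper: don't deny writes to readonly mounts
+
+There is no need to deny writes on a readonly mount: write still
+won't be accepted, even if the user remounts the folder as RW in
+the guest as qemu sets the 9p mount as ro.
+
+This deny rule was leading to problems for example with readonly /:
+The qemu process had to write to a bunch of files in / like logs,
+sockets, etc. This deny rule was also preventing auditing of these
+denials, making it harder to debug.
+---
+src/security/virt-aa-helper.c | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
+index 5de56e5..a2d7226 100644
+--- a/src/security/virt-aa-helper.c
++++ b/src/security/virt-aa-helper.c
+@@ -1127,7 +1127,10 @@ get_files(vahControl * ctl)
+ctl->def->fss[i]->src) {
+virDomainFSDefPtr fs = ctl->def->fss[i];
+
+- if (vah_add_path(&buf, fs->src, fs->readonly ? "r" : "rw", true) != 0)
++ /* We don't need to add deny rw rules for readonly mounts,
++ * this can only lead to troubles when mounting / readonly.
++ */
++ if (vah_add_path(&buf, fs->src, "rw", true) != 0)
+goto cleanup;
+}
+}
+--
+2.1.4
+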
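Review bot: The new call `if (vah_add_path(&buf, fs->src, "rw", true) != 0)` requests write permission on the host source path for every 9p filesystem, including those the domain XML marks readonly, so the AppArmor profile no longer encodes that read-only intent and enforcement rests solely on qemu's ro export described in the commit message. The added comment talks about dropping a deny rule, but what the hunk visibly changes is the allow rule's permission string; if the `deny ... w` line is emitted by vah_add_path whenever perms lack `w` (that code is outside the hunk), the narrower fix is to keep `fs->readonly ? "r" : "rw"` and suppress only the deny emission, so a misbehaving qemu stays confined to reads on that path. The comment should then name the rule being dropped and why, e.g. `/* readonly mounts: skip the "deny w" rule, it breaks readonly / and hides denials from audit (bsc#952849) */`. get_files() begins and ends outside the hunk, and the inner context lines appear to have lost their leading whitespace in this rendering.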