From dd4dfc896b74997337f0ca586c71de8bdc303d21f3acb7fa977c5a310a936fcf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= Date: Mon, 17 Nov 2014 17:17:05 +0000 Subject: [PATCH] Accepting request 262066 from home:cbosdonnat:branches:Virtualization - Fix Qemu AppArmor abstraction. - qemu-block.so was denied on x86_64. install-apparmor-profiles.patch - Temporary fix access to screenshot temporary file. bsc#904426. qemu-apparmor-screenshot.patch OBS-URL: https://build.opensuse.org/request/show/262066 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=420 --- install-apparmor-profiles.patch | 311 +++++++++++++++++++++++++++++++- libvirt.changes | 8 + libvirt.spec | 2 + qemu-apparmor-screenshot.patch | 14 ++ 4 files changed, 333 insertions(+), 2 deletions(-) create mode 100644 qemu-apparmor-screenshot.patch diff --git a/install-apparmor-profiles.patch b/install-apparmor-profiles.patch index a06f9ec..67c883e 100644 --- a/install-apparmor-profiles.patch +++ b/install-apparmor-profiles.patch @@ -2,9 +2,12 @@ Index: libvirt-1.2.10/examples/apparmor/Makefile.am =================================================================== --- libvirt-1.2.10.orig/examples/apparmor/Makefile.am +++ libvirt-1.2.10/examples/apparmor/Makefile.am -@@ -19,10 +19,22 @@ EXTRA_DIST= \ +@@ -17,12 +17,30 @@ + EXTRA_DIST= \ + TEMPLATE.qemu \ TEMPLATE.lxc \ - libvirt-qemu \ +- libvirt-qemu \ ++ libvirt-qemu.in \ libvirt-lxc \ - usr.lib.libvirt.virt-aa-helper \ - usr.sbin.libvirtd @@ -23,6 +26,12 @@ Index: libvirt-1.2.10/examples/apparmor/Makefile.am + -e 's![@]libdir[@]!$(libdir)!g' \ + < $< > $@-t + mv $@-t $@ ++ ++libvirt-qemu: libvirt-qemu.in ++ sed \ ++ -e 's![@]libdir[@]!$(libdir)!g' \ ++ < $< > $@-t ++ mv $@-t $@ + apparmordir = $(sysconfdir)/apparmor.d/ apparmor_DATA = \ 
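Review bot: The new `libvirt-qemu: libvirt-qemu.in` rule repeats the sed recipe of the rule directly above it line for line; if GNU make pattern rules are acceptable in this Makefile.am, one rule `%: %.in` with the same three recipe lines would serve both targets and keep the `@libdir@` substitution in a single place. The generated `libvirt-qemu` also needs a `CLEANFILES` entry (and a git ignore) unless the patch adds one outside this hunk, since the `apparmor_DATA` list that installs it starts on the hunk's last line and continues beyond it. Substituting `$(libdir)` fixes the x86_64 denial only on the assumption that qemu installs its block modules under `$(libdir)/qemu`; a one-line comment above the rule stating that assumption, e.g. `# libdir is substituted so the qemu module path is correct where libdir is not /usr/lib`, would save the next packager from re-deriving it.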
@@ -274,3 +283,301 @@ Index: libvirt-1.2.10/examples/apparmor/usr.sbin.libvirtd - change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, - -} +Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu +=================================================================== +--- libvirt-1.2.10.orig/examples/apparmor/libvirt-qemu ++++ /dev/null +@@ -1,144 +0,0 @@ +-# Last Modified: Wed Sep 3 21:52:03 2014 +- +- #include +- #include +- #include +- +- # required for reading disk images +- capability dac_override, +- capability dac_read_search, +- capability chown, +- +- # needed to drop privileges +- capability setgid, +- capability setuid, +- +- network inet stream, +- network inet6 stream, +- +- /dev/net/tun rw, +- /dev/kvm rw, +- /dev/ptmx rw, +- /dev/kqemu rw, +- @{PROC}/*/status r, +- @{PROC}/sys/kernel/cap_last_cap r, +- +- # For hostdev access. The actual devices will be added dynamically +- /sys/bus/usb/devices/ r, +- /sys/devices/**/usb[0-9]*/** r, +- +- # WARNING: this gives the guest direct access to host hardware and specific +- # portions of shared memory. This is required for sound using ALSA with kvm, +- # but may constitute a security risk. If your environment does not require +- # the use of sound in your VMs, feel free to comment out or prepend 'deny' to +- # the rules for files in /dev. +- /{dev,run}/shm r, +- /{dev,run}/shmpulse-shm* r, +- /{dev,run}/shmpulse-shm* rwk, +- /dev/snd/* rw, +- capability ipc_lock, +- # spice +- owner /{dev,run}/shm/spice.* rw, +- # 'kill' is not required for sound and is a security risk. Do not enable +- # unless you absolutely need it. 
+- deny capability kill, +- +- # Uncomment the following if you need access to /dev/fb* +- #/dev/fb* rw, +- +- /etc/pulse/client.conf r, +- @{HOME}/.pulse-cookie rwk, +- owner /root/.pulse-cookie rwk, +- owner /root/.pulse/ rw, +- owner /root/.pulse/* rw, +- /usr/share/alsa/** r, +- owner /tmp/pulse-*/ rw, +- owner /tmp/pulse-*/* rw, +- /var/lib/dbus/machine-id r, +- +- # access to firmware's etc +- /usr/share/kvm/** r, +- /usr/share/qemu/** r, +- /usr/share/bochs/** r, +- /usr/share/openbios/** r, +- /usr/share/openhackware/** r, +- /usr/share/proll/** r, +- /usr/share/vgabios/** r, +- /usr/share/seabios/** r, +- /usr/share/ovmf/** r, +- +- # access PKI infrastructure +- /etc/pki/libvirt-vnc/** r, +- +- # the various binaries +- /usr/bin/kvm rmix, +- /usr/bin/qemu rmix, +- /usr/bin/qemu-system-arm rmix, +- /usr/bin/qemu-system-cris rmix, +- /usr/bin/qemu-system-i386 rmix, +- /usr/bin/qemu-system-m68k rmix, +- /usr/bin/qemu-system-microblaze rmix, +- /usr/bin/qemu-system-microblazeel rmix, +- /usr/bin/qemu-system-mips rmix, +- /usr/bin/qemu-system-mips64 rmix, +- /usr/bin/qemu-system-mips64el rmix, +- /usr/bin/qemu-system-mipsel rmix, +- /usr/bin/qemu-system-ppc rmix, +- /usr/bin/qemu-system-ppc64 rmix, +- /usr/bin/qemu-system-ppcemb rmix, +- /usr/bin/qemu-system-sh4 rmix, +- /usr/bin/qemu-system-sh4eb rmix, +- /usr/bin/qemu-system-sparc rmix, +- /usr/bin/qemu-system-sparc64 rmix, +- /usr/bin/qemu-system-x86_64 rmix, +- /usr/bin/qemu-alpha rmix, +- /usr/bin/qemu-arm rmix, +- /usr/bin/qemu-armeb rmix, +- /usr/bin/qemu-cris rmix, +- /usr/bin/qemu-i386 rmix, +- /usr/bin/qemu-m68k rmix, +- /usr/bin/qemu-microblaze rmix, +- /usr/bin/qemu-microblazeel rmix, +- /usr/bin/qemu-mips rmix, +- /usr/bin/qemu-mipsel rmix, +- /usr/bin/qemu-ppc rmix, +- /usr/bin/qemu-ppc64 rmix, +- /usr/bin/qemu-ppc64abi32 rmix, +- /usr/bin/qemu-sh4 rmix, +- /usr/bin/qemu-sh4eb rmix, +- /usr/bin/qemu-sparc rmix, +- /usr/bin/qemu-sparc64 rmix, +- /usr/bin/qemu-sparc32plus rmix, +- 
/usr/bin/qemu-sparc64 rmix, +- /usr/bin/qemu-x86_64 rmix, +- /usr/lib/qemu/block-curl.so mr, +- +- # for save and resume +- /bin/dash rmix, +- /bin/dd rmix, +- /bin/cat rmix, +- +- # for usb access +- /dev/bus/usb/ r, +- /etc/udev/udev.conf r, +- /sys/bus/ r, +- /sys/class/ r, +- +- /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, +- # child profile for bridge helper process +- profile qemu_bridge_helper { +- #include +- +- capability setuid, +- capability setgid, +- capability setpcap, +- capability net_admin, +- +- network inet stream, +- +- /dev/net/tun rw, +- /etc/qemu/** r, +- owner @{PROC}/*/status r, +- +- /usr/{lib,libexec}/qemu-bridge-helper rmix, +- } +Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu.in +=================================================================== +--- /dev/null ++++ libvirt-1.2.10/examples/apparmor/libvirt-qemu.in +@@ -0,0 +1,144 @@ ++# Last Modified: Wed Sep 3 21:52:03 2014 ++ ++ #include ++ #include ++ #include ++ ++ # required for reading disk images ++ capability dac_override, ++ capability dac_read_search, ++ capability chown, ++ ++ # needed to drop privileges ++ capability setgid, ++ capability setuid, ++ ++ network inet stream, ++ network inet6 stream, ++ ++ /dev/net/tun rw, ++ /dev/kvm rw, ++ /dev/ptmx rw, ++ /dev/kqemu rw, ++ @{PROC}/*/status r, ++ @{PROC}/sys/kernel/cap_last_cap r, ++ ++ # For hostdev access. The actual devices will be added dynamically ++ /sys/bus/usb/devices/ r, ++ /sys/devices/**/usb[0-9]*/** r, ++ ++ # WARNING: this gives the guest direct access to host hardware and specific ++ # portions of shared memory. This is required for sound using ALSA with kvm, ++ # but may constitute a security risk. If your environment does not require ++ # the use of sound in your VMs, feel free to comment out or prepend 'deny' to ++ # the rules for files in /dev. 
++ /{dev,run}/shm r, ++ /{dev,run}/shmpulse-shm* r, ++ /{dev,run}/shmpulse-shm* rwk, ++ /dev/snd/* rw, ++ capability ipc_lock, ++ # spice ++ owner /{dev,run}/shm/spice.* rw, ++ # 'kill' is not required for sound and is a security risk. Do not enable ++ # unless you absolutely need it. ++ deny capability kill, ++ ++ # Uncomment the following if you need access to /dev/fb* ++ #/dev/fb* rw, ++ ++ /etc/pulse/client.conf r, ++ @{HOME}/.pulse-cookie rwk, ++ owner /root/.pulse-cookie rwk, ++ owner /root/.pulse/ rw, ++ owner /root/.pulse/* rw, ++ /usr/share/alsa/** r, ++ owner /tmp/pulse-*/ rw, ++ owner /tmp/pulse-*/* rw, ++ /var/lib/dbus/machine-id r, ++ ++ # access to firmware's etc ++ /usr/share/kvm/** r, ++ /usr/share/qemu/** r, ++ /usr/share/bochs/** r, ++ /usr/share/openbios/** r, ++ /usr/share/openhackware/** r, ++ /usr/share/proll/** r, ++ /usr/share/vgabios/** r, ++ /usr/share/seabios/** r, ++ /usr/share/ovmf/** r, ++ ++ # access PKI infrastructure ++ /etc/pki/libvirt-vnc/** r, ++ ++ # the various binaries ++ /usr/bin/kvm rmix, ++ /usr/bin/qemu rmix, ++ /usr/bin/qemu-system-arm rmix, ++ /usr/bin/qemu-system-cris rmix, ++ /usr/bin/qemu-system-i386 rmix, ++ /usr/bin/qemu-system-m68k rmix, ++ /usr/bin/qemu-system-microblaze rmix, ++ /usr/bin/qemu-system-microblazeel rmix, ++ /usr/bin/qemu-system-mips rmix, ++ /usr/bin/qemu-system-mips64 rmix, ++ /usr/bin/qemu-system-mips64el rmix, ++ /usr/bin/qemu-system-mipsel rmix, ++ /usr/bin/qemu-system-ppc rmix, ++ /usr/bin/qemu-system-ppc64 rmix, ++ /usr/bin/qemu-system-ppcemb rmix, ++ /usr/bin/qemu-system-sh4 rmix, ++ /usr/bin/qemu-system-sh4eb rmix, ++ /usr/bin/qemu-system-sparc rmix, ++ /usr/bin/qemu-system-sparc64 rmix, ++ /usr/bin/qemu-system-x86_64 rmix, ++ /usr/bin/qemu-alpha rmix, ++ /usr/bin/qemu-arm rmix, ++ /usr/bin/qemu-armeb rmix, ++ /usr/bin/qemu-cris rmix, ++ /usr/bin/qemu-i386 rmix, ++ /usr/bin/qemu-m68k rmix, ++ /usr/bin/qemu-microblaze rmix, ++ /usr/bin/qemu-microblazeel rmix, ++ /usr/bin/qemu-mips rmix, ++ 
/usr/bin/qemu-mipsel rmix, ++ /usr/bin/qemu-ppc rmix, ++ /usr/bin/qemu-ppc64 rmix, ++ /usr/bin/qemu-ppc64abi32 rmix, ++ /usr/bin/qemu-sh4 rmix, ++ /usr/bin/qemu-sh4eb rmix, ++ /usr/bin/qemu-sparc rmix, ++ /usr/bin/qemu-sparc64 rmix, ++ /usr/bin/qemu-sparc32plus rmix, ++ /usr/bin/qemu-sparc64 rmix, ++ /usr/bin/qemu-x86_64 rmix, ++ @libdir@/qemu/block-curl.so mr, ++ ++ # for save and resume ++ /bin/dash rmix, ++ /bin/dd rmix, ++ /bin/cat rmix, ++ ++ # for usb access ++ /dev/bus/usb/ r, ++ /etc/udev/udev.conf r, ++ /sys/bus/ r, ++ /sys/class/ r, ++ ++ /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, ++ # child profile for bridge helper process ++ profile qemu_bridge_helper { ++ #include ++ ++ capability setuid, ++ capability setgid, ++ capability setpcap, ++ capability net_admin, ++ ++ network inet stream, ++ ++ /dev/net/tun rw, ++ /etc/qemu/** r, ++ owner @{PROC}/*/status r, ++ ++ /usr/{lib,libexec}/qemu-bridge-helper rmix, ++ } diff --git a/libvirt.changes b/libvirt.changes index a7d3751..b49bf13 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -5,6 +5,14 @@ Mon Nov 10 22:01:31 MST 2014 - jfehlig@suse.com b1674ad5-CVE-2014-7823.patch bsc#904176 +------------------------------------------------------------------- +Thu Nov 6 16:00:24 UTC 2014 - cbosdonnat@suse.com + +- Fix Qemu AppArmor abstraction. + - qemu-block.so was denied on x86_64. install-apparmor-profiles.patch + - Temporary fix access to screenshot temporary file. bsc#904426. + qemu-apparmor-screenshot.patch + ------------------------------------------------------------------- Mon Nov 3 11:08:49 MST 2014 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index 99c83ab..b4bbe04 100644 --- a/libvirt.spec +++ b/libvirt.spec 
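Review bot: The only line the move to `libvirt-qemu.in` parameterises is `@libdir@/qemu/block-curl.so mr,`, while the commit message describes the denied module as `qemu-block.so`; if the audit log named a module other than block-curl.so, this rule leaves that denial in place, so the installed module name should be checked against the log before the fix is considered complete. Within the moved profile `/usr/bin/qemu-sparc64 rmix,` appears twice (once after `qemu-sparc` and again after `qemu-sparc32plus`); the duplicate is carried over from the old file and could be dropped now that the file is being rewritten anyway. The `# Last Modified:` header is copied verbatim although the content changed, and a stale timestamp on a template is misleading; either refresh it or remove it. A comment next to the substituted rule, e.g. `# @libdir@ is replaced at build time so the module is found where libdir is not /usr/lib`, would explain why this single line is the reason the whole file became a template.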
@@ -457,6 +457,7 @@ Patch208: disable-virCgroupGetPercpuStats-test.patch
 %if %{with_apparmor}
 Patch250: install-apparmor-profiles.patch
 Patch251: apparmor-no-mount.patch
+Patch252: qemu-apparmor-screenshot.patch
 %endif
 %if %{with_netcontrol}
 Patch300: libvirt-suse-netcontrol.patch
@@ -985,6 +986,7 @@ Provides a dissector for the libvirt RPC protocol to help debugging it.
 %if %{with_apparmor}
 %patch250 -p1
 %patch251 -p1
+%patch252 -p1
 %endif
 %if %{with_netcontrol}
 %patch300 -p1
diff --git a/qemu-apparmor-screenshot.patch b/qemu-apparmor-screenshot.patch
new file mode 100644
index 0000000..d3d9c80
--- /dev/null
+++ b/qemu-apparmor-screenshot.patch
@@ -0,0 +1,14 @@
+Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
+===================================================================
+--- libvirt-1.2.10.orig/examples/apparmor/libvirt-qemu.in
++++ libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
+@@ -124,6 +124,9 @@
+ /sys/bus/ r,
+ /sys/class/ r,
++
++ # Temporary screendump rule -- See bsc#904426
++ /var/cache/libvirt/qemu/qemu.screendump.* rw,
++
+ /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+ # child profile for bridge helper process
+ profile qemu_bridge_helper {
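Review bot: The added `/var/cache/libvirt/qemu/qemu.screendump.* rw,` lives in the shared `libvirt-qemu` abstraction, so every qemu process confined through it can read and write the screendump files of every other guest in that directory; the per-domain profile that `change_profile` switches into is presumably where guest-specific paths are granted, so the durable fix is a per-domain rule emitted by virt-aa-helper rather than a blanket rule here. The comment should record that intent and the exposure it accepts in the meantime, e.g. `# Temporary screendump rule -- See bsc#904426; grants access to all guests' screendumps, to be replaced by a per-domain rule from virt-aa-helper`. An `owner` prefix would likely not separate guests if they run under a common qemu uid, which is why the comment rather than the rule has to carry the caveat. This hunk patches `libvirt-qemu.in`, which only exists after `install-apparmor-profiles.patch` has been applied; the `%patch250` before `%patch252` order in the spec is the only thing enforcing that, and a short comment next to `Patch252:` naming the dependency would keep a later reordering from breaking the build.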