Accepting request 262066 from home:cbosdonnat:branches:Virtualization

- Fix Qemu AppArmor abstraction. - qemu-block.so was denied on x86_64. install-apparmor-profiles.patch - Temporary fix access to screenshot temporary file. bsc#904426. qemu-apparmor-screenshot.patch OBS-URL: https://build.opensuse.org/request/show/262066 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=420
2014-11-17 17:17:05 +00:00 · 2014-11-17 17:17:05 +00:00 · dd4dfc896b
commit dd4dfc896b
parent d97b2f8ea8
4 changed files with 333 additions and 2 deletions
--- a/install-apparmor-profiles.patch
+++ b/install-apparmor-profiles.patch
@ -2,9 +2,12 @@ Index: libvirt-1.2.10/examples/apparmor/Makefile.am
 ===================================================================
 --- libvirt-1.2.10.orig/examples/apparmor/Makefile.am
 +++ libvirt-1.2.10/examples/apparmor/Makefile.am
-@@ -19,10 +19,22 @@ EXTRA_DIST=				\
+@@ -17,12 +17,30 @@
 EXTRA_DIST=				\
 	TEMPLATE.qemu			\
 	TEMPLATE.lxc			\
- 	libvirt-qemu			\
+-	libvirt-qemu			\
 +	libvirt-qemu.in			\
 	libvirt-lxc 			\
 -	usr.lib.libvirt.virt-aa-helper	\
 -	usr.sbin.libvirtd
@ -23,6 +26,12 @@ Index: libvirt-1.2.10/examples/apparmor/Makefile.am
 +	    -e 's![@]libdir[@]!$(libdir)!g'     \
 +	    < $< > $@-t
 +	mv $@-t $@
 +
 +libvirt-qemu: libvirt-qemu.in
 +	sed                                     \
 +	    -e 's![@]libdir[@]!$(libdir)!g'     \
 +	    < $< > $@-t
 +	mv $@-t $@
 +
 apparmordir = $(sysconfdir)/apparmor.d/
 apparmor_DATA = \
@ -274,3 +283,301 @@ Index: libvirt-1.2.10/examples/apparmor/usr.sbin.libvirtd
 -  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
 -
 -}
 Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu
 ===================================================================
 --- libvirt-1.2.10.orig/examples/apparmor/libvirt-qemu
 +++ /dev/null
@@ -1,144 +0,0 @@
 -# Last Modified: Wed Sep 3 21:52:03 2014
 -
 -  #include <abstractions/base>
 -  #include <abstractions/consoles>
 -  #include <abstractions/nameservice>
 -
 -  # required for reading disk images
 -  capability dac_override,
 -  capability dac_read_search,
 -  capability chown,
 -
 -  # needed to drop privileges
 -  capability setgid,
 -  capability setuid,
 -
 -  network inet stream,
 -  network inet6 stream,
 -
 -  /dev/net/tun rw,
 -  /dev/kvm rw,
 -  /dev/ptmx rw,
 -  /dev/kqemu rw,
 -  @{PROC}/*/status r,
 -  @{PROC}/sys/kernel/cap_last_cap r,
 -
 -  # For hostdev access. The actual devices will be added dynamically
 -  /sys/bus/usb/devices/ r,
 -  /sys/devices/**/usb[0-9]*/** r,
 -
 -  # WARNING: this gives the guest direct access to host hardware and specific
 -  # portions of shared memory. This is required for sound using ALSA with kvm,
 -  # but may constitute a security risk. If your environment does not require
 -  # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
 -  # the rules for files in /dev.
 -  /{dev,run}/shm r,
 -  /{dev,run}/shmpulse-shm* r,
 -  /{dev,run}/shmpulse-shm* rwk,
 -  /dev/snd/* rw,
 -  capability ipc_lock,
 -  # spice
 -  owner /{dev,run}/shm/spice.* rw,
 -  # 'kill' is not required for sound and is a security risk. Do not enable
 -  # unless you absolutely need it.
 -  deny capability kill,
 -
 -  # Uncomment the following if you need access to /dev/fb*
 -  #/dev/fb* rw,
 -
 -  /etc/pulse/client.conf r,
 -  @{HOME}/.pulse-cookie rwk,
 -  owner /root/.pulse-cookie rwk,
 -  owner /root/.pulse/ rw,
 -  owner /root/.pulse/* rw,
 -  /usr/share/alsa/** r,
 -  owner /tmp/pulse-*/ rw,
 -  owner /tmp/pulse-*/* rw,
 -  /var/lib/dbus/machine-id r,
 -
 -  # access to firmware's etc
 -  /usr/share/kvm/** r,
 -  /usr/share/qemu/** r,
 -  /usr/share/bochs/** r,
 -  /usr/share/openbios/** r,
 -  /usr/share/openhackware/** r,
 -  /usr/share/proll/** r,
 -  /usr/share/vgabios/** r,
 -  /usr/share/seabios/** r,
 -  /usr/share/ovmf/** r,
 -
 -  # access PKI infrastructure
 -  /etc/pki/libvirt-vnc/** r,
 -
 -  # the various binaries
 -  /usr/bin/kvm rmix,
 -  /usr/bin/qemu rmix,
 -  /usr/bin/qemu-system-arm rmix,
 -  /usr/bin/qemu-system-cris rmix,
 -  /usr/bin/qemu-system-i386 rmix,
 -  /usr/bin/qemu-system-m68k rmix,
 -  /usr/bin/qemu-system-microblaze rmix,
 -  /usr/bin/qemu-system-microblazeel rmix,
 -  /usr/bin/qemu-system-mips rmix,
 -  /usr/bin/qemu-system-mips64 rmix,
 -  /usr/bin/qemu-system-mips64el rmix,
 -  /usr/bin/qemu-system-mipsel rmix,
 -  /usr/bin/qemu-system-ppc rmix,
 -  /usr/bin/qemu-system-ppc64 rmix,
 -  /usr/bin/qemu-system-ppcemb rmix,
 -  /usr/bin/qemu-system-sh4 rmix,
 -  /usr/bin/qemu-system-sh4eb rmix,
 -  /usr/bin/qemu-system-sparc rmix,
 -  /usr/bin/qemu-system-sparc64 rmix,
 -  /usr/bin/qemu-system-x86_64 rmix,
 -  /usr/bin/qemu-alpha rmix,
 -  /usr/bin/qemu-arm rmix,
 -  /usr/bin/qemu-armeb rmix,
 -  /usr/bin/qemu-cris rmix,
 -  /usr/bin/qemu-i386 rmix,
 -  /usr/bin/qemu-m68k rmix,
 -  /usr/bin/qemu-microblaze rmix,
 -  /usr/bin/qemu-microblazeel rmix,
 -  /usr/bin/qemu-mips rmix,
 -  /usr/bin/qemu-mipsel rmix,
 -  /usr/bin/qemu-ppc rmix,
 -  /usr/bin/qemu-ppc64 rmix,
 -  /usr/bin/qemu-ppc64abi32 rmix,
 -  /usr/bin/qemu-sh4 rmix,
 -  /usr/bin/qemu-sh4eb rmix,
 -  /usr/bin/qemu-sparc rmix,
 -  /usr/bin/qemu-sparc64 rmix,
 -  /usr/bin/qemu-sparc32plus rmix,
 -  /usr/bin/qemu-sparc64 rmix,
 -  /usr/bin/qemu-x86_64 rmix,
 -  /usr/lib/qemu/block-curl.so mr,
 -
 -  # for save and resume
 -  /bin/dash rmix,
 -  /bin/dd rmix,
 -  /bin/cat rmix,
 -
 -  # for usb access
 -  /dev/bus/usb/ r,
 -  /etc/udev/udev.conf r,
 -  /sys/bus/ r,
 -  /sys/class/ r,
 -
 -  /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
 -  # child profile for bridge helper process
 -  profile qemu_bridge_helper {
 -   #include <abstractions/base>
 -
 -   capability setuid,
 -   capability setgid,
 -   capability setpcap,
 -   capability net_admin,
 -
 -   network inet stream,
 -
 -   /dev/net/tun rw,
 -   /etc/qemu/** r,
 -   owner @{PROC}/*/status r,
 -
 -   /usr/{lib,libexec}/qemu-bridge-helper rmix,
 -  }
 Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
 ===================================================================
 --- /dev/null
 +++ libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
@@ -0,0 +1,144 @@
 +# Last Modified: Wed Sep 3 21:52:03 2014
 +
 +  #include <abstractions/base>
 +  #include <abstractions/consoles>
 +  #include <abstractions/nameservice>
 +
 +  # required for reading disk images
 +  capability dac_override,
 +  capability dac_read_search,
 +  capability chown,
 +
 +  # needed to drop privileges
 +  capability setgid,
 +  capability setuid,
 +
 +  network inet stream,
 +  network inet6 stream,
 +
 +  /dev/net/tun rw,
 +  /dev/kvm rw,
 +  /dev/ptmx rw,
 +  /dev/kqemu rw,
 +  @{PROC}/*/status r,
 +  @{PROC}/sys/kernel/cap_last_cap r,
 +
 +  # For hostdev access. The actual devices will be added dynamically
 +  /sys/bus/usb/devices/ r,
 +  /sys/devices/**/usb[0-9]*/** r,
 +
 +  # WARNING: this gives the guest direct access to host hardware and specific
 +  # portions of shared memory. This is required for sound using ALSA with kvm,
 +  # but may constitute a security risk. If your environment does not require
 +  # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
 +  # the rules for files in /dev.
 +  /{dev,run}/shm r,
 +  /{dev,run}/shmpulse-shm* r,
 +  /{dev,run}/shmpulse-shm* rwk,
 +  /dev/snd/* rw,
 +  capability ipc_lock,
 +  # spice
 +  owner /{dev,run}/shm/spice.* rw,
 +  # 'kill' is not required for sound and is a security risk. Do not enable
 +  # unless you absolutely need it.
 +  deny capability kill,
 +
 +  # Uncomment the following if you need access to /dev/fb*
 +  #/dev/fb* rw,
 +
 +  /etc/pulse/client.conf r,
 +  @{HOME}/.pulse-cookie rwk,
 +  owner /root/.pulse-cookie rwk,
 +  owner /root/.pulse/ rw,
 +  owner /root/.pulse/* rw,
 +  /usr/share/alsa/** r,
 +  owner /tmp/pulse-*/ rw,
 +  owner /tmp/pulse-*/* rw,
 +  /var/lib/dbus/machine-id r,
 +
 +  # access to firmware's etc
 +  /usr/share/kvm/** r,
 +  /usr/share/qemu/** r,
 +  /usr/share/bochs/** r,
 +  /usr/share/openbios/** r,
 +  /usr/share/openhackware/** r,
 +  /usr/share/proll/** r,
 +  /usr/share/vgabios/** r,
 +  /usr/share/seabios/** r,
 +  /usr/share/ovmf/** r,
 +
 +  # access PKI infrastructure
 +  /etc/pki/libvirt-vnc/** r,
 +
 +  # the various binaries
 +  /usr/bin/kvm rmix,
 +  /usr/bin/qemu rmix,
 +  /usr/bin/qemu-system-arm rmix,
 +  /usr/bin/qemu-system-cris rmix,
 +  /usr/bin/qemu-system-i386 rmix,
 +  /usr/bin/qemu-system-m68k rmix,
 +  /usr/bin/qemu-system-microblaze rmix,
 +  /usr/bin/qemu-system-microblazeel rmix,
 +  /usr/bin/qemu-system-mips rmix,
 +  /usr/bin/qemu-system-mips64 rmix,
 +  /usr/bin/qemu-system-mips64el rmix,
 +  /usr/bin/qemu-system-mipsel rmix,
 +  /usr/bin/qemu-system-ppc rmix,
 +  /usr/bin/qemu-system-ppc64 rmix,
 +  /usr/bin/qemu-system-ppcemb rmix,
 +  /usr/bin/qemu-system-sh4 rmix,
 +  /usr/bin/qemu-system-sh4eb rmix,
 +  /usr/bin/qemu-system-sparc rmix,
 +  /usr/bin/qemu-system-sparc64 rmix,
 +  /usr/bin/qemu-system-x86_64 rmix,
 +  /usr/bin/qemu-alpha rmix,
 +  /usr/bin/qemu-arm rmix,
 +  /usr/bin/qemu-armeb rmix,
 +  /usr/bin/qemu-cris rmix,
 +  /usr/bin/qemu-i386 rmix,
 +  /usr/bin/qemu-m68k rmix,
 +  /usr/bin/qemu-microblaze rmix,
 +  /usr/bin/qemu-microblazeel rmix,
 +  /usr/bin/qemu-mips rmix,
 +  /usr/bin/qemu-mipsel rmix,
 +  /usr/bin/qemu-ppc rmix,
 +  /usr/bin/qemu-ppc64 rmix,
 +  /usr/bin/qemu-ppc64abi32 rmix,
 +  /usr/bin/qemu-sh4 rmix,
 +  /usr/bin/qemu-sh4eb rmix,
 +  /usr/bin/qemu-sparc rmix,
 +  /usr/bin/qemu-sparc64 rmix,
 +  /usr/bin/qemu-sparc32plus rmix,
 +  /usr/bin/qemu-sparc64 rmix,
 +  /usr/bin/qemu-x86_64 rmix,
 +  @libdir@/qemu/block-curl.so mr,
 +
 +  # for save and resume
 +  /bin/dash rmix,
 +  /bin/dd rmix,
 +  /bin/cat rmix,
 +
 +  # for usb access
 +  /dev/bus/usb/ r,
 +  /etc/udev/udev.conf r,
 +  /sys/bus/ r,
 +  /sys/class/ r,
 +
 +  /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
 +  # child profile for bridge helper process
 +  profile qemu_bridge_helper {
 +   #include <abstractions/base>
 +
 +   capability setuid,
 +   capability setgid,
 +   capability setpcap,
 +   capability net_admin,
 +
 +   network inet stream,
 +
 +   /dev/net/tun rw,
 +   /etc/qemu/** r,
 +   owner @{PROC}/*/status r,
 +
 +   /usr/{lib,libexec}/qemu-bridge-helper rmix,
 +  }
--- a/libvirt.changes
+++ b/libvirt.changes
@ -5,6 +5,14 @@ Mon Nov 10 22:01:31 MST 2014 - jfehlig@suse.com
  b1674ad5-CVE-2014-7823.patch
  bsc#904176
 -------------------------------------------------------------------
 Thu Nov  6 16:00:24 UTC 2014 - cbosdonnat@suse.com
 - Fix Qemu AppArmor abstraction.
  - qemu-block.so was denied on x86_64. install-apparmor-profiles.patch
  - Temporary fix access to screenshot temporary file. bsc#904426.
    qemu-apparmor-screenshot.patch
 -------------------------------------------------------------------
 Mon Nov  3 11:08:49 MST 2014 - jfehlig@suse.com
--- a/libvirt.spec
+++ b/libvirt.spec
@ -457,6 +457,7 @@ Patch208:       disable-virCgroupGetPercpuStats-test.patch
 %if %{with_apparmor}
 Patch250:       install-apparmor-profiles.patch
 Patch251:       apparmor-no-mount.patch
 Patch252:       qemu-apparmor-screenshot.patch
 %endif
 %if %{with_netcontrol}
 Patch300:       libvirt-suse-netcontrol.patch
@ -985,6 +986,7 @@ Provides a dissector for the libvirt RPC protocol to help debugging it.
 %if %{with_apparmor}
 %patch250 -p1
 %patch251 -p1
 %patch252 -p1
 %endif
 %if %{with_netcontrol}
 %patch300 -p1
--- a/qemu-apparmor-screenshot.patch
+++ b/qemu-apparmor-screenshot.patch
@ -0,0 +1,14 @@
 Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
 ===================================================================
 --- libvirt-1.2.10.orig/examples/apparmor/libvirt-qemu.in
 +++ libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
@@ -124,6 +124,9 @@
   /sys/bus/ r,
   /sys/class/ r,
 +  # Temporary screendump rule -- See bsc#904426
 +  /var/cache/libvirt/qemu/qemu.screendump.* rw,
 +
   /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
   # child profile for bridge helper process
   profile qemu_bridge_helper {