Accepting request 532350 from home:jfehlig:branches:Virtualization

Incremental update of the libvirt package to fix bsc#1060860. - apparmor: add dnsmasq ptrace rule to libvirtd profile c44b29aa-apparmor-dnsmasq-ptrace.patch bsc#1060860 OBS-URL: https://build.opensuse.org/request/show/532350 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=627
2017-10-06 23:21:18 +00:00 · 2017-10-06 23:21:18 +00:00 · de19f2680c
commit de19f2680c
parent 5f197ada50
3 changed files with 69 additions and 0 deletions
--- a/c44b29aa-apparmor-dnsmasq-ptrace.patch
+++ b/c44b29aa-apparmor-dnsmasq-ptrace.patch
@ -0,0 +1,60 @@
+commit c44b29aacb6a3f445ab06d61899a0308b9d6d0d3
+Author: Jim Fehlig <jfehlig@suse.com>
+Date:   Fri Oct 6 14:20:36 2017 -0600
+
+    apparmor: add dnsmasq ptrace rule to libvirtd profile
+    
+    Commit b482925c added ptrace rule for the apparmor profiles,
+    but one was missed in the libvirtd profile for dnsmasq. It was
+    overlooked since the test machine did not have an active libvirt
+    network requiring dnsmasq that was also set to autostart. With
+    one active and set to autostart, the following denial is observed
+    in audit.log when restarting libvirtd
+    
+    type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \
+    operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \
+    comm="libvirtd" requested_mask="trace" denied_mask="trace" \
+    peer="/usr/sbin/dnsmasq"
+    
+    With an active network, I suspect a libvirtd restart causes access
+    to /proc/<dnsmasq-pid>/*, hence the resulting denial. As a nasty
+    side affect of the denial, libvirtd thinks it needs to spawn a
+    dnsmasq process even though one is already running for the network.
+    E.g. after two libvirtd restarts
+    
+    dnsmasq   1683  0.0  0.0  51188  2612 ?        S    12:03   0:00 \
+     /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
+     --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
+    root      1684  0.0  0.0  51160   576 ?        S    12:03   0:00 \
+     /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
+     --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
+    dnsmasq   4706  0.0  0.0  51188  2572 ?        S    13:54   0:00 \
+     /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
+     --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
+    root      4707  0.0  0.0  51160   572 ?        S    13:54   0:00 \
+     /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
+     --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
+    dnsmasq   4791  0.0  0.0  51188  2580 ?        S    13:56   0:00 \
+     /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
+     --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
+    root      4792  0.0  0.0  51160   572 ?        S    13:56   0:00 \
+     /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
+     --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
+    
+    A simple fix is to add a ptrace rule for dnsmasq.
+    
+    Signed-off-by: Jim Fehlig <jfehlig@suse.com>
+    Reviewed-By: Guido Günther <agx@sigxcpu.org>
+
+Index: libvirt-3.8.0/examples/apparmor/usr.sbin.libvirtd
+===================================================================
+--- libvirt-3.8.0.orig/examples/apparmor/usr.sbin.libvirtd
+++ libvirt-3.8.0/examples/apparmor/usr.sbin.libvirtd
+@@ -39,6 +39,7 @@
+ 
+   ptrace (trace) peer=unconfined,
+   ptrace (trace) peer=/usr/sbin/libvirtd,
+  ptrace (trace) peer=/usr/sbin/dnsmasq,
+   ptrace (trace) peer=libvirt-*,
+ 
+   # Very lenient profile for libvirtd since we want to first focus on confining
--- a/libvirt.changes
+++ b/libvirt.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Oct  6 22:46:12 UTC 2017 - jfehlig@suse.com
+
+- apparmor: add dnsmasq ptrace rule to libvirtd profile
+  c44b29aa-apparmor-dnsmasq-ptrace.patch
+  bsc#1060860
+
 -------------------------------------------------------------------
 Thu Oct  5 15:19:24 UTC 2017 - jfehlig@suse.com

--- a/libvirt.spec
+++ b/libvirt.spec
@ -309,6 +309,7 @@ Source4:        libvirt-supportconfig
 Source99:       baselibs.conf
 Source100:      %{name}-rpmlintrc
 # Upstream patches
+Patch0:         c44b29aa-apparmor-dnsmasq-ptrace.patch
 # Patches pending upstream review
 Patch100:       libxl-dom-reset.patch
 Patch101:       network-don-t-use-dhcp-authoritative-on-static-netwo.patch
@ -882,6 +883,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.

 %prep
 %setup -q
+%patch0 -p1
 %patch100 -p1
 %patch101 -p1
 %patch150 -p1