forked from pool/libvirt
21a15fa2f7
- Enhance apparmor rules for virt-aa-helper (bsc#1070916) 0f33025a-virt-aa-helper-handle-more-disk-images.patch OBS-URL: https://build.opensuse.org/request/show/558919 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=653
99 lines
3.1 KiB
Diff
99 lines
3.1 KiB
Diff
From 0f33025a43788f7f3483dfac6ab0b9f79c0d7957 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
|
|
Date: Mon, 11 Dec 2017 11:09:31 +0100
|
|
Subject: [PATCH] virt-aa-helper: handle more disk images
|
|
|
|
virt-aa-helper needs read access to the disk image to resolve symlinks
|
|
and add the proper rules to the profile. Its profile whitelists a few
|
|
common paths, but users can place their images anywhere.
|
|
|
|
This commit helps users allowing access to their images by adding their
|
|
own rules in apparmor.d/local/usr.lib.libvirt.virt-aa-helper.
|
|
|
|
This commit also adds rules to allow reading files named:
|
|
- *.raw as this is a rather common disk image extension
|
|
- /run/libvirt/**[vd]d[a-z] as these are used by virt-sandbox
|
|
---
|
|
examples/Makefile.am | 24 ++++++++++++++++++++++--
|
|
examples/apparmor/usr.lib.libvirt.virt-aa-helper | 5 +++++
|
|
2 files changed, 27 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/examples/Makefile.am b/examples/Makefile.am
|
|
index ef2f79db3..7069d74e7 100644
|
|
--- a/examples/Makefile.am
|
|
+++ b/examples/Makefile.am
|
|
@@ -67,6 +67,9 @@ admin_client_info_SOURCES = admin/client_info.c
|
|
admin_client_close_SOURCES = admin/client_close.c
|
|
admin_logging_SOURCES = admin/logging.c
|
|
|
|
+INSTALL_DATA_LOCAL =
|
|
+UNINSTALL_LOCAL =
|
|
+
|
|
if WITH_APPARMOR_PROFILES
|
|
apparmordir = $(sysconfdir)/apparmor.d/
|
|
apparmor_DATA = \
|
|
@@ -85,20 +88,37 @@ templates_DATA = \
|
|
apparmor/TEMPLATE.qemu \
|
|
apparmor/TEMPLATE.lxc \
|
|
$(NULL)
|
|
+
|
|
+APPARMOR_LOCAL_DIR = "$(DESTDIR)$(apparmordir)/local"
|
|
+install-apparmor-local:
|
|
+ $(MKDIR_P) "$(APPARMOR_LOCAL_DIR)"
|
|
+ echo "# Site-specific additions and overrides for \
|
|
+ 'usr.lib.libvirt.virt-aa-helper'" \
|
|
+ >$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper
|
|
+
|
|
+INSTALL_DATA_LOCAL += install-apparmor-local
|
|
+UNINSTALL_LOCAL += uninstall-apparmor-local
|
|
endif WITH_APPARMOR_PROFILES
|
|
|
|
if WITH_NWFILTER
|
|
NWFILTER_DIR = "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter"
|
|
|
|
-install-data-local:
|
|
+install-nwfilter-local:
|
|
$(MKDIR_P) "$(NWFILTER_DIR)"
|
|
for f in $(FILTERS); do \
|
|
$(INSTALL_DATA) $$f "$(NWFILTER_DIR)"; \
|
|
done
|
|
|
|
-uninstall-local::
|
|
+uninstall-nwfilter-local::
|
|
for f in $(FILTERS); do \
|
|
rm -f "$(NWFILTER_DIR)/`basename $$f`"; \
|
|
done
|
|
-test -z "$(shell ls $(NWFILTER_DIR))" || rmdir $(NWFILTER_DIR)
|
|
+
|
|
+INSTALL_DATA_LOCAL += install-nwfilter-local
|
|
+UNINSTALL_LOCAL += uninstall-nwfilter-local
|
|
endif WITH_NWFILTER
|
|
+
|
|
+install-data-local: $(INSTALL_DATA_LOCAL)
|
|
+
|
|
+uninstall-local: $(UNINSTALL_LOCAL)
|
|
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
|
|
index bd6181d00..9c822b644 100644
|
|
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
|
|
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
|
|
@@ -50,11 +50,16 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
|
|
/var/lib/libvirt/images/ r,
|
|
/var/lib/libvirt/images/** r,
|
|
/{media,mnt,opt,srv}/** r,
|
|
+ # For virt-sandbox
|
|
+ /run/libvirt/**/[sv]d[a-z] r
|
|
|
|
/**.img r,
|
|
+ /**.raw r,
|
|
/**.qcow{,2} r,
|
|
/**.qed r,
|
|
/**.vmdk r,
|
|
/**.[iI][sS][oO] r,
|
|
/**/disk{,.*} r,
|
|
+
|
|
+ #include <local/usr.lib.libvirt.virt-aa-helper>
|
|
}
|
|
--
|
|
2.15.1
|
|
|