forked from pool/libvirt
278a149fdc
Note: tarball verification is now done using %gpg_verify, along with the .asc file the upstream libvirt maintainer now generates for each release. This approach requires using the upstream .gz tarball, which is slightly larger than the regenerated .bz2 one. - Update to libvirt 1.2.9 - Introduce virNodeAllocPages - event: introduce new event for tunable values - Add support for fetching statistics of completed jobs - CVE-2014-3657: domain_conf: fix domain deadlock - CVE-2014-3633: qemu: blkiotune: Use correct definition when looking up disk - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Drop upstream patches: 3e745e8f-CVE-2014-3633.patch, libvirt-guests-wait-for-ntp.patch - Verify tarball with associated .asc file Add: libvirt.keyring, libvirt-1.2.9.tar.gz.asc Use upstream .gz tarball instead of locally generated .bz2 OBS-URL: https://build.opensuse.org/request/show/253577 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=411
47 lines
1.4 KiB
Diff
47 lines
1.4 KiB
Diff
Index: libvirt-1.2.9/examples/apparmor/libvirt-lxc
|
|
===================================================================
|
|
--- libvirt-1.2.9.orig/examples/apparmor/libvirt-lxc
|
|
+++ libvirt-1.2.9/examples/apparmor/libvirt-lxc
|
|
@@ -2,39 +2,15 @@
|
|
|
|
#include <abstractions/base>
|
|
|
|
- umount,
|
|
-
|
|
- # ignore DENIED message on / remount
|
|
- deny mount options=(ro, remount) -> /,
|
|
-
|
|
- # allow tmpfs mounts everywhere
|
|
- mount fstype=tmpfs,
|
|
-
|
|
- # allow mqueue mounts everywhere
|
|
- mount fstype=mqueue,
|
|
-
|
|
- # allow fuse mounts everywhere
|
|
- mount fstype=fuse.*,
|
|
-
|
|
- # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
|
|
- mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
|
|
+ # deny writes in /proc/sys/fs
|
|
deny @{PROC}/sys/fs/** wklx,
|
|
|
|
- # allow efivars to be mounted, writing to it will be blocked though
|
|
- mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
|
|
-
|
|
# block some other dangerous paths
|
|
deny @{PROC}/sysrq-trigger rwklx,
|
|
deny @{PROC}/mem rwklx,
|
|
deny @{PROC}/kmem rwklx,
|
|
|
|
- # deny writes in /sys except for /sys/fs/cgroup, also allow
|
|
- # fusectl, securityfs and debugfs to be mounted there (read-only)
|
|
- mount fstype=fusectl -> /sys/fs/fuse/connections/,
|
|
- mount fstype=securityfs -> /sys/kernel/security/,
|
|
- mount fstype=debugfs -> /sys/kernel/debug/,
|
|
- mount fstype=proc -> /proc/,
|
|
- mount fstype=sysfs -> /sys/,
|
|
+ # deny writes in /sys
|
|
deny /sys/firmware/efi/efivars/** rwklx,
|
|
deny /sys/kernel/security/** rwklx,
|
|
|