SHA256
1
0
forked from pool/libvirt
libvirt/apparmor-no-mount.patch
James Fehlig 278a149fdc Accepting request 253577 from home:jfehlig:branches:Virtualization
Note:  tarball verification is now done using %gpg_verify, along
with the .asc file the upstream libvirt maintainer now generates
for each release.  This approach requires using the upstream .gz
tarball, which is slightly larger than the regenerated .bz2 one.

- Update to libvirt 1.2.9
  - Introduce virNodeAllocPages
  - event: introduce new event for tunable values
  - Add support for fetching statistics of completed jobs
  - CVE-2014-3657: domain_conf: fix domain deadlock
  - CVE-2014-3633: qemu: blkiotune: Use correct definition when
    looking up disk
  - Many incremental improvements and bug fixes, see
    http://libvirt.org/news.html
  - Drop upstream patches: 3e745e8f-CVE-2014-3633.patch,
    libvirt-guests-wait-for-ntp.patch
- Verify tarball with associated .asc file
  Add: libvirt.keyring, libvirt-1.2.9.tar.gz.asc
  Use upstream .gz tarball instead of locally generated .bz2

OBS-URL: https://build.opensuse.org/request/show/253577
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=411
2014-10-01 22:29:37 +00:00

47 lines
1.4 KiB
Diff

Index: libvirt-1.2.9/examples/apparmor/libvirt-lxc
===================================================================
--- libvirt-1.2.9.orig/examples/apparmor/libvirt-lxc
+++ libvirt-1.2.9/examples/apparmor/libvirt-lxc
@@ -2,39 +2,15 @@
#include <abstractions/base>
- umount,
-
- # ignore DENIED message on / remount
- deny mount options=(ro, remount) -> /,
-
- # allow tmpfs mounts everywhere
- mount fstype=tmpfs,
-
- # allow mqueue mounts everywhere
- mount fstype=mqueue,
-
- # allow fuse mounts everywhere
- mount fstype=fuse.*,
-
- # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
- mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
+ # deny writes in /proc/sys/fs
deny @{PROC}/sys/fs/** wklx,
- # allow efivars to be mounted, writing to it will be blocked though
- mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
-
# block some other dangerous paths
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/kmem rwklx,
- # deny writes in /sys except for /sys/fs/cgroup, also allow
- # fusectl, securityfs and debugfs to be mounted there (read-only)
- mount fstype=fusectl -> /sys/fs/fuse/connections/,
- mount fstype=securityfs -> /sys/kernel/security/,
- mount fstype=debugfs -> /sys/kernel/debug/,
- mount fstype=proc -> /proc/,
- mount fstype=sysfs -> /sys/,
+ # deny writes in /sys
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,