forked from pool/libvirt
278a149fdc
Note: tarball verification is now done using %gpg_verify, along with the .asc file the upstream libvirt maintainer now generates for each release. This approach requires using the upstream .gz tarball, which is slightly larger than the regenerated .bz2 one. - Update to libvirt 1.2.9 - Introduce virNodeAllocPages - event: introduce new event for tunable values - Add support for fetching statistics of completed jobs - CVE-2014-3657: domain_conf: fix domain deadlock - CVE-2014-3633: qemu: blkiotune: Use correct definition when looking up disk - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Drop upstream patches: 3e745e8f-CVE-2014-3633.patch, libvirt-guests-wait-for-ntp.patch - Verify tarball with associated .asc file Add: libvirt.keyring, libvirt-1.2.9.tar.gz.asc Use upstream .gz tarball instead of locally generated .bz2 OBS-URL: https://build.opensuse.org/request/show/253577 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=411
277 lines
7.5 KiB
Diff
277 lines
7.5 KiB
Diff
Index: libvirt-1.2.9/examples/apparmor/Makefile.am
|
|
===================================================================
|
|
--- libvirt-1.2.9.orig/examples/apparmor/Makefile.am
|
|
+++ libvirt-1.2.9/examples/apparmor/Makefile.am
|
|
@@ -19,10 +19,22 @@ EXTRA_DIST= \
|
|
TEMPLATE.lxc \
|
|
libvirt-qemu \
|
|
libvirt-lxc \
|
|
- usr.lib.libvirt.virt-aa-helper \
|
|
- usr.sbin.libvirtd
|
|
+ usr.lib.libvirt.virt-aa-helper.in \
|
|
+ usr.sbin.libvirtd.in
|
|
|
|
if WITH_APPARMOR_PROFILES
|
|
+usr.lib.libvirt.virt-aa-helper: usr.lib.libvirt.virt-aa-helper.in
|
|
+ sed \
|
|
+ -e 's![@]libdir[@]!$(libdir)!g' \
|
|
+ < $< > $@-t
|
|
+ mv $@-t $@
|
|
+
|
|
+usr.sbin.libvirtd: usr.sbin.libvirtd.in
|
|
+ sed \
|
|
+ -e 's![@]libdir[@]!$(libdir)!g' \
|
|
+ < $< > $@-t
|
|
+ mv $@-t $@
|
|
+
|
|
apparmordir = $(sysconfdir)/apparmor.d/
|
|
apparmor_DATA = \
|
|
usr.lib.libvirt.virt-aa-helper \
|
|
Index: libvirt-1.2.9/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
|
|
===================================================================
|
|
--- /dev/null
|
|
+++ libvirt-1.2.9/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
|
|
@@ -0,0 +1,48 @@
|
|
+# Last Modified: Mon Apr 5 15:10:27 2010
|
|
+#include <tunables/global>
|
|
+
|
|
+@libdir@/libvirt/virt-aa-helper {
|
|
+ #include <abstractions/base>
|
|
+
|
|
+ # needed for searching directories
|
|
+ capability dac_override,
|
|
+ capability dac_read_search,
|
|
+
|
|
+ # needed for when disk is on a network filesystem
|
|
+ network inet,
|
|
+
|
|
+ deny @{PROC}/[0-9]*/mounts r,
|
|
+ @{PROC}/[0-9]*/net/psched r,
|
|
+ owner @{PROC}/[0-9]*/status r,
|
|
+ @{PROC}/filesystems r,
|
|
+
|
|
+ # for hostdev
|
|
+ /sys/devices/ r,
|
|
+ /sys/devices/** r,
|
|
+
|
|
+ @libdir@/libvirt/virt-aa-helper mr,
|
|
+ /sbin/apparmor_parser Ux,
|
|
+
|
|
+ /etc/apparmor.d/libvirt/* r,
|
|
+ /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
|
|
+
|
|
+ # for backingstore -- allow access to non-hidden files in @{HOME} as well
|
|
+ # as storage pools
|
|
+ audit deny @{HOME}/.* mrwkl,
|
|
+ audit deny @{HOME}/.*/ rw,
|
|
+ audit deny @{HOME}/.*/** mrwkl,
|
|
+ audit deny @{HOME}/bin/ rw,
|
|
+ audit deny @{HOME}/bin/** mrwkl,
|
|
+ @{HOME}/ r,
|
|
+ @{HOME}/** r,
|
|
+ /var/lib/libvirt/images/ r,
|
|
+ /var/lib/libvirt/images/** r,
|
|
+ /{media,mnt,opt,srv}/** r,
|
|
+
|
|
+ /**.img r,
|
|
+ /**.qcow{,2} r,
|
|
+ /**.qed r,
|
|
+ /**.vmdk r,
|
|
+ /**.[iI][sS][oO] r,
|
|
+ /**/disk{,.*} r,
|
|
+}
|
|
Index: libvirt-1.2.9/examples/apparmor/usr.sbin.libvirtd.in
|
|
===================================================================
|
|
--- /dev/null
|
|
+++ libvirt-1.2.9/examples/apparmor/usr.sbin.libvirtd.in
|
|
@@ -0,0 +1,68 @@
|
|
+# Last Modified: Mon Apr 5 15:03:58 2010
|
|
+#include <tunables/global>
|
|
+@{LIBVIRT}="libvirt"
|
|
+
|
|
+/usr/sbin/libvirtd {
|
|
+ #include <abstractions/base>
|
|
+ #include <abstractions/dbus>
|
|
+
|
|
+ capability kill,
|
|
+ capability net_admin,
|
|
+ capability net_raw,
|
|
+ capability setgid,
|
|
+ capability sys_admin,
|
|
+ capability sys_module,
|
|
+ capability sys_ptrace,
|
|
+ capability sys_nice,
|
|
+ capability sys_chroot,
|
|
+ capability setuid,
|
|
+ capability dac_override,
|
|
+ capability dac_read_search,
|
|
+ capability fowner,
|
|
+ capability chown,
|
|
+ capability setpcap,
|
|
+ capability mknod,
|
|
+ capability fsetid,
|
|
+ capability audit_write,
|
|
+
|
|
+ # Needed for vfio
|
|
+ capability sys_resource,
|
|
+
|
|
+ network inet stream,
|
|
+ network inet dgram,
|
|
+ network inet6 stream,
|
|
+ network inet6 dgram,
|
|
+ network packet dgram,
|
|
+ network packet raw,
|
|
+
|
|
+ # Very lenient profile for libvirtd since we want to first focus on confining
|
|
+ # the guests. Guests will have a very restricted profile.
|
|
+ / r,
|
|
+ /** rwmkl,
|
|
+
|
|
+ /bin/* PUx,
|
|
+ /sbin/* PUx,
|
|
+ /usr/bin/* PUx,
|
|
+ /usr/sbin/* PUx,
|
|
+ /lib/udev/scsi_id PUx,
|
|
+ /usr/lib/xen/bin/* Ux,
|
|
+ /usr/lib64/xen/bin/* Ux,
|
|
+ /usr/lib/polkit-1/polkit-agent-helper Px,
|
|
+
|
|
+ # force the use of virt-aa-helper
|
|
+ audit deny /sbin/apparmor_parser rwxl,
|
|
+ audit deny /etc/apparmor.d/libvirt/** wxl,
|
|
+ audit deny /sys/kernel/security/apparmor/features rwxl,
|
|
+ audit deny /sys/kernel/security/apparmor/matching rwxl,
|
|
+ audit deny /sys/kernel/security/apparmor/.* rwxl,
|
|
+ /sys/kernel/security/apparmor/profiles r,
|
|
+ @libdir@/libvirt/* PUxr,
|
|
+ /etc/libvirt/hooks/** rmix,
|
|
+ /etc/xen/scripts/** rmix,
|
|
+ @libdir@/libvirt/libvirt_parthelper Ux,
|
|
+ @libdir@/libvirt/libvirt_iohelper Ux,
|
|
+
|
|
+ # allow changing to our UUID-based named profiles
|
|
+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
|
|
+
|
|
+}
|
|
Index: libvirt-1.2.9/examples/apparmor/usr.lib.libvirt.virt-aa-helper
|
|
===================================================================
|
|
--- libvirt-1.2.9.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
|
|
+++ /dev/null
|
|
@@ -1,48 +0,0 @@
|
|
-# Last Modified: Mon Apr 5 15:10:27 2010
|
|
-#include <tunables/global>
|
|
-
|
|
-/usr/lib/libvirt/virt-aa-helper {
|
|
- #include <abstractions/base>
|
|
-
|
|
- # needed for searching directories
|
|
- capability dac_override,
|
|
- capability dac_read_search,
|
|
-
|
|
- # needed for when disk is on a network filesystem
|
|
- network inet,
|
|
-
|
|
- deny @{PROC}/[0-9]*/mounts r,
|
|
- @{PROC}/[0-9]*/net/psched r,
|
|
- owner @{PROC}/[0-9]*/status r,
|
|
- @{PROC}/filesystems r,
|
|
-
|
|
- # for hostdev
|
|
- /sys/devices/ r,
|
|
- /sys/devices/** r,
|
|
-
|
|
- /usr/lib/libvirt/virt-aa-helper mr,
|
|
- /sbin/apparmor_parser Ux,
|
|
-
|
|
- /etc/apparmor.d/libvirt/* r,
|
|
- /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
|
|
-
|
|
- # for backingstore -- allow access to non-hidden files in @{HOME} as well
|
|
- # as storage pools
|
|
- audit deny @{HOME}/.* mrwkl,
|
|
- audit deny @{HOME}/.*/ rw,
|
|
- audit deny @{HOME}/.*/** mrwkl,
|
|
- audit deny @{HOME}/bin/ rw,
|
|
- audit deny @{HOME}/bin/** mrwkl,
|
|
- @{HOME}/ r,
|
|
- @{HOME}/** r,
|
|
- /var/lib/libvirt/images/ r,
|
|
- /var/lib/libvirt/images/** r,
|
|
- /{media,mnt,opt,srv}/** r,
|
|
-
|
|
- /**.img r,
|
|
- /**.qcow{,2} r,
|
|
- /**.qed r,
|
|
- /**.vmdk r,
|
|
- /**.[iI][sS][oO] r,
|
|
- /**/disk{,.*} r,
|
|
-}
|
|
Index: libvirt-1.2.9/examples/apparmor/usr.sbin.libvirtd
|
|
===================================================================
|
|
--- libvirt-1.2.9.orig/examples/apparmor/usr.sbin.libvirtd
|
|
+++ /dev/null
|
|
@@ -1,63 +0,0 @@
|
|
-# Last Modified: Mon Apr 5 15:03:58 2010
|
|
-#include <tunables/global>
|
|
-@{LIBVIRT}="libvirt"
|
|
-
|
|
-/usr/sbin/libvirtd {
|
|
- #include <abstractions/base>
|
|
- #include <abstractions/dbus>
|
|
-
|
|
- capability kill,
|
|
- capability net_admin,
|
|
- capability net_raw,
|
|
- capability setgid,
|
|
- capability sys_admin,
|
|
- capability sys_module,
|
|
- capability sys_ptrace,
|
|
- capability sys_nice,
|
|
- capability sys_chroot,
|
|
- capability setuid,
|
|
- capability dac_override,
|
|
- capability dac_read_search,
|
|
- capability fowner,
|
|
- capability chown,
|
|
- capability setpcap,
|
|
- capability mknod,
|
|
- capability fsetid,
|
|
- capability audit_write,
|
|
-
|
|
- # Needed for vfio
|
|
- capability sys_resource,
|
|
-
|
|
- network inet stream,
|
|
- network inet dgram,
|
|
- network inet6 stream,
|
|
- network inet6 dgram,
|
|
- network packet dgram,
|
|
-
|
|
- # Very lenient profile for libvirtd since we want to first focus on confining
|
|
- # the guests. Guests will have a very restricted profile.
|
|
- / r,
|
|
- /** rwmkl,
|
|
-
|
|
- /bin/* PUx,
|
|
- /sbin/* PUx,
|
|
- /usr/bin/* PUx,
|
|
- /usr/sbin/* PUx,
|
|
- /lib/udev/scsi_id PUx,
|
|
- /usr/lib/xen-common/bin/xen-toolstack PUx,
|
|
-
|
|
- # force the use of virt-aa-helper
|
|
- audit deny /sbin/apparmor_parser rwxl,
|
|
- audit deny /etc/apparmor.d/libvirt/** wxl,
|
|
- audit deny /sys/kernel/security/apparmor/features rwxl,
|
|
- audit deny /sys/kernel/security/apparmor/matching rwxl,
|
|
- audit deny /sys/kernel/security/apparmor/.* rwxl,
|
|
- /sys/kernel/security/apparmor/profiles r,
|
|
- /usr/lib/libvirt/* PUxr,
|
|
- /etc/libvirt/hooks/** rmix,
|
|
- /etc/xen/scripts/** rmix,
|
|
-
|
|
- # allow changing to our UUID-based named profiles
|
|
- change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
|
|
-
|
|
-}
|