SHA256
1
0
forked from pool/libvirt
libvirt/install-apparmor-profiles.patch
James Fehlig 278a149fdc Accepting request 253577 from home:jfehlig:branches:Virtualization
Note:  tarball verification is now done using %gpg_verify, along
with the .asc file the upstream libvirt maintainer now generates
for each release.  This approach requires using the upstream .gz
tarball, which is slightly larger than the regenerated .bz2 one.

- Update to libvirt 1.2.9
  - Introduce virNodeAllocPages
  - event: introduce new event for tunable values
  - Add support for fetching statistics of completed jobs
  - CVE-2014-3657: domain_conf: fix domain deadlock
  - CVE-2014-3633: qemu: blkiotune: Use correct definition when
    looking up disk
  - Many incremental improvements and bug fixes, see
    http://libvirt.org/news.html
  - Drop upstream patches: 3e745e8f-CVE-2014-3633.patch,
    libvirt-guests-wait-for-ntp.patch
- Verify tarball with associated .asc file
  Add: libvirt.keyring, libvirt-1.2.9.tar.gz.asc
  Use upstream .gz tarball instead of locally generated .bz2

OBS-URL: https://build.opensuse.org/request/show/253577
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=411
2014-10-01 22:29:37 +00:00

277 lines
7.5 KiB
Diff

Index: libvirt-1.2.9/examples/apparmor/Makefile.am
===================================================================
--- libvirt-1.2.9.orig/examples/apparmor/Makefile.am
+++ libvirt-1.2.9/examples/apparmor/Makefile.am
@@ -19,10 +19,22 @@ EXTRA_DIST= \
TEMPLATE.lxc \
libvirt-qemu \
libvirt-lxc \
- usr.lib.libvirt.virt-aa-helper \
- usr.sbin.libvirtd
+ usr.lib.libvirt.virt-aa-helper.in \
+ usr.sbin.libvirtd.in
if WITH_APPARMOR_PROFILES
+usr.lib.libvirt.virt-aa-helper: usr.lib.libvirt.virt-aa-helper.in
+ sed \
+ -e 's![@]libdir[@]!$(libdir)!g' \
+ < $< > $@-t
+ mv $@-t $@
+
+usr.sbin.libvirtd: usr.sbin.libvirtd.in
+ sed \
+ -e 's![@]libdir[@]!$(libdir)!g' \
+ < $< > $@-t
+ mv $@-t $@
+
apparmordir = $(sysconfdir)/apparmor.d/
apparmor_DATA = \
usr.lib.libvirt.virt-aa-helper \
Index: libvirt-1.2.9/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
===================================================================
--- /dev/null
+++ libvirt-1.2.9/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -0,0 +1,48 @@
+# Last Modified: Mon Apr 5 15:10:27 2010
+#include <tunables/global>
+
+@libdir@/libvirt/virt-aa-helper {
+ #include <abstractions/base>
+
+ # needed for searching directories
+ capability dac_override,
+ capability dac_read_search,
+
+ # needed for when disk is on a network filesystem
+ network inet,
+
+ deny @{PROC}/[0-9]*/mounts r,
+ @{PROC}/[0-9]*/net/psched r,
+ owner @{PROC}/[0-9]*/status r,
+ @{PROC}/filesystems r,
+
+ # for hostdev
+ /sys/devices/ r,
+ /sys/devices/** r,
+
+ @libdir@/libvirt/virt-aa-helper mr,
+ /sbin/apparmor_parser Ux,
+
+ /etc/apparmor.d/libvirt/* r,
+ /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+
+ # for backingstore -- allow access to non-hidden files in @{HOME} as well
+ # as storage pools
+ audit deny @{HOME}/.* mrwkl,
+ audit deny @{HOME}/.*/ rw,
+ audit deny @{HOME}/.*/** mrwkl,
+ audit deny @{HOME}/bin/ rw,
+ audit deny @{HOME}/bin/** mrwkl,
+ @{HOME}/ r,
+ @{HOME}/** r,
+ /var/lib/libvirt/images/ r,
+ /var/lib/libvirt/images/** r,
+ /{media,mnt,opt,srv}/** r,
+
+ /**.img r,
+ /**.qcow{,2} r,
+ /**.qed r,
+ /**.vmdk r,
+ /**.[iI][sS][oO] r,
+ /**/disk{,.*} r,
+}
Index: libvirt-1.2.9/examples/apparmor/usr.sbin.libvirtd.in
===================================================================
--- /dev/null
+++ libvirt-1.2.9/examples/apparmor/usr.sbin.libvirtd.in
@@ -0,0 +1,68 @@
+# Last Modified: Mon Apr 5 15:03:58 2010
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
+
+/usr/sbin/libvirtd {
+ #include <abstractions/base>
+ #include <abstractions/dbus>
+
+ capability kill,
+ capability net_admin,
+ capability net_raw,
+ capability setgid,
+ capability sys_admin,
+ capability sys_module,
+ capability sys_ptrace,
+ capability sys_nice,
+ capability sys_chroot,
+ capability setuid,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability chown,
+ capability setpcap,
+ capability mknod,
+ capability fsetid,
+ capability audit_write,
+
+ # Needed for vfio
+ capability sys_resource,
+
+ network inet stream,
+ network inet dgram,
+ network inet6 stream,
+ network inet6 dgram,
+ network packet dgram,
+ network packet raw,
+
+ # Very lenient profile for libvirtd since we want to first focus on confining
+ # the guests. Guests will have a very restricted profile.
+ / r,
+ /** rwmkl,
+
+ /bin/* PUx,
+ /sbin/* PUx,
+ /usr/bin/* PUx,
+ /usr/sbin/* PUx,
+ /lib/udev/scsi_id PUx,
+ /usr/lib/xen/bin/* Ux,
+ /usr/lib64/xen/bin/* Ux,
+ /usr/lib/polkit-1/polkit-agent-helper Px,
+
+ # force the use of virt-aa-helper
+ audit deny /sbin/apparmor_parser rwxl,
+ audit deny /etc/apparmor.d/libvirt/** wxl,
+ audit deny /sys/kernel/security/apparmor/features rwxl,
+ audit deny /sys/kernel/security/apparmor/matching rwxl,
+ audit deny /sys/kernel/security/apparmor/.* rwxl,
+ /sys/kernel/security/apparmor/profiles r,
+ @libdir@/libvirt/* PUxr,
+ /etc/libvirt/hooks/** rmix,
+ /etc/xen/scripts/** rmix,
+ @libdir@/libvirt/libvirt_parthelper Ux,
+ @libdir@/libvirt/libvirt_iohelper Ux,
+
+ # allow changing to our UUID-based named profiles
+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
+}
Index: libvirt-1.2.9/examples/apparmor/usr.lib.libvirt.virt-aa-helper
===================================================================
--- libvirt-1.2.9.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ /dev/null
@@ -1,48 +0,0 @@
-# Last Modified: Mon Apr 5 15:10:27 2010
-#include <tunables/global>
-
-/usr/lib/libvirt/virt-aa-helper {
- #include <abstractions/base>
-
- # needed for searching directories
- capability dac_override,
- capability dac_read_search,
-
- # needed for when disk is on a network filesystem
- network inet,
-
- deny @{PROC}/[0-9]*/mounts r,
- @{PROC}/[0-9]*/net/psched r,
- owner @{PROC}/[0-9]*/status r,
- @{PROC}/filesystems r,
-
- # for hostdev
- /sys/devices/ r,
- /sys/devices/** r,
-
- /usr/lib/libvirt/virt-aa-helper mr,
- /sbin/apparmor_parser Ux,
-
- /etc/apparmor.d/libvirt/* r,
- /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
-
- # for backingstore -- allow access to non-hidden files in @{HOME} as well
- # as storage pools
- audit deny @{HOME}/.* mrwkl,
- audit deny @{HOME}/.*/ rw,
- audit deny @{HOME}/.*/** mrwkl,
- audit deny @{HOME}/bin/ rw,
- audit deny @{HOME}/bin/** mrwkl,
- @{HOME}/ r,
- @{HOME}/** r,
- /var/lib/libvirt/images/ r,
- /var/lib/libvirt/images/** r,
- /{media,mnt,opt,srv}/** r,
-
- /**.img r,
- /**.qcow{,2} r,
- /**.qed r,
- /**.vmdk r,
- /**.[iI][sS][oO] r,
- /**/disk{,.*} r,
-}
Index: libvirt-1.2.9/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-1.2.9.orig/examples/apparmor/usr.sbin.libvirtd
+++ /dev/null
@@ -1,63 +0,0 @@
-# Last Modified: Mon Apr 5 15:03:58 2010
-#include <tunables/global>
-@{LIBVIRT}="libvirt"
-
-/usr/sbin/libvirtd {
- #include <abstractions/base>
- #include <abstractions/dbus>
-
- capability kill,
- capability net_admin,
- capability net_raw,
- capability setgid,
- capability sys_admin,
- capability sys_module,
- capability sys_ptrace,
- capability sys_nice,
- capability sys_chroot,
- capability setuid,
- capability dac_override,
- capability dac_read_search,
- capability fowner,
- capability chown,
- capability setpcap,
- capability mknod,
- capability fsetid,
- capability audit_write,
-
- # Needed for vfio
- capability sys_resource,
-
- network inet stream,
- network inet dgram,
- network inet6 stream,
- network inet6 dgram,
- network packet dgram,
-
- # Very lenient profile for libvirtd since we want to first focus on confining
- # the guests. Guests will have a very restricted profile.
- / r,
- /** rwmkl,
-
- /bin/* PUx,
- /sbin/* PUx,
- /usr/bin/* PUx,
- /usr/sbin/* PUx,
- /lib/udev/scsi_id PUx,
- /usr/lib/xen-common/bin/xen-toolstack PUx,
-
- # force the use of virt-aa-helper
- audit deny /sbin/apparmor_parser rwxl,
- audit deny /etc/apparmor.d/libvirt/** wxl,
- audit deny /sys/kernel/security/apparmor/features rwxl,
- audit deny /sys/kernel/security/apparmor/matching rwxl,
- audit deny /sys/kernel/security/apparmor/.* rwxl,
- /sys/kernel/security/apparmor/profiles r,
- /usr/lib/libvirt/* PUxr,
- /etc/libvirt/hooks/** rmix,
- /etc/xen/scripts/** rmix,
-
- # allow changing to our UUID-based named profiles
- change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
-
-}