forked from pool/libvirt
a5d02a488f
- Update to libvirt 5.5.0
- CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168
- Many incremental improvements and bug fixes, see
http://libvirt.org/news.html
- Dropped patches:
aed6a032-CVE-2019-10161.patch,
db0b7845-CVE-2019-10166.patch,
8afa68ba-CVE-2019-10167.patch,
bf6c2830-CVE-2019-10168.patch
OBS-URL: https://build.opensuse.org/request/show/718303
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=768
36 lines
1.3 KiB
Diff
36 lines
1.3 KiB
Diff
Apparmor: Adjust libnl paths
|
|
|
|
In SUSE distros, libnl paths generally contain only 'libnl', and
|
|
not an embedded version number such as 'libnl-3'. Use 'libnl*' in
|
|
the virt-aa-helper profile to accommodate all libnl path variants.
|
|
|
|
It was also noticed that the per-domain profiles need a libnl rule
|
|
to squelch a denial when starting confined domains.
|
|
|
|
Found while investigating bsc#1058847
|
|
Index: libvirt-5.5.0/src/security/apparmor/libvirt-qemu
|
|
===================================================================
|
|
--- libvirt-5.5.0.orig/src/security/apparmor/libvirt-qemu
|
|
+++ libvirt-5.5.0/src/security/apparmor/libvirt-qemu
|
|
@@ -63,6 +63,7 @@
|
|
#/dev/fb* rw,
|
|
|
|
/etc/pulse/client.conf r,
|
|
+ /etc/libnl*/classid r,
|
|
@{HOME}/.pulse-cookie rwk,
|
|
owner /root/.pulse-cookie rwk,
|
|
owner /root/.pulse/ rw,
|
|
Index: libvirt-5.5.0/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
|
|
===================================================================
|
|
--- libvirt-5.5.0.orig/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
|
|
+++ libvirt-5.5.0/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
|
|
@@ -17,7 +17,7 @@ profile virt-aa-helper /usr/{lib,lib64}/
|
|
owner @{PROC}/[0-9]*/status r,
|
|
@{PROC}/filesystems r,
|
|
|
|
- /etc/libnl-3/classid r,
|
|
+ /etc/libnl*/classid r,
|
|
|
|
# for gl enabled graphics
|
|
/dev/dri/{,*} r,
|