9d8a1a2b86
- apparmor: add rules for new mediation features apparmor-rules-for-new-mediation-features.patch, apparmor-fine-grained-mount-rules.patch bsc#1066124, boo#1065123 - spec: unconditionally enable the wireshark dissector OBS-URL: https://build.opensuse.org/request/show/540060 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=636
commit 141103378a74c68cbd775a306cdfd641119debbd
Author: intrigeri <intrigeri+libvirt@boum.org>
Date: Sun Nov 5 15:29:57 2017 +0000
AppArmor: add rules needed with additional mediation features brought by Linux 4.14.
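--- libvirt-3.9.0.orig/examples/apparmor/libvirt-qemu
+++ libvirt-3.9.0/examples/apparmor/libvirt-qemu
@@ -16,6 +16,10 @@
 network inet stream,
 network inet6 stream,
 
+ ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
+
+ signal (receive) peer=/usr/sbin/libvirtd,
+
 /dev/net/tun rw,
 /dev/kvm rw,
 /dev/ptmx rw,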
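Review bot: The new `ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,` rule carries no comment saying which libvirtd operations need it; `readby` covers libvirtd reading the guest's /proc/<pid> entries, while `tracedby` additionally allows a full ptrace attach, so a reader cannot tell whether the second permission is actually required or only mirrors `ptrace (trace) peer=libvirt-*` in usr.sbin.libvirtd. A one-line comment above the pair, such as `# libvirtd reads /proc/<pid>/* of the guest and must be able to signal it; both are mediated since Linux 4.14`, would record the reason given in the commit message. The peer is also spelled as the hard-coded path `/usr/sbin/libvirtd`, which only matches while that is the daemon's profile name (the libvirtd profile itself names its peer by profile name, `libvirt-*`); if a build installs libvirtd under another path, both new rules stop matching and the guest loses these grants. Whether `tracedby` can be dropped depends on libvirtd code not shown here, so that part should be confirmed against the daemon before narrowing.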
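--- libvirt-3.9.0.orig/examples/apparmor/usr.sbin.libvirtd
+++ libvirt-3.9.0/examples/apparmor/usr.sbin.libvirtd
@@ -30,10 +30,13 @@
 # Needed for vfio
 capability sys_resource,
 
+ mount,
+
 network inet stream,
 network inet dgram,
 network inet6 stream,
 network inet6 dgram,
+ network netlink raw,
 network packet dgram,
 network packet raw,
 
@@ -42,6 +45,9 @@
 ptrace (trace) peer=/usr/sbin/dnsmasq,
 ptrace (trace) peer=libvirt-*,
 
+ signal (send) peer=/usr/sbin/dnsmasq,
+ signal (read, send) peer=libvirt-*,
+
 # Very lenient profile for libvirtd since we want to first focus on confining
 # the guests. Guests will have a very restricted profile.
 / r,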
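Review bot: The bare `mount,` added at the top of the first hunk allows every mount with any source, target, filesystem type and option, the broadest form AppArmor's mount mediation can express; in a profile that describes itself as "very lenient" that may be deliberate, but nothing in the hunk says so, and the package changelog at the top of this page names a separate apparmor-fine-grained-mount-rules.patch that presumably narrows it. Sitting two lines under `# Needed for vfio`, the rule also reads as if it were part of the vfio grant. A comment such as `# Mount mediation is new in Linux 4.14; kept unrestricted here, see the fine-grained mount rules patch` would tie the two patches together and stop that misreading. In the second hunk, `signal (read, send) peer=libvirt-*,` uses the `read` spelling where the libvirt-qemu profile in this same patch uses `(receive)`; the two are synonyms, so `signal (receive, send) peer=libvirt-*,` would keep the pair consistent.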