From b9f149814bf1b35d5682b7e091706cae9d9c783a3902a7af5b75be925f50ab97 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= Date: Sun, 10 Jun 2012 12:13:56 +0000 Subject: [PATCH] Accepting request 124357 from home:a_faerber:branches:Virtualization - Set up bridge helper as a setuid executable - Add patch for specifying --libexecdir * Fixes having to specify the path to qemu-bridge-helper manually - Drop superfluous `make qemu-img` - Move qemu-bridge-helper to its own subpackage, to share with KVM OBS-URL: https://build.opensuse.org/request/show/124357 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=78 --- ...-use-libexecdir-instead-of-ignoring-.patch | 83 +++++++++++++++++++ bridge.conf | 11 +++ qemu | 5 ++ qemu-tools-rpmlintrc | 4 + qemu.changes | 13 +++ qemu.paranoid | 5 ++ qemu.spec | 62 ++++++++++++-- qemu.spec.in | 60 ++++++++++++-- 8 files changed, 231 insertions(+), 12 deletions(-) create mode 100644 0022-use-libexecdir-instead-of-ignoring-.patch create mode 100644 bridge.conf create mode 100644 qemu create mode 100644 qemu-tools-rpmlintrc create mode 100644 qemu.paranoid diff --git a/0022-use-libexecdir-instead-of-ignoring-.patch b/0022-use-libexecdir-instead-of-ignoring-.patch new file mode 100644 index 00000000..6ef17ae0 --- /dev/null +++ b/0022-use-libexecdir-instead-of-ignoring-.patch 
@@ -0,0 +1,83 @@
+From 57fd4d50146ef90693d569ee799f7e9e9d606e05 Mon Sep 17 00:00:00 2001
+From: Michael Tokarev
+Date: Thu, 7 Jun 2012 01:11:00 +0400
+Subject: [PATCH] use --libexecdir instead of ignoring it first and
+ reinventing it later
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit 7b93fadf3a38d1ed65ea5536a52efc2772c6e3b8 "Add basic version
+of bridge helper" put the bridge helper executable into a fixed
+${prefix}/libexec/ location, instead of using ${libexecdir} for
+this. At the same time, --libexecdir is being happily ignored
+by ./configure. Even more, the same patch sets unused $libexecdir
+variable in the generated config-host.mak, and uses fixed string
+(\${prefix}/libexecdir) for the bridge helper binary.
+
+Fix this braindamage by introducing $libexecdir variable, using
+it for the bridge helper binary, and recognizing --libexecdir.
+
+This patch is applicable to stable-1.1.
+
+Signed-off-by: Michael Tokarev
+Signed-off-by: Andreas Färber
+---
+ configure | 10 +++++++---
+ 1 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/configure b/configure
+index de92ac2..850821b 100755
+--- a/configure
++++ b/configure
+@@ -159,6 +159,7 @@ datadir="\${prefix}/share"
+ qemu_docdir="\${prefix}/share/doc/qemu"
+ bindir="\${prefix}/bin"
+ libdir="\${prefix}/lib"
++libexecdir="\${prefix}/libexec"
+ includedir="\${prefix}/include"
+ sysconfdir="\${prefix}/etc"
+ confsuffix="/qemu"
+@@ -587,6 +588,8 @@ for opt do
+ ;;
+ --libdir=*) libdir="$optarg"
+ ;;
++ --libexecdir=*) libexecdir="$optarg"
++ ;;
+ --includedir=*) includedir="$optarg"
+ ;;
+ --datadir=*) datadir="$optarg"
+@@ -597,7 +600,7 @@ for opt do
+ ;;
+ --sysconfdir=*) sysconfdir="$optarg"
+ ;;
+- --sbindir=*|--libexecdir=*|--sharedstatedir=*|--localstatedir=*|\
++ --sbindir=*|--sharedstatedir=*|--localstatedir=*|\
+ --oldincludedir=*|--datarootdir=*|--infodir=*|--localedir=*|\
+ --htmldir=*|--dvidir=*|--pdfdir=*|--psdir=*)
+ # These switches are silently ignored, for compatibility with
+@@ -2945,6 +2948,7 @@ echo "Install prefix $prefix"
+ echo "BIOS directory `eval echo $qemu_datadir`"
+ echo "binary directory `eval echo $bindir`"
+ echo "library directory `eval echo $libdir`"
++echo "libexec directory `eval echo $libexecdir`"
+ echo "include directory `eval echo $includedir`"
+ echo "config directory `eval echo $sysconfdir`"
+ if test "$mingw32" = "no" ; then
+@@ -3048,14 +3052,14 @@ echo all: >> $config_host_mak
+ echo "prefix=$prefix" >> $config_host_mak
+ echo "bindir=$bindir" >> $config_host_mak
+ echo "libdir=$libdir" >> $config_host_mak
++echo "libexecdir=$libexecdir" >> $config_host_mak
+ echo "includedir=$includedir" >> $config_host_mak
+ echo "mandir=$mandir" >> $config_host_mak
+ echo "sysconfdir=$sysconfdir" >> $config_host_mak
+ echo "qemu_confdir=$qemu_confdir" >> $config_host_mak
+ echo "qemu_datadir=$qemu_datadir" >> $config_host_mak
+ echo "qemu_docdir=$qemu_docdir" >> $config_host_mak
+-echo "libexecdir=\${prefix}/libexec" >> $config_host_mak
+-echo "CONFIG_QEMU_HELPERDIR=\"$prefix/libexec\"" >> $config_host_mak
++echo "CONFIG_QEMU_HELPERDIR=\"$libexecdir\"" >> $config_host_mak
+
+ echo "ARCH=$ARCH" >> $config_host_mak
+ if test "$debug_tcg" = "yes" ; then
diff --git a/bridge.conf b/bridge.conf
new file mode 100644
index 00000000..49caf5b1
--- /dev/null
+++ b/bridge.conf
@@ -0,0 +1,11 @@
+# Access control file for qemu bridge helper
+# Syntax consists of:
+# # comment (ignored)
+# allow all
+# allow
+# deny all
+# deny
+# include /path/to/additional/ACL/file
+# Users are blacklisted by default and 'deny' takes precedence over 'allow'.
+# Including additional ACL files allows file access permissions to be used as
+# a component of the policy to allow access or deny access to specific bridges.
diff --git a/qemu b/qemu
new file mode 100644
index 00000000..698d43aa
--- /dev/null
+++ b/qemu
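Review bot: In the last configure hunk of the carried patch, `CONFIG_QEMU_HELPERDIR=\"$libexecdir\"` writes the variable unexpanded, and the default introduced in the first hunk is the literal string `${prefix}/libexec`, whereas the removed line used the already-expanded `$prefix/libexec`. If config-host.mak values are copied verbatim into a C string (the consumer is not visible here), a build without `--libexecdir` would look for the bridge helper under a path containing a literal `${prefix}`. The summary output a few lines earlier already goes through `eval echo $libexecdir`; doing the same for the define, e.g. `echo "CONFIG_QEMU_HELPERDIR=\"$(eval echo $libexecdir)\"" >> $config_host_mak`, would keep the default working. This package passes `--libexecdir=%_libexecdir` explicitly, so it is only exposed if that option is ever dropped from the spec.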
@@ -0,0 +1,5 @@
+# /etc/permissions.d/qemu
+
+# qemu / kvm (bnc#765948)
+/usr/lib/qemu-bridge-helper root:root 4755
+/usr/lib64/qemu-bridge-helper root:root 4755
diff --git a/qemu-tools-rpmlintrc b/qemu-tools-rpmlintrc
new file mode 100644
index 00000000..fc521fb9
--- /dev/null
+++ b/qemu-tools-rpmlintrc
@@ -0,0 +1,4 @@
+# This line is mandatory to access the configuration functions
+from Config import *
+
+setBadness('permissions-unauthorized-file', 0)
diff --git a/qemu.changes b/qemu.changes
index 5a79e246..312ab6e3 100644
--- a/qemu.changes
+++ b/qemu.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Sat Jun 9 19:09:39 UTC 2012 - brogers@suse.com
+
+- Set up bridge helper as a setuid executable
+
+-------------------------------------------------------------------
+Sat Jun 9 12:17:45 UTC 2012 - afaerber@suse.de
+
+- Add patch for specifying --libexecdir
+* Fixes having to specify the path to qemu-bridge-helper manually
+- Drop superfluous `make qemu-img`
+- Move qemu-bridge-helper to its own subpackage, to share with KVM
+
 -------------------------------------------------------------------
 Tue Jun 5 13:25:43 UTC 2012 - afaerber@suse.de
 
diff --git a/qemu.paranoid b/qemu.paranoid
new file mode 100644
index 00000000..97e8421d
--- /dev/null
+++ b/qemu.paranoid
@@ -0,0 +1,5 @@
+# /etc/permissions.d/qemu.paranoid
+
+# qemu / kvm (bnc#765948)
+/usr/lib/qemu-bridge-helper root:root 0755
+/usr/lib64/qemu-bridge-helper root:root 0755
diff --git a/qemu.spec b/qemu.spec
index d8568568..fcfb581e 100644
--- a/qemu.spec
+++ b/qemu.spec
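Review bot: The two `4755` entries in the new permissions.d/qemu file make qemu-bridge-helper setuid root and executable by every local account, so the only gate in front of a root-privileged network helper is its own handling of bridge.conf. The spec in this same commit creates a `kvm` group in `%pre`; limiting the helper to that group, e.g. `/usr/lib/qemu-bridge-helper root:kvm 4750` (the lib64 line likewise, with the `%attr` in `%files tools` kept in step), would reduce the exposure to accounts that are meant to run guests. The group would then have to exist before qemu-tools is installed, which the main package's `%pre` does not guarantee. If world-executable is intended, a comment above the entries stating that access control is delegated to bridge.conf would make that explicit for whoever audits the profile.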
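Review bot: `setBadness('permissions-unauthorized-file', 0)` in qemu-tools-rpmlintrc zeroes the check for every file the package ships, not only for the two permissions.d files added in this commit, so a later unreviewed permissions file would pass lint without notice. Nothing in the file records why the waiver exists or when it can go. A comment above the call, such as `# waiver for permissions.d/qemu and qemu.paranoid, see bnc#765948; remove once the files are approved`, would give the next packager that information (the link to the bug is inferred from the reference in the permissions files).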
@@ -45,8 +45,13 @@ Patch0018: 0018-linux-user-binfmt-support-host-bina.patch Patch0019: 0019-linux-user-ARM-Ignore-immediate-val.patch Patch0020: 0020-linux-user-arm-no-tb_flush-on-reset.patch Patch0021: 0021-linux-user-fix-multi-threaded-proc-.patch +Patch0022: 0022-use-libexecdir-instead-of-ignoring-.patch # this is to make lint happy Source300: rpmlintrc +Source301: qemu-tools-rpmlintrc +Source302: bridge.conf +Source303: qemu +Source304: qemu.paranoid Source400: update_git.sh BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: SDL-devel @@ -86,7 +91,11 @@ BuildRequires: spice-protocol-devel BuildRequires: fdupes BuildRequires: glib2-devel BuildRequires: libvdeplug3-devel +BuildRequires: pwdutils BuildRequires: python +Requires: /usr/sbin/groupadd +Requires: pwdutils +Requires: qemu-tools Requires: timezone Requires: virt-utils @@ -97,6 +106,21 @@ binaries for different architectures under your native operating system. It currently emulates x86, ARM, PowerPC and SPARC CPUs as well as PC and PowerMac systems. +%package tools +Summary: Universal CPU emulator -- Tools +Group: System/Emulators/PC +Provides: qemu:%_libexecdir/qemu-bridge-helper +Requires: permissions + +%description tools +QEMU is an extremely well-performing CPU emulator that allows you to +choose between simulating an entire system and running userspace +binaries for different architectures under your native operating +system. It currently emulates x86, ARM, PowerPC and SPARC CPUs as well +as PC and PowerMac systems. + +This sub-package contains various tools, including a bridge helper. + %package linux-user Summary: Universal CPU emulator -- Linux User binaries Group: System/Emulators/PC 
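Review bot: In the second hunk, `Requires: pwdutils` and `Requires: /usr/sbin/groupadd` are plain run-time dependencies, yet they are needed by the `%pre` scriptlet this commit adds, and a plain `Requires:` does not guarantee they are installed before that scriptlet runs. `Requires(pre): pwdutils` expresses the ordering; the same applies to `Requires: permissions` in the new `%package tools`, whose `%post` calls `%set_permissions`, where `PreReq: permissions` (or `Requires(post): permissions`) would cover it. Because `%pre` sends groupadd's stderr to /dev/null, a missing tool would otherwise fail without any message and leave the `qemu` account uncreated. The same lines are repeated in qemu.spec.in.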
@@ -109,9 +133,9 @@ binaries for different architectures under your native operating system. It currently emulates x86, ARM, PowerPC and SPARC CPUs as well as PC and PowerMac systems. -This sub package contains static linked binaries for runnign linux-user +This sub-package contains statically linked binaries for running linux-user emulations. This can be used together with the OBS build script to -run cross architectures builds +run cross-architecture builds. %prep %setup -q @@ -136,12 +160,14 @@ run cross architectures builds %patch0019 -p1 %patch0020 -p1 %patch0021 -p1 +%patch0022 -p1 %build # build QEMU mkdir -p dynamic # build qemu-system ./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \ + --libexecdir=%_libexecdir \ --audio-card-list="ac97 es1370 sb16 cs4231a adlib gus" \ --audio-drv-list="alsa sdl" --enable-mixemu --enable-vde \ --enable-curl \ @@ -156,11 +182,11 @@ mkdir -p dynamic --disable-spice %endif make %{?jobs:-j%jobs} V=1 -make qemu-img V=1 mv *-softmmu/qemu-system-* qemu-io qemu-bridge-helper dynamic || true make clean # build userland emus ./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \ + --libexecdir=%_libexecdir \ --enable-linux-user \ --disable-system \ --static --disable-linux-aio \ @@ -172,7 +198,7 @@ sed -i "s/-lglib-2.0/-lglib-2.0 -lrt/" config-host.mak make %{?jobs:-j%jobs} V=1 %install -make install DESTDIR=$RPM_BUILD_ROOT libexecdir=%_libexecdir +make install DESTDIR=$RPM_BUILD_ROOT rm -f $RPM_BUILD_ROOT/%_mandir/man1/qemu-img.1 rm -f $RPM_BUILD_ROOT/%_mandir/man8/qemu-nbd.8 rm -fr $RPM_BUILD_ROOT/%_datadir/doc 
@@ -182,6 +208,9 @@ install -d -m 755 $RPM_BUILD_ROOT/%_sbindir install -m 755 scripts/qemu-binfmt-conf.sh $RPM_BUILD_ROOT/%_sbindir install -d -m 755 $RPM_BUILD_ROOT/%_libexecdir install -m 755 dynamic/qemu-bridge-helper $RPM_BUILD_ROOT/%_libexecdir +install -D -m 644 %{SOURCE302} $RPM_BUILD_ROOT/%{_sysconfdir}/qemu/bridge.conf +install -D -m 644 %{SOURCE303} %{buildroot}%{_sysconfdir}/permissions.d/qemu +install -D -m 644 %{SOURCE304} %{buildroot}%{_sysconfdir}/permissions.d/qemu.paranoid %ifnarch %ix86 x86_64 ln -sf ../../../emul/ia32-linux $RPM_BUILD_ROOT/usr/share/qemu/qemu-i386 %endif @@ -193,12 +222,25 @@ mkdir -p $RPM_BUILD_ROOT/emul/ia32-linux %clean rm -rf ${RPM_BUILD_ROOT} +%pre +%{_bindir}/getent group kvm >/dev/null || %{_sbindir}/groupadd -r kvm 2>/dev/null +%{_bindir}/getent group qemu >/dev/null || %{_sbindir}/groupadd -r qemu 2>/dev/null +%{_bindir}/getent passwd qemu >/dev/null || \ + %{_sbindir}/useradd -r -g qemu -G kvm -d / -s /sbin/nologin \ + -c "qemu user" qemu + +%if 0%{?suse_version} >= 1130 +%post tools +%set_permissions %_libexecdir/qemu-bridge-helper + +%verifyscript tools +%verify_permissions %_libexecdir/qemu-bridge-helper +%endif + %files %defattr(-, root, root) %doc COPYING COPYING.LIB Changelog README TODO VERSION qemu-doc.html qemu-tech.html -%_bindir/qemu-io %_bindir/qemu-system-* -%_libexecdir/qemu-bridge-helper %doc %_mandir/man[18]/qemu*.[18].gz %_datadir/%name %ifnarch %ix86 x86_64 ia64 @@ -207,6 +249,14 @@ rm -rf ${RPM_BUILD_ROOT} %dir %_sysconfdir/%name %config %_sysconfdir/%name/target-x86_64.conf +%files tools +%defattr(-, root, root) +%_bindir/qemu-io +%verify(not mode) %attr(4755, root, root) %_libexecdir/qemu-bridge-helper +%config %_sysconfdir/%name/bridge.conf +%config %attr(644,root,root) %_sysconfdir/permissions.d/qemu +%config %attr(644,root,root) %_sysconfdir/permissions.d/qemu.paranoid + %files linux-user %defattr(-, root, root) %_bindir/qemu-alpha 
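Review bot: In the second hunk, the `%if 0%{?suse_version} >= 1130` block around `%post tools` has no `%else`, so on older targets no scriptlet applies the permissions profile at install time, while `%files tools` still ships the helper with `%attr(4755, root, root)` unconditionally. A host configured for the paranoid profile would then carry a setuid-root helper until permissions are next re-applied. An `%else` branch that runs `%run_permissions` from `%post tools` would close that gap; if targets older than 1130 are not built at all, dropping the conditional states that more clearly. The identical hunk in qemu.spec.in is affected the same way.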
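Review bot: In the `%files tools` hunk, `%config %_sysconfdir/%name/bridge.conf` lets a package update that changes the shipped file replace an administrator's ACL with the comment-only default (the edited copy is kept as .rpmsave), which drops every local `allow`/`deny` rule until someone restores it. `%config(noreplace) %_sysconfdir/%name/bridge.conf` keeps the local policy in place and writes the new default alongside as .rpmnew. The same line appears in qemu.spec.in.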
diff --git a/qemu.spec.in b/qemu.spec.in index e215a2f7..6b565902 100644 --- a/qemu.spec.in +++ b/qemu.spec.in @@ -27,6 +27,10 @@ Source: %name-%version-1.tar.bz2 PATCH_FILES # this is to make lint happy Source300: rpmlintrc +Source301: qemu-tools-rpmlintrc +Source302: bridge.conf +Source303: qemu +Source304: qemu.paranoid Source400: update_git.sh BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: SDL-devel @@ -66,9 +70,13 @@ BuildRequires: spice-protocol-devel BuildRequires: fdupes BuildRequires: glib2-devel BuildRequires: libvdeplug3-devel +BuildRequires: pwdutils BuildRequires: python +Requires: pwdutils +Requires: qemu-tools Requires: timezone Requires: virt-utils +Requires: /usr/sbin/groupadd %description QEMU is an extremely well-performing CPU emulator that allows you to @@ -77,6 +85,21 @@ binaries for different architectures under your native operating system. It currently emulates x86, ARM, PowerPC and SPARC CPUs as well as PC and PowerMac systems. +%package tools +Summary: Universal CPU emulator -- Tools +Group: System/Emulators/PC +Provides: qemu:%_libexecdir/qemu-bridge-helper +Requires: permissions + +%description tools +QEMU is an extremely well-performing CPU emulator that allows you to +choose between simulating an entire system and running userspace +binaries for different architectures under your native operating +system. It currently emulates x86, ARM, PowerPC and SPARC CPUs as well +as PC and PowerMac systems. + +This sub-package contains various tools, including a bridge helper. + %package linux-user Summary: Universal CPU emulator -- Linux User binaries Group: System/Emulators/PC 
@@ -89,9 +112,9 @@ binaries for different architectures under your native operating system. It currently emulates x86, ARM, PowerPC and SPARC CPUs as well as PC and PowerMac systems. -This sub package contains static linked binaries for runnign linux-user +This sub-package contains statically linked binaries for running linux-user emulations. This can be used together with the OBS build script to -run cross architectures builds +run cross-architecture builds. %prep %setup -q @@ -102,6 +125,7 @@ PATCH_EXEC mkdir -p dynamic # build qemu-system ./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \ + --libexecdir=%_libexecdir \ --audio-card-list="ac97 es1370 sb16 cs4231a adlib gus" \ --audio-drv-list="alsa sdl" --enable-mixemu --enable-vde \ --enable-curl \ @@ -116,11 +140,11 @@ mkdir -p dynamic --disable-spice %endif make %{?jobs:-j%jobs} V=1 -make qemu-img V=1 mv *-softmmu/qemu-system-* qemu-io qemu-bridge-helper dynamic || true make clean # build userland emus ./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \ + --libexecdir=%_libexecdir \ --enable-linux-user \ --disable-system \ --static --disable-linux-aio \ @@ -132,7 +156,7 @@ sed -i "s/-lglib-2.0/-lglib-2.0 -lrt/" config-host.mak make %{?jobs:-j%jobs} V=1 %install -make install DESTDIR=$RPM_BUILD_ROOT libexecdir=%_libexecdir +make install DESTDIR=$RPM_BUILD_ROOT rm -f $RPM_BUILD_ROOT/%_mandir/man1/qemu-img.1 rm -f $RPM_BUILD_ROOT/%_mandir/man8/qemu-nbd.8 rm -fr $RPM_BUILD_ROOT/%_datadir/doc 
@@ -142,6 +166,9 @@ install -d -m 755 $RPM_BUILD_ROOT/%_sbindir install -m 755 scripts/qemu-binfmt-conf.sh $RPM_BUILD_ROOT/%_sbindir install -d -m 755 $RPM_BUILD_ROOT/%_libexecdir install -m 755 dynamic/qemu-bridge-helper $RPM_BUILD_ROOT/%_libexecdir +install -D -m 644 %{SOURCE302} $RPM_BUILD_ROOT/%{_sysconfdir}/qemu/bridge.conf +install -D -m 644 %{SOURCE303} %{buildroot}%{_sysconfdir}/permissions.d/qemu +install -D -m 644 %{SOURCE304} %{buildroot}%{_sysconfdir}/permissions.d/qemu.paranoid %ifnarch %ix86 x86_64 ln -sf ../../../emul/ia32-linux $RPM_BUILD_ROOT/usr/share/qemu/qemu-i386 %endif @@ -153,12 +180,25 @@ mkdir -p $RPM_BUILD_ROOT/emul/ia32-linux %clean rm -rf ${RPM_BUILD_ROOT} +%pre +%{_bindir}/getent group kvm >/dev/null || %{_sbindir}/groupadd -r kvm 2>/dev/null +%{_bindir}/getent group qemu >/dev/null || %{_sbindir}/groupadd -r qemu 2>/dev/null +%{_bindir}/getent passwd qemu >/dev/null || \ + %{_sbindir}/useradd -r -g qemu -G kvm -d / -s /sbin/nologin \ + -c "qemu user" qemu + +%if 0%{?suse_version} >= 1130 +%post tools +%set_permissions %_libexecdir/qemu-bridge-helper + +%verifyscript tools +%verify_permissions %_libexecdir/qemu-bridge-helper +%endif + %files %defattr(-, root, root) %doc COPYING COPYING.LIB Changelog README TODO VERSION qemu-doc.html qemu-tech.html -%_bindir/qemu-io %_bindir/qemu-system-* -%_libexecdir/qemu-bridge-helper %doc %_mandir/man[18]/qemu*.[18].gz %_datadir/%name %ifnarch %ix86 x86_64 ia64 @@ -167,6 +207,14 @@ rm -rf ${RPM_BUILD_ROOT} %dir %_sysconfdir/%name %config %_sysconfdir/%name/target-x86_64.conf +%files tools +%defattr(-, root, root) +%_bindir/qemu-io +%verify(not mode) %attr(4755, root, root) %_libexecdir/qemu-bridge-helper +%config %_sysconfdir/%name/bridge.conf +%config %attr(644,root,root) %_sysconfdir/permissions.d/qemu +%config %attr(644,root,root) %_sysconfdir/permissions.d/qemu.paranoid + %files linux-user %defattr(-, root, root) %_bindir/qemu-alpha