Hello community,

here is the log from the commit of package libvirt for openSUSE:Factory checked 
in at 2014-11-18 22:47:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libvirt (Old)
 and      /work/SRC/openSUSE:Factory/.libvirt.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libvirt"

Changes:
--------
--- /work/SRC/openSUSE:Factory/libvirt/libvirt.changes  2014-11-13 
09:17:49.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.libvirt.new/libvirt.changes     2014-11-18 
22:49:09.000000000 +0100
@@ -8,0 +9,8 @@
+Thu Nov  6 16:00:24 UTC 2014 - [email protected]
+
+- Fix Qemu AppArmor abstraction.
+  - qemu-block.so was denied on x86_64. install-apparmor-profiles.patch
+  - Temporary fix access to screenshot temporary file. bsc#904426.
+    qemu-apparmor-screenshot.patch
+
+-------------------------------------------------------------------

New:
----
  qemu-apparmor-screenshot.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libvirt.spec ++++++
--- /var/tmp/diff_new_pack.JjJHVn/_old  2014-11-18 22:49:11.000000000 +0100
+++ /var/tmp/diff_new_pack.JjJHVn/_new  2014-11-18 22:49:11.000000000 +0100
@@ -457,6 +457,7 @@
 %if %{with_apparmor}
 Patch250:       install-apparmor-profiles.patch
 Patch251:       apparmor-no-mount.patch
+Patch252:       qemu-apparmor-screenshot.patch
 %endif
 %if %{with_netcontrol}
 Patch300:       libvirt-suse-netcontrol.patch
@@ -985,6 +986,7 @@
 %if %{with_apparmor}
 %patch250 -p1
 %patch251 -p1
+%patch252 -p1
 %endif
 %if %{with_netcontrol}
 %patch300 -p1

++++++ install-apparmor-profiles.patch ++++++
--- /var/tmp/diff_new_pack.JjJHVn/_old  2014-11-18 22:49:11.000000000 +0100
+++ /var/tmp/diff_new_pack.JjJHVn/_new  2014-11-18 22:49:11.000000000 +0100
@@ -2,9 +2,12 @@
 ===================================================================
 --- libvirt-1.2.10.orig/examples/apparmor/Makefile.am
 +++ libvirt-1.2.10/examples/apparmor/Makefile.am
-@@ -19,10 +19,22 @@ EXTRA_DIST=                                \
+@@ -17,12 +17,30 @@
+ EXTRA_DIST=                           \
+       TEMPLATE.qemu                   \
        TEMPLATE.lxc                    \
-       libvirt-qemu                    \
+-      libvirt-qemu                    \
++      libvirt-qemu.in                 \
        libvirt-lxc                     \
 -      usr.lib.libvirt.virt-aa-helper  \
 -      usr.sbin.libvirtd
@@ -24,6 +27,12 @@
 +          < $< > $@-t
 +      mv $@-t $@
 +
++libvirt-qemu: libvirt-qemu.in
++      sed                                     \
++          -e 's![@]libdir[@]!$(libdir)!g'     \
++          < $< > $@-t
++      mv $@-t $@
++
  apparmordir = $(sysconfdir)/apparmor.d/
  apparmor_DATA = \
        usr.lib.libvirt.virt-aa-helper \
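Review bot: The new `libvirt-qemu: libvirt-qemu.in` sed rule produces a generated file that nothing in this hunk registers for cleanup, so unless a CLEANFILES entry exists outside the visible lines, `make distclean` will leave a generated `libvirt-qemu` next to the kept `.in` source and it can be picked up by a later tarball or commit by mistake. The rule's tail at the top of the hunk (`< $< > $@-t` / `mv $@-t $@`) shows the same pattern is already used for another profile; whatever cleanup that one has should be mirrored here, e.g. adding `libvirt-qemu` to the Makefile's CLEANFILES list. The `$(libdir)` substitution itself is the right fix for the lib vs. lib64 mismatch, since it is resolved at build time on the target architecture. The Makefile's variable definitions that would confirm this begin outside the hunk.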
@@ -274,3 +283,301 @@
 -  change_profile -> 
@{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
 -
 -}
+Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu
+===================================================================
+--- libvirt-1.2.10.orig/examples/apparmor/libvirt-qemu
++++ /dev/null
+@@ -1,144 +0,0 @@
+-# Last Modified: Wed Sep 3 21:52:03 2014
+-
+-  #include <abstractions/base>
+-  #include <abstractions/consoles>
+-  #include <abstractions/nameservice>
+-
+-  # required for reading disk images
+-  capability dac_override,
+-  capability dac_read_search,
+-  capability chown,
+-
+-  # needed to drop privileges
+-  capability setgid,
+-  capability setuid,
+-
+-  network inet stream,
+-  network inet6 stream,
+-
+-  /dev/net/tun rw,
+-  /dev/kvm rw,
+-  /dev/ptmx rw,
+-  /dev/kqemu rw,
+-  @{PROC}/*/status r,
+-  @{PROC}/sys/kernel/cap_last_cap r,
+-
+-  # For hostdev access. The actual devices will be added dynamically
+-  /sys/bus/usb/devices/ r,
+-  /sys/devices/**/usb[0-9]*/** r,
+-
+-  # WARNING: this gives the guest direct access to host hardware and specific
+-  # portions of shared memory. This is required for sound using ALSA with kvm,
+-  # but may constitute a security risk. If your environment does not require
+-  # the use of sound in your VMs, feel free to comment out or prepend 'deny' 
to
+-  # the rules for files in /dev.
+-  /{dev,run}/shm r,
+-  /{dev,run}/shmpulse-shm* r,
+-  /{dev,run}/shmpulse-shm* rwk,
+-  /dev/snd/* rw,
+-  capability ipc_lock,
+-  # spice
+-  owner /{dev,run}/shm/spice.* rw,
+-  # 'kill' is not required for sound and is a security risk. Do not enable
+-  # unless you absolutely need it.
+-  deny capability kill,
+-
+-  # Uncomment the following if you need access to /dev/fb*
+-  #/dev/fb* rw,
+-
+-  /etc/pulse/client.conf r,
+-  @{HOME}/.pulse-cookie rwk,
+-  owner /root/.pulse-cookie rwk,
+-  owner /root/.pulse/ rw,
+-  owner /root/.pulse/* rw,
+-  /usr/share/alsa/** r,
+-  owner /tmp/pulse-*/ rw,
+-  owner /tmp/pulse-*/* rw,
+-  /var/lib/dbus/machine-id r,
+-
+-  # access to firmware's etc
+-  /usr/share/kvm/** r,
+-  /usr/share/qemu/** r,
+-  /usr/share/bochs/** r,
+-  /usr/share/openbios/** r,
+-  /usr/share/openhackware/** r,
+-  /usr/share/proll/** r,
+-  /usr/share/vgabios/** r,
+-  /usr/share/seabios/** r,
+-  /usr/share/ovmf/** r,
+-
+-  # access PKI infrastructure
+-  /etc/pki/libvirt-vnc/** r,
+-
+-  # the various binaries
+-  /usr/bin/kvm rmix,
+-  /usr/bin/qemu rmix,
+-  /usr/bin/qemu-system-arm rmix,
+-  /usr/bin/qemu-system-cris rmix,
+-  /usr/bin/qemu-system-i386 rmix,
+-  /usr/bin/qemu-system-m68k rmix,
+-  /usr/bin/qemu-system-microblaze rmix,
+-  /usr/bin/qemu-system-microblazeel rmix,
+-  /usr/bin/qemu-system-mips rmix,
+-  /usr/bin/qemu-system-mips64 rmix,
+-  /usr/bin/qemu-system-mips64el rmix,
+-  /usr/bin/qemu-system-mipsel rmix,
+-  /usr/bin/qemu-system-ppc rmix,
+-  /usr/bin/qemu-system-ppc64 rmix,
+-  /usr/bin/qemu-system-ppcemb rmix,
+-  /usr/bin/qemu-system-sh4 rmix,
+-  /usr/bin/qemu-system-sh4eb rmix,
+-  /usr/bin/qemu-system-sparc rmix,
+-  /usr/bin/qemu-system-sparc64 rmix,
+-  /usr/bin/qemu-system-x86_64 rmix,
+-  /usr/bin/qemu-alpha rmix,
+-  /usr/bin/qemu-arm rmix,
+-  /usr/bin/qemu-armeb rmix,
+-  /usr/bin/qemu-cris rmix,
+-  /usr/bin/qemu-i386 rmix,
+-  /usr/bin/qemu-m68k rmix,
+-  /usr/bin/qemu-microblaze rmix,
+-  /usr/bin/qemu-microblazeel rmix,
+-  /usr/bin/qemu-mips rmix,
+-  /usr/bin/qemu-mipsel rmix,
+-  /usr/bin/qemu-ppc rmix,
+-  /usr/bin/qemu-ppc64 rmix,
+-  /usr/bin/qemu-ppc64abi32 rmix,
+-  /usr/bin/qemu-sh4 rmix,
+-  /usr/bin/qemu-sh4eb rmix,
+-  /usr/bin/qemu-sparc rmix,
+-  /usr/bin/qemu-sparc64 rmix,
+-  /usr/bin/qemu-sparc32plus rmix,
+-  /usr/bin/qemu-sparc64 rmix,
+-  /usr/bin/qemu-x86_64 rmix,
+-  /usr/lib/qemu/block-curl.so mr,
+-
+-  # for save and resume
+-  /bin/dash rmix,
+-  /bin/dd rmix,
+-  /bin/cat rmix,
+-
+-  # for usb access
+-  /dev/bus/usb/ r,
+-  /etc/udev/udev.conf r,
+-  /sys/bus/ r,
+-  /sys/class/ r,
+-
+-  /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+-  # child profile for bridge helper process
+-  profile qemu_bridge_helper {
+-   #include <abstractions/base>
+-
+-   capability setuid,
+-   capability setgid,
+-   capability setpcap,
+-   capability net_admin,
+-
+-   network inet stream,
+-
+-   /dev/net/tun rw,
+-   /etc/qemu/** r,
+-   owner @{PROC}/*/status r,
+-
+-   /usr/{lib,libexec}/qemu-bridge-helper rmix,
+-  }
+Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
+===================================================================
+--- /dev/null
++++ libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
+@@ -0,0 +1,144 @@
++# Last Modified: Wed Sep 3 21:52:03 2014
++
++  #include <abstractions/base>
++  #include <abstractions/consoles>
++  #include <abstractions/nameservice>
++
++  # required for reading disk images
++  capability dac_override,
++  capability dac_read_search,
++  capability chown,
++
++  # needed to drop privileges
++  capability setgid,
++  capability setuid,
++
++  network inet stream,
++  network inet6 stream,
++
++  /dev/net/tun rw,
++  /dev/kvm rw,
++  /dev/ptmx rw,
++  /dev/kqemu rw,
++  @{PROC}/*/status r,
++  @{PROC}/sys/kernel/cap_last_cap r,
++
++  # For hostdev access. The actual devices will be added dynamically
++  /sys/bus/usb/devices/ r,
++  /sys/devices/**/usb[0-9]*/** r,
++
++  # WARNING: this gives the guest direct access to host hardware and specific
++  # portions of shared memory. This is required for sound using ALSA with kvm,
++  # but may constitute a security risk. If your environment does not require
++  # the use of sound in your VMs, feel free to comment out or prepend 'deny' 
to
++  # the rules for files in /dev.
++  /{dev,run}/shm r,
++  /{dev,run}/shmpulse-shm* r,
++  /{dev,run}/shmpulse-shm* rwk,
++  /dev/snd/* rw,
++  capability ipc_lock,
++  # spice
++  owner /{dev,run}/shm/spice.* rw,
++  # 'kill' is not required for sound and is a security risk. Do not enable
++  # unless you absolutely need it.
++  deny capability kill,
++
++  # Uncomment the following if you need access to /dev/fb*
++  #/dev/fb* rw,
++
++  /etc/pulse/client.conf r,
++  @{HOME}/.pulse-cookie rwk,
++  owner /root/.pulse-cookie rwk,
++  owner /root/.pulse/ rw,
++  owner /root/.pulse/* rw,
++  /usr/share/alsa/** r,
++  owner /tmp/pulse-*/ rw,
++  owner /tmp/pulse-*/* rw,
++  /var/lib/dbus/machine-id r,
++
++  # access to firmware's etc
++  /usr/share/kvm/** r,
++  /usr/share/qemu/** r,
++  /usr/share/bochs/** r,
++  /usr/share/openbios/** r,
++  /usr/share/openhackware/** r,
++  /usr/share/proll/** r,
++  /usr/share/vgabios/** r,
++  /usr/share/seabios/** r,
++  /usr/share/ovmf/** r,
++
++  # access PKI infrastructure
++  /etc/pki/libvirt-vnc/** r,
++
++  # the various binaries
++  /usr/bin/kvm rmix,
++  /usr/bin/qemu rmix,
++  /usr/bin/qemu-system-arm rmix,
++  /usr/bin/qemu-system-cris rmix,
++  /usr/bin/qemu-system-i386 rmix,
++  /usr/bin/qemu-system-m68k rmix,
++  /usr/bin/qemu-system-microblaze rmix,
++  /usr/bin/qemu-system-microblazeel rmix,
++  /usr/bin/qemu-system-mips rmix,
++  /usr/bin/qemu-system-mips64 rmix,
++  /usr/bin/qemu-system-mips64el rmix,
++  /usr/bin/qemu-system-mipsel rmix,
++  /usr/bin/qemu-system-ppc rmix,
++  /usr/bin/qemu-system-ppc64 rmix,
++  /usr/bin/qemu-system-ppcemb rmix,
++  /usr/bin/qemu-system-sh4 rmix,
++  /usr/bin/qemu-system-sh4eb rmix,
++  /usr/bin/qemu-system-sparc rmix,
++  /usr/bin/qemu-system-sparc64 rmix,
++  /usr/bin/qemu-system-x86_64 rmix,
++  /usr/bin/qemu-alpha rmix,
++  /usr/bin/qemu-arm rmix,
++  /usr/bin/qemu-armeb rmix,
++  /usr/bin/qemu-cris rmix,
++  /usr/bin/qemu-i386 rmix,
++  /usr/bin/qemu-m68k rmix,
++  /usr/bin/qemu-microblaze rmix,
++  /usr/bin/qemu-microblazeel rmix,
++  /usr/bin/qemu-mips rmix,
++  /usr/bin/qemu-mipsel rmix,
++  /usr/bin/qemu-ppc rmix,
++  /usr/bin/qemu-ppc64 rmix,
++  /usr/bin/qemu-ppc64abi32 rmix,
++  /usr/bin/qemu-sh4 rmix,
++  /usr/bin/qemu-sh4eb rmix,
++  /usr/bin/qemu-sparc rmix,
++  /usr/bin/qemu-sparc64 rmix,
++  /usr/bin/qemu-sparc32plus rmix,
++  /usr/bin/qemu-sparc64 rmix,
++  /usr/bin/qemu-x86_64 rmix,
++  @libdir@/qemu/block-curl.so mr,
++
++  # for save and resume
++  /bin/dash rmix,
++  /bin/dd rmix,
++  /bin/cat rmix,
++
++  # for usb access
++  /dev/bus/usb/ r,
++  /etc/udev/udev.conf r,
++  /sys/bus/ r,
++  /sys/class/ r,
++
++  /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
++  # child profile for bridge helper process
++  profile qemu_bridge_helper {
++   #include <abstractions/base>
++
++   capability setuid,
++   capability setgid,
++   capability setpcap,
++   capability net_admin,
++
++   network inet stream,
++
++   /dev/net/tun rw,
++   /etc/qemu/** r,
++   owner @{PROC}/*/status r,
++
++   /usr/{lib,libexec}/qemu-bridge-helper rmix,
++  }
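Review bot: `@libdir@/qemu/block-curl.so mr,` is the only plugin rule the rewritten abstraction carries, while the changelog describes the x86_64 denial as "qemu-block.so"; the substitution fixes the `/usr/lib` vs. `/usr/lib64` path, but any other block driver module that the qemu packaging may install into the same directory (not visible here) would still be denied and would need its own explicit `mr` line, which is preferable to a glob from a least-privilege standpoint. The file otherwise moves unchanged, so two carried-over details are worth a follow-up: `/usr/bin/qemu-sparc64 rmix,` appears twice (the second copy can be dropped), and the `# Last Modified: Wed Sep 3 21:52:03 2014` header now describes the generated file rather than the `.in` source. A one-line comment above the plugin rule, `# block driver modules live in $libdir/qemu; list each one explicitly`, would make the intent clear to the next person adding a driver.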


++++++ qemu-apparmor-screenshot.patch ++++++
Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
===================================================================
--- libvirt-1.2.10.orig/examples/apparmor/libvirt-qemu.in
+++ libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
@@ -124,6 +124,9 @@
   /sys/bus/ r,
   /sys/class/ r,
 
+  # Temporary screendump rule -- See bsc#904426
+  /var/cache/libvirt/qemu/qemu.screendump.* rw,
+
   /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
   # child profile for bridge helper process
   profile qemu_bridge_helper {
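Review bot: The new `/var/cache/libvirt/qemu/qemu.screendump.* rw,` rule goes into the libvirt-qemu abstraction that every confined qemu process shares and has no `owner` qualifier, so each guest's qemu is granted read/write on every other guest's screendump file, not only its own. If qemu processes run under distinct UIDs on this distribution (not visible here), writing it as `owner /var/cache/libvirt/qemu/qemu.screendump.* rw,` narrows the grant at no functional cost; if they share one UID, the per-domain path belongs in the dynamically generated per-VM profile rather than in the abstraction. The comment marks the rule as temporary but gives no removal condition; `# Temporary screendump rule -- drop once the per-domain profile covers this path. See bsc#904426` would make that explicit. The enclosing profile begins before this hunk.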