Hello community, here is the log from the commit of package virt-sandbox for openSUSE:Factory checked in at 2014-12-10 23:45:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/virt-sandbox (Old) and /work/SRC/openSUSE:Factory/.virt-sandbox.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "virt-sandbox"
Changes:
--------
--- /work/SRC/openSUSE:Factory/virt-sandbox/virt-sandbox.changes 2014-10-05 20:31:34.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.virt-sandbox.new/virt-sandbox.changes 2014-12-10 23:45:00.000000000 +0100
@@ -1,0 +2,10 @@
+Tue Nov 18 16:06:58 UTC 2014 - [email protected]
+
+- Add AppArmor support. bsc#909249.
+ 6ec0460c-apparmor-support.patch
+- virt-sandbox-service: /var needs to be the last to be mounted
+ bsc#909249. 2053d552-service-mount-var-last.patch
+- Renamed systemd-path-fix.patch into 92412e9c-systemd-path-fix.patch
+ as patch went upstream
+
+-------------------------------------------------------------------
@@ -4 +14 @@
-- Run autoreconf before configure whn building to avoid problems
+- Run autoreconf before configure when building to avoid problems
Old:
----
systemd-path-fix.patch
New:
----
2053d552-service-mount-var-last.patch
6ec0460c-apparmor-support.patch
92412e9c-systemd-path-fix.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ virt-sandbox.spec ++++++
--- /var/tmp/diff_new_pack.KGaWnS/_old 2014-12-10 23:45:01.000000000 +0100
+++ /var/tmp/diff_new_pack.KGaWnS/_new 2014-12-10 23:45:01.000000000 +0100
@@ -34,12 +34,16 @@
 Patch1: 945e8e71-selinux-only-if-supported.patch
 Patch2: baf47f5b-service-check-secmodel.patch
 Patch3: a54e094b-service-suse-paths.patch
+Patch4: 6ec0460c-apparmor-support.patch
+Patch5: 2053d552-service-mount-var-last.patch
+Patch6: 92412e9c-systemd-path-fix.patch
 # Patches pending upstream review
-Patch100: systemd-path-fix.patch
+
+# Need to go upstream
 # Our patches
-Patch150: no-libexec.patch
+Patch200: no-libexec.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: glib2-devel >= 2.32.0
@@ -98,8 +102,10 @@
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
-%patch100 -p1
-%patch150 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch200 -p1
 %build
 # We may have a more recent version of automake when building
++++++ 2053d552-service-mount-var-last.patch ++++++
>From 7c8193242cd6d283163fa594e085f362bf201794 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <[email protected]>
Date: Mon, 24 Nov 2014 17:49:37 +0100
Subject: [PATCH] virt-sandbox-service: mount /var after all other file systems

When creating a sandbox with an image file, the /var folder contains the mounted image. If we mount it before other file systems, how could we possibly mount them? The new /var won't contain the mounted image.

---
 bin/virt-sandbox-service | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service
index 7f72107..701bd6e 100755
--- a/bin/virt-sandbox-service
+++ b/bin/virt-sandbox-service
@@ -658,7 +658,7 @@ WantedBy=multi-user.target
 self.config.add_mount(mount)
 
 for d in self.BIND_SYSTEM_DIRS:
- if os.path.exists(d):
+ if d != "/var" and os.path.exists(d):
 source = "%s%s" % ( self.dest, d)
 self.add_bind_mount(source, d)
 
@@ -677,6 +677,10 @@ WantedBy=multi-user.target
 if not found:
 source = "%s%s" % ( self.dest, d)
 self.add_bind_mount(source, d)
+
+ # /var contains the mounted image if there is an image: should be the
+ # last thing to mount
+ self.add_bind_mount("%s/var" % self.dest, "/var")
 self.add_mounts()
 
 def get_expanded_unit_template(self, unit):
-- 
2.1.2
++++++ 6ec0460c-apparmor-support.patch ++++++
>From 6ec0460cf87e129c1b5b2bfbf1348a060624f374 Mon Sep 17 00:00:00 2001
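Review bot: The new `self.add_bind_mount("%s/var" % self.dest, "/var")` in the second hunk is unconditional, while every other BIND_SYSTEM_DIRS entry in the first hunk is still guarded by `os.path.exists(d)`, and it hard-codes the assumption that `/var` is listed in BIND_SYSTEM_DIRS (defined outside the hunk); if it is not, the sandbox now gets a /var bind mount it never had before. Keeping the two paths symmetric costs one line, `if os.path.exists("/var"):` in front of the call, and having the first hunk remember the skipped entry instead of repeating the literal would remove the duplication. The comment `# /var contains the mounted image ...` explains the ordering well; I would extend it with `# keep in sync with the d != "/var" skip in the loop above` so the two halves are not separated by a later edit. The enclosing method starts before the first hunk.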
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <[email protected]>
Date: Tue, 18 Nov 2014 13:09:15 +0100
Subject: [PATCH] AppArmor support

Implement construction of apparmor security labels. The choice between selinux and apparmor model isn't exposed to the user, but guessed depending on what the host supports.

---
 bin/virt-sandbox-service | 15 ++++++++-------
 libvirt-sandbox/libvirt-sandbox-builder.c | 32 +++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 7 deletions(-)
diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service
index 5a3f6ab..7f72107 100755
--- a/bin/virt-sandbox-service
+++ b/bin/virt-sandbox-service
@@ -315,24 +315,25 @@ class Container:
 context.undefine()
 
 def get_security_model(self):
- # XXX selinux is the default for the while, needs to be configurable someday
- model = "selinux"
- supported = False
+ model = None
 
 # Make sure we have a connection
 self.connect()
 
 # Loop over the security models from the host capabilities
+ # The first in "selinux" and "apparmor" will be the returned model
+ # Those two models can't coexist on a machine
 configCaps = self.conn.get_capabilities()
 hostCaps = configCaps.get_host()
 secmodels = hostCaps.get_secmodels()
 for secmodel in secmodels:
- if secmodel.get_model() == model:
- supported = True
+ if secmodel.get_model() == "selinux":
+ model = "selinux"
+ break
+ elif secmodel.get_model() == "apparmor":
+ model = "apparmor"
 break
 
- if not supported:
- model = None
 return model
 
 
diff --git a/libvirt-sandbox/libvirt-sandbox-builder.c b/libvirt-sandbox/libvirt-sandbox-builder.c
index 48fc9bc..bcad652 100644
--- a/libvirt-sandbox/libvirt-sandbox-builder.c
+++ b/libvirt-sandbox/libvirt-sandbox-builder.c
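Review bot: The `if`/`elif` in the `for secmodel in secmodels:` loop repeats the same assign-and-break for each literal, so any further model or a rename has to be edited in two places; `if secmodel.get_model() in ("selinux", "apparmor"):` / `model = secmodel.get_model()` / `break` keeps the first-match semantics in three lines. The new comment is hard to parse; I would write it as `# Return the first of "selinux" and "apparmor" reported by the host; the two never coexist on one machine`. The method also deserves a docstring, `"""Return "selinux" or "apparmor" when the host reports it, else None."""`, since callers branch on that None. The method is complete within the hunk; `class Container:` starts before it.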
@@ -358,6 +358,31 @@ static gboolean gvir_sandbox_builder_construct_security_selinux (GVirSandboxBuil
 return TRUE;
 }
 
+static gboolean gvir_sandbox_builder_construct_security_apparmor(GVirSandboxBuilder *builder,
+ GVirSandboxConfig *config,
+ GVirConfigDomain *domain,
+ GError **error)
+{
+ GVirConfigDomainSeclabel *sec = gvir_config_domain_seclabel_new();
+ const char *label = gvir_sandbox_config_get_security_label(config);
+
+ gvir_config_domain_seclabel_set_model(sec, "apparmor");
+ if (gvir_sandbox_config_get_security_dynamic(config)) {
+ gvir_config_domain_seclabel_set_type(sec,
+ GVIR_CONFIG_DOMAIN_SECLABEL_DYNAMIC);
+ } else {
+ gvir_config_domain_seclabel_set_type(sec,
+ GVIR_CONFIG_DOMAIN_SECLABEL_STATIC);
+ if (label)
+ gvir_config_domain_seclabel_set_label(sec, label);
+ }
+
+ gvir_config_domain_set_seclabel(domain, sec);
+ g_object_unref(sec);
+
+ return TRUE;
+}
+
 static gboolean gvir_sandbox_builder_construct_security(GVirSandboxBuilder *builder,
 GVirSandboxConfig *config,
 const gchar *statedir G_GNUC_UNUSED,
@@ -369,6 +394,7 @@ static gboolean gvir_sandbox_builder_construct_security(GVirSandboxBuilder *buil
 GVirConfigCapabilitiesHost *hostCapabilities;
 GList *secmodels, *iter;
 gboolean supportsSelinux = FALSE;
+ gboolean supportsAppArmor = FALSE;
 
 /* What security models are available on the host? */
 if (!(configCapabilities = gvir_connection_get_capabilities(connection, error))) {
@@ -383,6 +409,9 @@ static gboolean gvir_sandbox_builder_construct_security(GVirSandboxBuilder *buil
 if (g_str_equal(gvir_config_capabilities_host_secmodel_get_model(
 GVIR_CONFIG_CAPABILITIES_HOST_SECMODEL(iter->data)), "selinux"))
 supportsSelinux = TRUE;
+ if (g_str_equal(gvir_config_capabilities_host_secmodel_get_model(
+ GVIR_CONFIG_CAPABILITIES_HOST_SECMODEL(iter->data)), "apparmor"))
+ supportsAppArmor = TRUE;
 g_object_unref(iter->data);
 }
 
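Review bot: In the static branch of gvir_sandbox_builder_construct_security_apparmor a NULL `label` still produces a STATIC seclabel with no label string, and the function returns TRUE without ever touching its `error` parameter, so the caller has no way to learn that the domain configuration is incomplete. A guard such as `if (!label) { g_set_error(error, <GError domain>, <code>, "static apparmor security label requires a label"); g_object_unref(sec); return FALSE; }` placed before the set_type call would surface the problem while the domain is being built; the domain and code should match whatever the selinux sibling uses, but its body ends just above the hunk so I cannot see them. Whether libvirt later rejects a static seclabel without a label is an inference, not something this hunk shows. The caller gvir_sandbox_builder_construct_security starts in this hunk and continues past it.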
@@ -394,6 +423,9 @@ static gboolean gvir_sandbox_builder_construct_security(GVirSandboxBuilder *buil
 if (supportsSelinux)
 return gvir_sandbox_builder_construct_security_selinux(builder, config, domain, error);
+ else if (supportsAppArmor)
+ return gvir_sandbox_builder_construct_security_apparmor(builder, config,
+ domain, error);
 return TRUE;
 }
-- 
2.1.2
++++++ 92412e9c-systemd-path-fix.patch ++++++
Index: libvirt-sandbox-0.5.1/libvirt-sandbox/libvirt-sandbox-config-service-systemd.c
===================================================================
--- libvirt-sandbox-0.5.1.orig/libvirt-sandbox/libvirt-sandbox-config-service-systemd.c
+++ libvirt-sandbox-0.5.1/libvirt-sandbox/libvirt-sandbox-config-service-systemd.c
@@ -219,7 +219,7 @@ static gchar **gvir_sandbox_config_servi
 GVirSandboxConfigServiceSystemdPrivate *priv = sconfig->priv;
 gchar **command = g_new(gchar *, 7);
- command[0] = g_strdup("/lib/systemd/systemd");
+ command[0] = g_strdup("/usr/lib/systemd/systemd");
 command[1] = g_strdup("--unit");
 command[2] = g_strdup(priv->bootTarget);
 command[3] = g_strdup("--log-target");
++++++ no-libexec.patch ++++++
--- /var/tmp/diff_new_pack.KGaWnS/_old 2014-12-10 23:45:02.000000000 +0100
+++ /var/tmp/diff_new_pack.KGaWnS/_new 2014-12-10 23:45:02.000000000 +0100
@@ -2,7 +2,7 @@
 ===================================================================
 --- libvirt-sandbox-0.5.1.orig/bin/virt-sandbox-service
 +++ /dev/null
-@@ -1,1279 +0,0 @@
+@@ -1,1284 +0,0 @@
 -#!/usr/bin/python -Es
 -#
 -# Authors: Dan Walsh <[email protected]>
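Review bot: The new `command[0] = g_strdup("/usr/lib/systemd/systemd");` in 92412e9c-systemd-path-fix.patch swaps one hard-coded path for another, so a host that still ships systemd at the `/lib/systemd/systemd` location the line removes will now hand the sandbox a non-existent init. Checking the candidates at runtime with `g_file_test(path, G_FILE_TEST_IS_EXECUTABLE)` and falling back to the other location, or substituting the path at configure time, would cover both layouts without a per-distribution patch. The enclosing function starts before the hunk, so I cannot see whether a missing binary is reported anywhere.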
@@ -313,24 +313,25 @@ - context.undefine() - - def get_security_model(self): -- # XXX selinux is the default for the while, needs to be configurable someday -- model = "selinux" -- supported = False +- model = None - - # Make sure we have a connection - self.connect() - - # Loop over the security models from the host capabilities +- # The first in "selinux" and "apparmor" will be the returned model +- # Those two models can't coexist on a machine - configCaps = self.conn.get_capabilities() - hostCaps = configCaps.get_host() - secmodels = hostCaps.get_secmodels() - for secmodel in secmodels: -- if secmodel.get_model() == model: -- supported = True +- if secmodel.get_model() == "selinux": +- model = "selinux" +- break +- elif secmodel.get_model() == "apparmor": +- model = "apparmor" - break - -- if not supported: -- model = None - return model - - @@ -655,7 +656,7 @@ - self.config.add_mount(mount) - - for d in self.BIND_SYSTEM_DIRS: -- if os.path.exists(d): +- if d != "/var" and os.path.exists(d): - source = "%s%s" % ( self.dest, d) - self.add_bind_mount(source, d) - @@ -674,6 +675,10 @@ - if not found: - source = "%s%s" % ( self.dest, d) - self.add_bind_mount(source, d) +- +- # /var contains the mounted image if there is an image: should be the +- # last thing to mount +- self.add_bind_mount("%s/var" % self.dest, "/var") - self.add_mounts() - - def get_expanded_unit_template(self, unit): @@ -1302,7 +1307,7 @@ =================================================================== --- /dev/null +++ libvirt-sandbox-0.5.1/bin/virt-sandbox-service.in -@@ -0,0 +1,1279 @@ +@@ -0,0 +1,1284 @@ +#!/usr/bin/python -Es +# +# Authors: Dan Walsh <[email protected]> 
@@ -1613,24 +1618,25 @@ + context.undefine() + + def get_security_model(self): -+ # XXX selinux is the default for the while, needs to be configurable someday -+ model = "selinux" -+ supported = False ++ model = None + + # Make sure we have a connection + self.connect() + + # Loop over the security models from the host capabilities ++ # The first in "selinux" and "apparmor" will be the returned model ++ # Those two models can't coexist on a machine + configCaps = self.conn.get_capabilities() + hostCaps = configCaps.get_host() + secmodels = hostCaps.get_secmodels() + for secmodel in secmodels: -+ if secmodel.get_model() == model: -+ supported = True ++ if secmodel.get_model() == "selinux": ++ model = "selinux" ++ break ++ elif secmodel.get_model() == "apparmor": ++ model = "apparmor" + break + -+ if not supported: -+ model = None + return model + + @@ -1955,7 +1961,7 @@ + self.config.add_mount(mount) + + for d in self.BIND_SYSTEM_DIRS: -+ if os.path.exists(d): ++ if d != "/var" and os.path.exists(d): + source = "%s%s" % ( self.dest, d) + self.add_bind_mount(source, d) + @@ -1974,6 +1980,10 @@ + if not found: + source = "%s%s" % ( self.dest, d) + self.add_bind_mount(source, d) ++ ++ # /var contains the mounted image if there is an image: should be the ++ # last thing to mount ++ self.add_bind_mount("%s/var" % self.dest, "/var") + self.add_mounts() + + def get_expanded_unit_template(self, unit): -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
