Hello community,

here is the log from the commit of package libvirt for openSUSE:Factory checked in at 2015-11-22 11:00:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libvirt (Old)
 and      /work/SRC/openSUSE:Factory/.libvirt.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libvirt" Changes: -------- --- /work/SRC/openSUSE:Factory/libvirt/libvirt.changes 2015-11-11 10:35:37.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.libvirt.new/libvirt.changes 2015-11-22 11:00:31.000000000 +0100 @@ -1,0 +2,6 @@ +Tue Nov 17 14:40:41 UTC 2015 - [email protected] + +- Don't add apparmor deny rw rule for 9P readonly mounts. + bsc#952849. virt-aa-helper-rw-mounts.patch + +------------------------------------------------------------------- New: ---- virt-aa-helper-rw-mounts.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libvirt.spec ++++++ --- /var/tmp/diff_new_pack.9NjjOX/_old 2015-11-22 11:00:34.000000000 +0100 +++ /var/tmp/diff_new_pack.9NjjOX/_new 2015-11-22 11:00:34.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package libvirt # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -456,6 +456,7 @@ Patch0: 703ec1b7-qemu-bridge-helper-fix.patch # Patches pending upstream review Patch100: add-with-login-shell.patch +Patch101: virt-aa-helper-rw-mounts.patch # Need to go upstream Patch150: xen-pv-cdrom.patch Patch151: blockcopy-check-dst-identical-device.patch @@ -971,6 +972,7 @@ %setup -q %patch0 -p1 %patch100 -p1 +%patch101 -p1 %patch150 -p1 %patch151 -p1 %patch152 -p1 ++++++ virt-aa-helper-rw-mounts.patch ++++++ >From 9abe699b0b91fd2c8a2870b36342a37fa97f7e36 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <[email protected]> Date: Tue, 17 Nov 2015 10:11:30 +0100 Subject: [PATCH] virt-aa-helper: don't deny writes to readonly mounts There is no need to deny writes on a readonly mount: write still won't be accepted, even if the user remounts the folder as RW in the guest as qemu sets the 9p mount as ro. This deny rule was leading to problems for example with readonly /: The qemu process had to write to a bunch of files in / like logs, sockets, etc. This deny rule was also preventing auditing of these denials, making it harder to debug. --- src/security/virt-aa-helper.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 5de56e5..a2d7226 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1127,7 +1127,10 @@ get_files(vahControl * ctl) ctl->def->fss[i]->src) { virDomainFSDefPtr fs = ctl->def->fss[i]; - if (vah_add_path(&buf, fs->src, fs->readonly ? "r" : "rw", true) != 0) + /* We don't need to add deny rw rules for readonly mounts, + * this can only lead to troubles when mounting / readonly. + */ + if (vah_add_path(&buf, fs->src, "rw", true) != 0) goto cleanup; } } -- 2.1.4
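Review bot: The libvirt.changes entry "Don't add apparmor deny rw rule for 9P readonly mounts" understates what virt-aa-helper-rw-mounts.patch does: the patch replaces `fs->readonly ? "r" : "rw"` with a fixed `"rw"`, so the generated AppArmor profile now grants write access on the host path of a readonly 9p share as well, not merely omits a deny rule. The entry should say that plainly (for example "virt-aa-helper: grant rw in the AppArmor profile for readonly 9P mounts too; qemu enforces ro on the guest side"), since that widened grant is what an administrator auditing profile permissions needs to see next to bsc#952849.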
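Review bot: The first libvirt.spec hunk changes the copyright holder from "SUSE LINUX GmbH" to "SUSE LINUX Products GmbH", which is unrelated to the virt-aa-helper patch this request adds and is not mentioned in the libvirt.changes entry. Please confirm the rename is intended rather than a stale spec template being reapplied, and either drop it from this submission or record it in the changelog.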
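Review bot: In the second libvirt.spec hunk, Patch101 is filed under "# Patches pending upstream review" with only a descriptive name, while the local patch header carries commit id 9abe699b0b91fd2c8a2870b36342a37fa97f7e36; once the change is accepted upstream, renaming the file with the upstream hash prefix as done for Patch0 (703ec1b7-qemu-bridge-helper-fix.patch) keeps the provenance visible in the spec. The matching `%patch101 -p1` line in the %setup hunk is consistent with this definition.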
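Review bot: In the src/security/virt-aa-helper.c hunk, the new call `vah_add_path(&buf, fs->src, "rw", true)` grants read-write access for every filesystem source regardless of `fs->readonly`, so the AppArmor profile no longer confines the QEMU process to reading the host directory behind a readonly 9p share; host-side write confinement for that path now rests entirely on QEMU exporting the share read-only, as the commit message describes. If the goal is only to stop emitting the deny rule (so that write attempts remain visible in the audit log) while keeping a read-only grant, a permission variant that yields `"r"` without the accompanying deny rule would preserve the tighter profile; if granting rw is the deliberate choice, the block comment should state that rather than describe the change as not adding "deny rw rules", e.g. `/* Grant rw even for readonly mounts: qemu exports the 9p share read-only, and the deny rule broke readonly / and hid the denials from audit. */`. Note also that after this change `fs->readonly` is no longer consulted in this block, so a later reader should not assume the profile reflects the readonly flag.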
