Package: libvirt-daemon-system
Version: 3.8.0-3
Severity: important
Tags: patch
User: [email protected]
Usertags: linux-4.14
Hi!

Linux 4.14 brings quite a few new AppArmor mediation features that the libvirt policy is not ready for. I've been running this kernel for 10+ days and the attached patch fixed all the issues I've noticed so far.

It would be nice to have this in sid before Linux 4.14 lands there, in order to avoid any "OMG AppArmor breaks everything" effect.

Note, if you want to test this: currently more stuff is broken due to the combination of a kernel bug + a long-term fix of mine (https://lists.alioth.debian.org/pipermail/pkg-apparmor-team/2017-October/001823.html). So if you test it locally, please:

- use apparmor 2.11.1 and a recent linux 4.14-rcN
- disable features-files= in /etc/apparmor/parser.conf (until that kernel bug is fixed)

Cheers,
--
intrigeri
>From d4fe9f6729565205b90df8a5165da284f6a852f8 Mon Sep 17 00:00:00 2001 From: intrigeri <[email protected]> Date: Wed, 25 Oct 2017 16:05:00 +0000 Subject: [PATCH] AppArmor-add-rules-needed-with-additional-mediation-featu.patch: new patch, adding mediation rules needed with additional mediation features brought by Linux 4.14. Submitted upstream: https://www.redhat.com/archives/libvir-list/2017-October/msg01153.html --- ...es-needed-with-additional-mediation-featu.patch | 55 ++++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 56 insertions(+) create mode 100644 debian/patches/AppArmor-add-rules-needed-with-additional-mediation-featu.patch diff --git a/debian/patches/AppArmor-add-rules-needed-with-additional-mediation-featu.patch b/debian/patches/AppArmor-add-rules-needed-with-additional-mediation-featu.patch new file mode 100644 index 0000000000..f9ae6983ff --- /dev/null +++ b/debian/patches/AppArmor-add-rules-needed-with-additional-mediation-featu.patch 
@@ -0,0 +1,55 @@ +From: intrigeri <[email protected]> +Date: Wed, 25 Oct 2017 15:54:36 +0000 +Subject: AppArmor: add rules needed with additional mediation features + brought by Linux 4.14. + +--- + examples/apparmor/libvirt-qemu | 2 ++ + examples/apparmor/usr.sbin.libvirtd | 9 +++++++++ + 2 files changed, 11 insertions(+) + +diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu +index dcfb1a5..0d76bc6 100644 +--- a/examples/apparmor/libvirt-qemu ++++ b/examples/apparmor/libvirt-qemu +@@ -16,6 +16,8 @@ + network inet stream, + network inet6 stream, + ++ signal (receive) set=("term") peer=/usr/sbin/libvirtd, ++ + /dev/net/tun rw, + /dev/kvm rw, + /dev/ptmx rw, +diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd +index 70b70bb..104d635 100644 +--- a/examples/apparmor/usr.sbin.libvirtd ++++ b/examples/apparmor/usr.sbin.libvirtd +@@ -30,6 +30,8 @@ + # Needed for vfio + capability sys_resource, + ++ mount, ++ + network inet stream, + network inet dgram, + network inet6 stream, +@@ -37,11 +39,18 @@ + network packet dgram, + network packet raw, + ++ network netlink raw, ++ network unix dgram, ++ network unix stream, ++ + ptrace (trace) peer=unconfined, + ptrace (trace) peer=/usr/sbin/libvirtd, + ptrace (trace) peer=/usr/sbin/dnsmasq, + ptrace (trace) peer=libvirt-*, + ++ signal (send) set=("hup") peer=/usr/sbin/dnsmasq, ++ signal (send) set=("term") peer=libvirt-*, ++ + # Very lenient profile for libvirtd since we want to first focus on confining + # the guests. Guests will have a very restricted profile. + / r, diff --git a/debian/patches/series b/debian/patches/series index f13b179c7a..1859385b9b 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -19,3 +19,4 @@ Pass-GPG_TTY-env-var-to-the-ssh-binary.patch apparmor-add-dnsmasq-ptrace-rule-to-libvirtd-profile.patch virt-host-validate-require-fuse-for-LXC-if-compiled-in.patch qemu-ensure-TLS-clients-always-verify-the-server-certific.patch +AppArmor-add-rules-needed-with-additional-mediation-featu.patch -- 2.15.0.rc2
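Review bot: in the libvirt-qemu hunk (`@@ -16,6 +16,8 @@`), the new `signal (receive) set=("term") peer=/usr/sbin/libvirtd,` only covers SIGTERM; please confirm that libvirtd never needs to deliver another signal to a guest (a forced destroy, for instance), since with signal mediation enabled anything not listed here is denied and will surface as a new AppArmor denial once the kernel lands. The peer is named by path, which matches the existing `ptrace (trace) peer=/usr/sbin/libvirtd,` convention in the libvirtd profile, so that part is consistent.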
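Review bot: the bare `mount,` added in the usr.sbin.libvirtd hunk (`@@ -30,6 +30,8 @@`) grants every mount operation with no restriction on source, destination, fstype or options, which is the widest rule in a profile that otherwise qualifies its capabilities. The surrounding lines document their reason (`# Needed for vfio` above `capability sys_resource,`); a one-line comment stating which libvirtd operation triggered the mount denial would let a later reviewer tighten this to the specific mounts needed instead of keeping the blanket grant, and would make clear that it is deliberate rather than a stopgap.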
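Review bot: in the second usr.sbin.libvirtd hunk (`@@ -37,11 +39,18 @@`), `signal (send) set=("term") peer=libvirt-*,` is the sending half of the `signal (receive) ... peer=/usr/sbin/libvirtd` rule added to libvirt-qemu, and the `libvirt-*` glob follows the existing `ptrace (trace) peer=libvirt-*,` line, so the guest side is paired correctly. The `signal (send) set=("hup") peer=/usr/sbin/dnsmasq,` rule has no matching receive rule in this patch, because dnsmasq's profile is not part of this package; it is worth checking that the dnsmasq profile shipped elsewhere allows receiving SIGHUP from `/usr/sbin/libvirtd`, otherwise the reload will still be denied on the receiving side. The three `network netlink raw, network unix dgram, network unix stream,` lines would also benefit from a short comment like the one on the existing `capability` rule, since unix and netlink mediation is new in 4.14 and the reason for each family will not be obvious later.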

