Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu

Hi,

I'd like to update libvirt in pu adding a single new apparmor rule to allow
pygrub which helps xen based setups. Debdiff is attached.

Cheers,
 -- Guido

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff --git a/debian/changelog b/debian/changelog index 5618e49bd1..29d4aeb690 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +libvirt (5.0.0-4+deb10u1) buster; urgency=medium + + [ Tobias Wolter ] + * [711f612] apparmor: Allow to run pygrup + (Closes: #931768) + + -- Guido Günther <[email protected]> Sat, 31 Aug 2019 13:38:31 +0200 + libvirt (5.0.0-4) unstable; urgency=medium * [0fdc2af] Fix multiple CVEs related to privilege escalations on R/O diff --git a/debian/patches/apparmor-Allow-run-pygrup.patch b/debian/patches/apparmor-Allow-run-pygrup.patch new file mode 100644 index 0000000000..5678aad517 --- /dev/null +++ b/debian/patches/apparmor-Allow-run-pygrup.patch @@ -0,0 +1,20 @@ +From: Tobias Wolter <[email protected]> +Date: Wed, 21 Aug 2019 10:27:05 +0200 +Subject: apparmor: Allow run pygrup + +--- + src/security/apparmor/usr.sbin.libvirtd | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd +index c7c52c6..477788e 100644 +--- a/src/security/apparmor/usr.sbin.libvirtd ++++ b/src/security/apparmor/usr.sbin.libvirtd +@@ -85,6 +85,7 @@ + /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64}/xen/bin/* Ux, + /usr/lib/xen-*/bin/libxl-save-helper PUx, ++ /usr/lib/xen-*/bin/pygrub PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # read and run an ebtables script. diff --git a/debian/patches/series b/debian/patches/series index 3d1d86906d..1d298fab6e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -34,3 +34,4 @@ security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch Include-etc-pki-qemu-in-apparmor.patch +apparmor-Allow-run-pygrup.patch
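Review bot: The debian/changelog entry "apparmor: Allow to run pygrup" misspells the binary, which the added rule names as pygrub, and the same spelling is carried into the patch Subject and the file name apparmor-Allow-run-pygrup.patch listed in debian/patches/series. Someone searching the changelog or the patch queue for pygrub after a denial in the audit log will not find this change. I would correct the changelog text and the Subject, and rename the patch file together with its series entry so the two stay in sync.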
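Review bot: The new debian/patches/apparmor-Allow-run-pygrup.patch has only From, Date and Subject in its header, so nothing records why the rule `/usr/lib/xen-*/bin/pygrub PUx,` needs the PUx mode. PUx runs the binary under its own AppArmor profile when one is loaded and otherwise falls back to unconfined with a scrubbed environment, so on a system with no pygrub profile this is an unconfined exec from libvirtd. That matches the neighbouring libxl-save-helper line, but a short description saying so, with a reference to #931768, would let the release team judge the change without opening the bug. Also note that the path covers /usr/lib only, while the xen-toolstack rule in the same context uses /usr/{lib,lib64}; if that is deliberate for Debian's layout, say so in the description.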

