commit:     24cd72c425327c6e1267416c9f170eefdd7affb7
Author:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Thu Dec  7 15:54:55 2017 +0000
Commit:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Thu Dec  7 16:02:12 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24cd72c4

app-emulation/libvirt: Update apparmor profiles

Closes: https://bugs.gentoo.org/629718
Package-Manager: Portage-2.3.16, Repoman-2.3.6

 .../libvirt-3.10.0-fix_paths_for_apparmor.patch    | 118 +++++++++++++++++++++
 app-emulation/libvirt/libvirt-3.10.0.ebuild        |   2 +-
 2 files changed, 119 insertions(+), 1 deletion(-)

diff --git 
a/app-emulation/libvirt/files/libvirt-3.10.0-fix_paths_for_apparmor.patch 
b/app-emulation/libvirt/files/libvirt-3.10.0-fix_paths_for_apparmor.patch
new file mode 100644
index 00000000000..0e386c1e00b
--- /dev/null
+++ b/app-emulation/libvirt/files/libvirt-3.10.0-fix_paths_for_apparmor.patch
@@ -0,0 +1,118 @@
+diff --git a/examples/Makefile.am b/examples/Makefile.am
+index ef2f79d..d8cdb9b 100644
+--- a/examples/Makefile.am
++++ b/examples/Makefile.am
+@@ -23,7 +23,7 @@ EXTRA_DIST = \
+       apparmor/TEMPLATE.lxc \
+       apparmor/libvirt-qemu \
+       apparmor/libvirt-lxc \
+-      apparmor/usr.lib.libvirt.virt-aa-helper \
++      apparmor/usr.libexec.virt-aa-helper \
+       apparmor/usr.sbin.libvirtd \
+       lxcconvert/virt-lxc-convert \
+       polkit/libvirt-acl.rules \
+@@ -70,7 +70,7 @@ admin_logging_SOURCES = admin/logging.c
+ if WITH_APPARMOR_PROFILES
+ apparmordir = $(sysconfdir)/apparmor.d/
+ apparmor_DATA = \
+-      apparmor/usr.lib.libvirt.virt-aa-helper \
++      apparmor/usr.libexec.virt-aa-helper \
+       apparmor/usr.sbin.libvirtd \
+       $(NULL)
+ 
+diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
+index d4fad85..0b22009 100644
+--- a/examples/apparmor/libvirt-qemu
++++ b/examples/apparmor/libvirt-qemu
+@@ -86,6 +86,8 @@
+   /usr/share/AAVMF/** r,
+   /usr/share/qemu-efi/** r,
+   /usr/share/slof/** r,
++  /usr/share/seavgabios/** r,
++  /usr/share/edk2-ovmf/** r,
+ 
+   # access PKI infrastructure
+   /etc/pki/libvirt-vnc/** r,
+diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper 
b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+deleted file mode 100644
+index bd6181d..0000000
+--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
++++ /dev/null
+@@ -1,60 +0,0 @@
+-# Last Modified: Mon Apr  5 15:10:27 2010
+-#include <tunables/global>
+-
+-profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
+-  #include <abstractions/base>
+-
+-  # needed for searching directories
+-  capability dac_override,
+-  capability dac_read_search,
+-
+-  # needed for when disk is on a network filesystem
+-  network inet,
+-  network inet6,
+-
+-  deny @{PROC}/[0-9]*/mounts r,
+-  @{PROC}/[0-9]*/net/psched r,
+-  owner @{PROC}/[0-9]*/status r,
+-  @{PROC}/filesystems r,
+-
+-  /etc/libnl-3/classid r,
+-
+-  # for hostdev
+-  /sys/devices/ r,
+-  /sys/devices/** r,
+-  deny /dev/sd* r,
+-  deny /dev/vd* r,
+-  deny /dev/dm-* r,
+-  deny /dev/drbd[0-9]* r,
+-  deny /dev/dasd* r,
+-  deny /dev/nvme* r,
+-  deny /dev/zd[0-9]* r,
+-  deny /dev/mapper/ r,
+-  deny /dev/mapper/* r,
+-
+-  /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
+-  /{usr/,}sbin/apparmor_parser Ux,
+-
+-  /etc/apparmor.d/libvirt/* r,
+-  
/etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*
 rw,
+-
+-  # for backingstore -- allow access to non-hidden files in @{HOME} as well
+-  # as storage pools
+-  audit deny @{HOME}/.* mrwkl,
+-  audit deny @{HOME}/.*/ rw,
+-  audit deny @{HOME}/.*/** mrwkl,
+-  audit deny @{HOME}/bin/ rw,
+-  audit deny @{HOME}/bin/** mrwkl,
+-  @{HOME}/ r,
+-  @{HOME}/** r,
+-  /var/lib/libvirt/images/ r,
+-  /var/lib/libvirt/images/** r,
+-  /{media,mnt,opt,srv}/** r,
+-
+-  /**.img r,
+-  /**.qcow{,2} r,
+-  /**.qed r,
+-  /**.vmdk r,
+-  /**.[iI][sS][oO] r,
+-  /**/disk{,.*} r,
+-}
+diff --git a/examples/apparmor/usr.sbin.libvirtd 
b/examples/apparmor/usr.sbin.libvirtd
+index 8d61d15..656a559 100644
+--- a/examples/apparmor/usr.sbin.libvirtd
++++ b/examples/apparmor/usr.sbin.libvirtd
+@@ -84,8 +84,10 @@
+   audit deny /sys/kernel/security/apparmor/.* rwxl,
+   /sys/kernel/security/apparmor/profiles r,
+   /usr/{lib,lib64}/libvirt/* PUxr,
+-  /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
+-  /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
++  /usr/libexec/virt-aa-helper PUxr,
++  /usr/libexec/libvirt_lxc PUxr,
++  /usr/libexec/libvirt_parthelper ix,
++  /usr/libexec/libvirt_iohelper ix,
+   /etc/libvirt/hooks/** rmix,
+   /etc/xen/scripts/** rmix,
+ 
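Review bot: The embedded patch deletes `examples/apparmor/usr.lib.libvirt.virt-aa-helper` (the `deleted file mode` entry) and points `EXTRA_DIST` and `apparmor_DATA` at `apparmor/usr.libexec.virt-aa-helper`, but no hunk in this file creates that renamed profile, and the 118-line diffstat matches what is visible, so the patch as committed ships no virt-aa-helper profile at all. Unless the ebuild provides that file by some other means not visible here, `make install` will fail on the missing `apparmor_DATA` entry, and even if the build is fixed up, the new `/usr/libexec/virt-aa-helper PUxr,` rule in `usr.sbin.libvirtd` will fall back to the unconfined `U` mode whenever no profile named for that path is loaded, which silently drops the confinement the deleted profile provided (its `deny /dev/sd*` and `audit deny @{HOME}/.*` rules included). I would add the profile to this patch as a new file `examples/apparmor/usr.libexec.virt-aa-helper`, carrying the deleted profile's body with `profile virt-aa-helper /usr/libexec/virt-aa-helper {` and `/usr/libexec/virt-aa-helper mr,` substituted for the `/usr/{lib,lib64}/libvirt/` paths, so that the rename is a move rather than a deletion. A one-line header comment in the patch file noting that the Gentoo install layout uses `/usr/libexec` for the helpers would also explain why the upstream paths are rewritten.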

diff --git a/app-emulation/libvirt/libvirt-3.10.0.ebuild 
b/app-emulation/libvirt/libvirt-3.10.0.ebuild
index 06b849546b5..c8d9893516a 100644
--- a/app-emulation/libvirt/libvirt-3.10.0.ebuild
+++ b/app-emulation/libvirt/libvirt-3.10.0.ebuild
@@ -124,7 +124,7 @@ DEPEND="${RDEPEND}
 PATCHES=(
        "${FILESDIR}"/${PN}-1.3.0-do_not_use_sysconf.patch
        "${FILESDIR}"/${PN}-1.2.16-fix_paths_in_libvirt-guests_sh.patch
-       "${FILESDIR}"/${PN}-3.0.0-fix_paths_for_apparmor.patch
+       "${FILESDIR}"/${PN}-3.10.0-fix_paths_for_apparmor.patch
        "${FILESDIR}"/${PN}-1.3.4-glibc-2.23.patch
        "${FILESDIR}"/${PN}-3.1.0-musl-fix-includes.patch          # bug #609488
 )
