Hello community,

here is the log from the commit of package libvirt for openSUSE:Factory checked in at 2017-09-25 13:53:47

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libvirt (Old)
 and      /work/SRC/openSUSE:Factory/.libvirt.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libvirt" Mon Sep 25 13:53:47 2017 rev:235 rq:527593 version:3.7.0 Changes: -------- --- /work/SRC/openSUSE:Factory/libvirt/libvirt.changes 2017-09-18 19:51:30.420080923 +0200 +++ /work/SRC/openSUSE:Factory/.libvirt.new/libvirt.changes 2017-09-25 13:53:51.885700856 +0200 @@ -1,0 +2,7 @@ +Wed Sep 20 16:28:46 UTC 2017 - [email protected] + +- apparmor: add temporary profile fixes to allow starting domains + apparmor-ptrace-support.patch + bsc#1058847 + +------------------------------------------------------------------- New: ---- apparmor-ptrace-support.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libvirt.spec ++++++ --- /var/tmp/diff_new_pack.XJt4p2/_old 2017-09-25 13:53:53.049537106 +0200 +++ /var/tmp/diff_new_pack.XJt4p2/_new 2017-09-25 13:53:53.053536544 +0200 @@ -310,6 +310,7 @@ # Patches pending upstream review Patch100: libxl-dom-reset.patch Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch +Patch102: apparmor-ptrace-support.patch # Need to go upstream Patch150: xen-pv-cdrom.patch Patch151: blockcopy-check-dst-identical-device.patch @@ -877,6 +878,7 @@ %patch2 -p1 %patch100 -p1 %patch101 -p1 +%patch102 -p1 %patch150 -p1 %patch151 -p1 %patch152 -p1 ++++++ apparmor-no-mount.patch ++++++ --- /var/tmp/diff_new_pack.XJt4p2/_old 2017-09-25 13:53:53.133525290 +0200 +++ /var/tmp/diff_new_pack.XJt4p2/_new 2017-09-25 13:53:53.137524727 +0200 
@@ -2,12 +2,15 @@ =================================================================== --- libvirt-3.7.0.orig/examples/apparmor/libvirt-lxc +++ libvirt-3.7.0/examples/apparmor/libvirt-lxc -@@ -2,39 +2,15 @@ +@@ -2,42 +2,19 @@ #include <abstractions/base> - umount, -- + dbus, + signal, + ptrace, + - # ignore DENIED message on / remount - deny mount options=(ro, remount) -> /, - ++++++ apparmor-ptrace-support.patch ++++++ commit e3bb609812776b30acfc0349b25b2e4d539c45c2 Author: Jim Fehlig <[email protected]> Date: Mon Sep 18 13:41:26 2017 -0600 apparmor: support ptrace checks Kernel 4.13 introduced finer-grained ptrace checks https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07 When Apparmor is enabled and libvirtd is confined, attempting to start a domain fails virsh start test error: Failed to start domain test error: internal error: child reported: Kernel does not provide mount namespace: Permission denied The audit log contains type=AVC msg=audit(1505466699.828:534): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/libvirtd" It was also noticed that simply connecting to libvirtd (e.g. virsh list) resulted in the following entries in the audit log type=AVC msg=audit(1505755799.975:65): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined" type=AVC msg=audit(1505755799.976:66): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined" Both Apparmor denials can be fixed by supporting ptrace in the libvirtd, qemu, and lxc profiles. While at it, also add support for dbus, signal, and unix. Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847 
diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc index 4bfb503aa..0db137de0 100644 --- a/examples/apparmor/libvirt-lxc +++ b/examples/apparmor/libvirt-lxc @@ -3,6 +3,9 @@ #include <abstractions/base> umount, + dbus, + signal, + ptrace, # ignore DENIED message on / remount deny mount options=(ro, remount) -> /, diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index dcfb1a598..6a4a2335a 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -170,6 +170,9 @@ @{PROC}/device-tree/** r, /sys/firmware/devicetree/** r, + signal (receive) peer=/usr/sbin/libvirtd, + ptrace (tracedby) peer=/usr/sbin/libvirtd, + # for gathering information about available host resources /sys/devices/system/cpu/ r, /sys/devices/system/node/ r, diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index acb59e071..9aadba411 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -36,6 +36,12 @@ network inet6 dgram, network packet dgram, network packet raw, + network netlink, + + dbus bus=system, + signal, + ptrace, + unix, # Very lenient profile for libvirtd since we want to first focus on confining # the guests. Guests will have a very restricted profile. ++++++ qemu-apparmor-screenshot.patch ++++++ --- /var/tmp/diff_new_pack.XJt4p2/_old 2017-09-25 13:53:53.281504470 +0200 +++ /var/tmp/diff_new_pack.XJt4p2/_new 2017-09-25 13:53:53.281504470 +0200 @@ -2,7 +2,7 @@ =================================================================== --- libvirt-3.7.0.orig/examples/apparmor/libvirt-qemu +++ libvirt-3.7.0/examples/apparmor/libvirt-qemu -@@ -178,3 +178,6 @@ +@@ -181,3 +181,6 @@ /sys/devices/system/node/ r, /sys/devices/system/node/node[0-9]*/meminfo r, /sys/module/vhost/parameters/max_mem_regions r,
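Review bot: In the libvirt-lxc hunk, `+ dbus,`, `+ signal,` and `+ ptrace,` are unqualified, so the container side gets every ptrace mode (trace, read, tracedby, readby) against any peer, any signal in either direction, and all dbus access, while the libvirt-qemu hunk of the same patch uses the scoped form `ptrace (tracedby) peer=/usr/sbin/libvirtd,` and `signal (receive) peer=/usr/sbin/libvirtd,`. None of the audit entries quoted in the commit message involve a guest profile, so nothing visible here justifies the wider grant; suggest using the same scoped rules in libvirt-lxc, or stating in the commit message why the lxc profile needs more.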
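Review bot: The libvirt-qemu hunk adds `ptrace (tracedby) peer=/usr/sbin/libvirtd,` and `signal (receive) peer=/usr/sbin/libvirtd,`, but every denial quoted in the commit message has profile="/usr/sbin/libvirtd" with peer="/usr/sbin/libvirtd" or peer="unconfined"; if a guest-side denial was seen, quote it, otherwise say the rules are added pre-emptively. Two things to check before this goes upstream: the peer label is the literal path /usr/sbin/libvirtd, so the rules stop matching silently if the daemon's profile is ever named differently, and only `tracedby` is granted, so it is worth confirming on a 4.13 kernel that libvirtd gets no `read` denials against the guest (which would need `readby` here as well).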
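Review bot: In the usr.sbin.libvirtd hunk, `+ ptrace,` with no access or peer qualifier lets the confined daemon trace and read any process on the host, including unconfined ones, while the quoted denials only need requested_mask="trace" against peer="/usr/sbin/libvirtd" and peer="unconfined"; `ptrace (trace) peer=/usr/sbin/libvirtd,` and `ptrace (trace) peer=unconfined,` (plus a rule for the guest profiles the libvirt-qemu hunk expects libvirtd to trace) would cover them. The comment directly below the hunk says the profile is deliberately lenient, so if the wide grant is intentional, say so in the commit message rather than leaving it implicit. Also, `+ network netlink,` is not mentioned in the message (which lists dbus, signal and unix as the extras) and matches no quoted denial; either add it to the message with the denial that motivated it or drop it from this patch.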
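As an added example (not part of this commit, libvirt or AppArmor), the following Python script turns audit records of the shape quoted in the commit message into the narrowest `ptrace`/`signal` rules AppArmor would need, which is the scoped alternative to the bare `ptrace,` and `signal,` lines the patch adds to usr.sbin.libvirtd. The sample records are constructed: three are copied from the commit message, the signal denial and its peer label are invented.

```python
"""Map AppArmor AVC denials to least-privilege profile rules.

Added example, not libvirt or AppArmor project code: it parses audit records
shaped like the ones quoted in the commit message and emits, per confined
profile, the narrowest `ptrace` / `signal` rule that would have allowed each
denied access, as an alternative to unqualified `ptrace,` / `signal,` grants.
"""
import re
from collections import defaultdict

# Constructed sample input: the three libvirtd ptrace denials quoted in the
# commit message, one invented signal denial (the peer label is made up), and
# one non-AppArmor SYSCALL record that must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1505466699.828:534): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/libvirtd"
type=AVC msg=audit(1505755799.975:65): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
type=AVC msg=audit(1505755799.976:66): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
type=AVC msg=audit(1505755800.100:67): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=1418 comm="libvirtd" requested_mask="send" denied_mask="send" signal="term" peer="libvirt-00000000-0000-0000-0000-000000000000"
type=SYSCALL msg=audit(1505755800.100:67): arch=c000003e syscall=62 success=no exit=-13
"""

# key=value pairs; a value is either double-quoted or a bare token
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None.

    Only apparmor="DENIED" is required, so records copied from dmesg
    (type=1400) parse the same way as records from auditd (type=AVC).
    """
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def suggest_rule(rec):
    """Narrowest AppArmor rule allowing exactly the denied access, or None.

    Only the ptrace and signal mediation classes touched by the patch are
    handled: denied_mask (falling back to requested_mask) becomes the access
    list and the audit peer label becomes the peer= qualifier.
    """
    op = rec.get("operation")
    peer = rec.get("peer")
    mask = rec.get("denied_mask") or rec.get("requested_mask") or ""
    if not peer or not mask:
        return None
    access = ", ".join(mask.split())
    if op == "ptrace":
        return f"ptrace ({access}) peer={peer},"
    if op == "signal":
        sig = rec.get("signal")
        sigset = f" set=({sig})" if sig else ""
        return f"signal ({access}){sigset} peer={peer},"
    return None


def suggest_rules(lines):
    """Group deduplicated rule suggestions by the confined profile."""
    by_profile = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        rule = suggest_rule(rec)
        if rule:
            by_profile[rec["profile"]].add(rule)
    return {p: sorted(rules) for p, rules in by_profile.items()}


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_AUDIT.splitlines()).items():
        print(f"# rules for profile {profile}")
        for rule in rules:
            print(f"  {rule}")
```

Feed it `ausearch -m AVC` output (or the relevant dmesg lines), paste the emitted rules into the profile and reload with `apparmor_parser -r`; `aa-logprof` from apparmor-utils does the same job interactively. Generating the rules from the actual denials keeps the grant tied to the peers that were really observed instead of opening ptrace against every process on the host.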
