Hello community, here is the log from the commit of package libvirt for openSUSE:Factory checked in at 2017-09-29 11:51:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libvirt (Old) and /work/SRC/openSUSE:Factory/.libvirt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libvirt" Fri Sep 29 11:51:22 2017 rev:236 rq:528890 version:3.7.0 Changes: -------- --- /work/SRC/openSUSE:Factory/libvirt/libvirt.changes 2017-09-25 13:53:51.885700856 +0200 +++ /work/SRC/openSUSE:Factory/.libvirt.new/libvirt.changes 2017-09-29 11:51:35.078967797 +0200 @@ -1,0 +2,13 @@ +Tue Sep 26 22:38:42 UTC 2017 - jfeh...@suse.com + +- apparmor: Add rules for kernel 4.13 ptrace checks + b482925c-apparmor-ptrace-support.patch + Drop temporary workaround apparmor-ptrace-support.patch + bsc#1058847 +- apparmor: Add rules for denial encountered when starting + confined domains + f305d8a1-apparmor-attach_disconnected.patch, + suse-apparmor-libnl-paths.patch + Drop old, useless, undocumented apparmor-fixes.patch + +------------------------------------------------------------------- Old: ---- apparmor-fixes.patch apparmor-ptrace-support.patch New: ---- b482925c-apparmor-ptrace-support.patch f305d8a1-apparmor-attach_disconnected.patch suse-apparmor-libnl-paths.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libvirt.spec ++++++ --- /var/tmp/diff_new_pack.x6NvCA/_old 2017-09-29 11:51:36.442775480 +0200 +++ /var/tmp/diff_new_pack.x6NvCA/_new 2017-09-29 11:51:36.446774915 +0200 @@ -307,10 +307,11 @@ Patch0: 92bd87a2-ryzen-test-data.patch Patch1: 5c83b360-epyc-test-data.patch Patch2: a0b62843-epyc-cpu-model.patch +Patch3: f305d8a1-apparmor-attach_disconnected.patch +Patch4: b482925c-apparmor-ptrace-support.patch # Patches pending upstream review Patch100: libxl-dom-reset.patch Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch -Patch102: apparmor-ptrace-support.patch # Need to go upstream Patch150: xen-pv-cdrom.patch Patch151: blockcopy-check-dst-identical-device.patch 
@@ -318,7 +319,6 @@ Patch153: ppc64le-canonical-name.patch Patch154: libxl-set-migration-constraints.patch Patch155: libxl-set-cach-mode.patch -Patch156: apparmor-fixes.patch # Our patches Patch200: suse-libvirtd-disable-tls.patch Patch201: suse-libvirtd-sysconfig-settings.patch @@ -328,14 +328,15 @@ Patch205: suse-libvirtd-service-xen.patch Patch206: suse-qemu-conf.patch Patch207: suse-ovmf-paths.patch -Patch208: support-managed-pci-xen-driver.patch -Patch209: xen-sxpr-disk-type.patch -Patch210: libxl-support-block-script.patch -Patch211: apparmor-no-mount.patch -Patch212: qemu-apparmor-screenshot.patch -Patch213: libvirt-suse-netcontrol.patch -Patch214: lxc-wait-after-eth-del.patch -Patch215: libxl-qemu-emulator-caps.patch +Patch208: suse-apparmor-libnl-paths.patch +Patch209: support-managed-pci-xen-driver.patch +Patch210: xen-sxpr-disk-type.patch +Patch211: libxl-support-block-script.patch +Patch212: apparmor-no-mount.patch +Patch213: qemu-apparmor-screenshot.patch +Patch214: libvirt-suse-netcontrol.patch +Patch215: lxc-wait-after-eth-del.patch +Patch216: libxl-qemu-emulator-caps.patch # SLES-Only patches %if %{with_sle_build} Patch400: virt-create-rootfs.patch @@ -876,16 +877,16 @@ %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 +%patch4 -p1 %patch100 -p1 %patch101 -p1 -%patch102 -p1 %patch150 -p1 %patch151 -p1 %patch152 -p1 %patch153 -p1 %patch154 -p1 %patch155 -p1 -%patch156 -p1 %patch200 -p1 %patch201 -p1 %patch202 -p1 @@ -902,6 +903,7 @@ %patch213 -p1 %patch214 -p1 %patch215 -p1 +%patch216 -p1 %if %{with_sle_build} %patch400 -p1 %endif ++++++ apparmor-no-mount.patch ++++++ --- /var/tmp/diff_new_pack.x6NvCA/_old 2017-09-29 11:51:36.514765328 +0200 +++ /var/tmp/diff_new_pack.x6NvCA/_new 2017-09-29 11:51:36.518764764 +0200 
@@ -2,15 +2,12 @@ =================================================================== --- libvirt-3.7.0.orig/examples/apparmor/libvirt-lxc +++ libvirt-3.7.0/examples/apparmor/libvirt-lxc -@@ -2,42 +2,19 @@ +@@ -2,39 +2,15 @@ #include <abstractions/base> - umount, - dbus, - signal, - ptrace, - +- - # ignore DENIED message on / remount - deny mount options=(ro, remount) -> /, - ++++++ b482925c-apparmor-ptrace-support.patch ++++++ commit b482925c2277e906542faea52ef587a5c0aa1f5f Author: Jim Fehlig <jfeh...@suse.com> Date: Fri Sep 22 17:02:42 2017 -0600 apparmor: support ptrace checks Kernel 4.13 introduced finer-grained ptrace checks https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07 With kernel 4.13 and apparmor 2.11, simply starting libvirtd results in the following apparmor denial type=AVC msg=audit(1506112085.645:954): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined" Attempting to start an unconfined domain results in type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/libvirtd" And attempting to start a confined domain results in type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342 comm="libvirtd" requested_mask="trace" denied_mask="trace" 
peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" Add ptrace rules to allow the trace operations. Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847 Signed-off-by: Jim Fehlig <jfeh...@suse.com> Reviewed-by: Guido Günther <a...@sigxcpu.org> Index: libvirt-3.7.0/examples/apparmor/usr.sbin.libvirtd =================================================================== --- libvirt-3.7.0.orig/examples/apparmor/usr.sbin.libvirtd +++ libvirt-3.7.0/examples/apparmor/usr.sbin.libvirtd @@ -37,6 +37,10 @@ network packet dgram, network packet raw, + ptrace (trace) peer=unconfined, + ptrace (trace) peer=/usr/sbin/libvirtd, + ptrace (trace) peer=libvirt-*, + # Very lenient profile for libvirtd since we want to first focus on confining # the guests. Guests will have a very restricted profile. / r, ++++++ f305d8a1-apparmor-attach_disconnected.patch ++++++ commit f305d8a191941d1ea6e036ae9fc02a3164b3e746 Author: Guido Günther <a...@sigxcpu.org> Date: Fri Sep 15 17:13:16 2017 +0200 apparmor: add attach_disconnected Otherwise we fail to reconnect to /dev/net/tun opened by libvirtd like [ 8144.507756] audit: type=1400 audit(1505488162.386:38069121): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 profile="libvirt-5dfcc8a7-b79a-4fa9-a41f-f6271651934c" name="dev/net/tun" pid=9607 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0 Reviewed-By: Jamie Strandboge <ja...@canonical.com> Acked-By: Michal Privoznik <mpriv...@redhat.com> Index: libvirt-3.7.0/examples/apparmor/TEMPLATE.lxc =================================================================== --- libvirt-3.7.0.orig/examples/apparmor/TEMPLATE.lxc +++ libvirt-3.7.0/examples/apparmor/TEMPLATE.lxc 
@@ -4,7 +4,7 @@ #include <tunables/global> -profile LIBVIRT_TEMPLATE { +profile LIBVIRT_TEMPLATE flags=(attach_disconnected) { #include <abstractions/libvirt-lxc> # Globally allows everything to run under this profile Index: libvirt-3.7.0/examples/apparmor/TEMPLATE.qemu =================================================================== --- libvirt-3.7.0.orig/examples/apparmor/TEMPLATE.qemu +++ libvirt-3.7.0/examples/apparmor/TEMPLATE.qemu @@ -4,6 +4,6 @@ #include <tunables/global> -profile LIBVIRT_TEMPLATE { +profile LIBVIRT_TEMPLATE flags=(attach_disconnected) { #include <abstractions/libvirt-qemu> } ++++++ qemu-apparmor-screenshot.patch ++++++ --- /var/tmp/diff_new_pack.x6NvCA/_old 2017-09-29 11:51:36.646746717 +0200 +++ /var/tmp/diff_new_pack.x6NvCA/_new 2017-09-29 11:51:36.646746717 +0200 @@ -2,7 +2,7 @@ =================================================================== --- libvirt-3.7.0.orig/examples/apparmor/libvirt-qemu +++ libvirt-3.7.0/examples/apparmor/libvirt-qemu -@@ -181,3 +181,6 @@ +@@ -176,3 +176,6 @@ /sys/devices/system/node/ r, /sys/devices/system/node/node[0-9]*/meminfo r, /sys/module/vhost/parameters/max_mem_regions r, ++++++ suse-apparmor-libnl-paths.patch ++++++ Apparmor: Adjust libnl paths In SUSE distros, libnl paths generally contain only 'libnl', and not an embedded version number such as 'libnl-3'. Use 'libnl*' in the virt-aa-helper profile to accommodate all libnl path variants. It was also noticed that the per-domain profiles need a libnl rule to squelch a denial when starting confined domains. Found while investigating bsc#1058847 Index: libvirt-3.7.0/examples/apparmor/usr.lib.libvirt.virt-aa-helper =================================================================== --- libvirt-3.7.0.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper +++ libvirt-3.7.0/examples/apparmor/usr.lib.libvirt.virt-aa-helper 
@@ -16,7 +16,7 @@ profile virt-aa-helper /usr/{lib,lib64}/ owner @{PROC}/[0-9]*/status r, @{PROC}/filesystems r, - /etc/libnl-3/classid r, + /etc/libnl*/classid r, # for hostdev /sys/devices/ r, Index: libvirt-3.7.0/examples/apparmor/libvirt-qemu =================================================================== --- libvirt-3.7.0.orig/examples/apparmor/libvirt-qemu +++ libvirt-3.7.0/examples/apparmor/libvirt-qemu @@ -50,6 +50,7 @@ #/dev/fb* rw, /etc/pulse/client.conf r, + /etc/libnl*/classid r, @{HOME}/.pulse-cookie rwk, owner /root/.pulse-cookie rwk, owner /root/.pulse/ rw,
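Review bot: inserting suse-apparmor-libnl-paths.patch as Patch208 in libvirt.spec renumbers the nine following SUSE patches (support-managed-pci-xen-driver.patch through libxl-qemu-emulator-caps.patch) and touches nine lines that are otherwise unchanged; appending it as Patch216 at the end of the "Our patches" block would leave the existing numbers stable and add only the `Patch216:` tag and `%patch216 -p1`. The %prep hunk relies on the renumbering staying contiguous (only `+%patch216 -p1` is added there), so if the insertion at 208 is kept, it is worth stating in the changes entry that ordering matters, because the new patch adds a line to libvirt-qemu and the later qemu-apparmor-screenshot.patch is refreshed against that same file.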
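Review bot: in the refresh of apparmor-no-mount.patch the visible change is only the trailing-whitespace fix on the blank `-` line, yet the inner hunk header shrinks from `@@ -2,42 +2,19 @@` to `@@ -2,39 +2,15 @@`, and the outer header `@@ -2,15 +2,12 @@` says three old lines disappeared that this log does not show. Since apparmor-fixes.patch against the same libvirt-lxc abstraction is dropped in this commit without its content appearing here, please confirm that the missing context lines are the ones that patch used to add and not lines the no-mount patch still needs.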
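Review bot: `ptrace (trace) peer=unconfined,` in usr.sbin.libvirtd lets libvirtd trace any unconfined process on the host, which is broader than the single libvirtd-start denial quoted for it, though in line with the "Very lenient profile for libvirtd" comment that follows the hunk; a comment above the three rules mapping each to the denial it answers (libvirtd start, unconfined domain start, confined domain start) would make later tightening to specific peers straightforward. The granted mask is exactly the denied `trace`, which is the right scope. Separately, the commit message quotes two `/etc/libnl/classid` denials for virt-aa-helper that this patch does not address; they are fixed by suse-apparmor-libnl-paths.patch in the same submission, so the message should either say so or drop them.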
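Review bot: `flags=(attach_disconnected)` in TEMPLATE.qemu and TEMPLATE.lxc makes AppArmor mediate a disconnected object (the `dev/net/tun` descriptor, logged without a leading slash) as if it were attached at the profile's `/`, so every path rule in each generated per-domain profile now also matches such objects. That is the intended fix, and `info="Failed name lookup - disconnected path"` shows why no `/dev/net/tun r,` rule could have resolved it, but because these templates seed every guest profile, a one-line comment beside the flag citing the tun reconnect case would stop a later cleanup from removing it as an unexplained weakening.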
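Review bot: the refreshed hunk in qemu-apparmor-screenshot.patch moves from `@@ -181,3 +181,6 @@` to `@@ -176,3 +176,6 @@`, but the only visible change to libvirt-qemu ahead of that point is the one line suse-apparmor-libnl-paths.patch adds near line 50, which would move the offset by +1, not -5. If the old offset was simply stale from the 3.7.0 rebase this is harmless; please confirm the refresh was taken with Patch208 applied so quilt does not report fuzz at build time.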
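Review bot: `/etc/libnl*/classid r,` uses `*`, which in AppArmor matches any run of characters except `/`, so besides the `/etc/libnl/` and `/etc/libnl-3/` layouts the description names it also admits directories such as `/etc/libnl-foo/`; `/etc/libnl{,-3}/classid r,` would express exactly the two known variants. It is read-only access to a classid file, so this is a precision point rather than a blocker. The patch also lacks the From/Date header the two cherry-picked patches carry; since the glob is harmless on distros that use `libnl-3`, it looks like a candidate for upstream rather than a permanent SUSE-only patch.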
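As an added illustration, not code from libvirt or from this submission, the Python below parses AVC denial records of the kind quoted in the b482925c and f305d8a1 commit messages and prints the profile change each one calls for: a `ptrace (mask) peer=...` rule (collapsing a `libvirt-<uuid>` peer to the `libvirt-*` glob the patch uses), a path rule, or, for a "disconnected path" denial, the attach_disconnected flag rather than a rule. The log lines embedded in it are constructed copies of the ones on this page, including the duplicated virt-aa-helper denial, and the derivation logic is a deliberately narrow stand-in for what aa-logprof does.

```python
import re
from collections import defaultdict

# Constructed sample input: copies of the denials quoted in the commit
# messages above, including the repeated virt-aa-helper libnl denial so that
# de-duplication is exercised.
SAMPLE_LOG = """\
type=AVC msg=audit(1506112085.645:954): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/libvirtd"
type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
[ 8144.507756] audit: type=1400 audit(1505488162.386:38069121): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 profile="libvirt-5dfcc8a7-b79a-4fa9-a41f-f6271651934c" name="dev/net/tun" pid=9607 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
"""

# key="value" pairs; unquoted fields such as pid= and error= are not needed here.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# libvirt names per-domain profiles libvirt-<domain uuid>; a rule meant to cover
# every guest uses the glob libvirt-* instead, as the ptrace patch does.
DOMAIN_PROFILE_RE = re.compile(
    r"^libvirt-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def parse_denial(line):
    """Return the quoted fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return dict(FIELD_RE.findall(line))


def generalise_peer(peer):
    """Collapse a per-domain profile name to the libvirt-* glob."""
    return "libvirt-*" if DOMAIN_PROFILE_RE.match(peer) else peer


def suggest_change(d):
    """Map one parsed denial to the profile change that would satisfy it."""
    mask = d.get("denied_mask", "")
    if d.get("operation") == "ptrace":
        return f"ptrace ({mask}) peer={generalise_peer(d['peer'])},"
    if "disconnected path" in d.get("info", ""):
        # No path rule can match a disconnected object (note the missing
        # leading slash in name=); the profile header needs the flag instead.
        return f"flags=(attach_disconnected)  # {d['name']}"
    if "name" in d:
        return f"{d['name']} {mask},"
    return None


def suggest_changes(log_text):
    """Group suggested changes by profile, de-duplicated, in first-seen order."""
    by_profile = defaultdict(list)
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        change = suggest_change(d)
        if change and change not in by_profile[d["profile"]]:
            by_profile[d["profile"]].append(change)
    return dict(by_profile)


if __name__ == "__main__":
    for profile, changes in suggest_changes(SAMPLE_LOG).items():
        print(profile)
        for change in changes:
            print("   ", change)
```

Run as-is it prints the three `ptrace (trace)` rules for `/usr/sbin/libvirtd`, a single `/etc/libnl/classid r,` for `virt-aa-helper`, and the attach_disconnected hint for the per-domain profile; the glob for the peer and the flag-versus-rule distinction are the two decisions the patches above encode that a naive denial-to-rule mapping would miss.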