Re: [libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

2016-05-25 Thread Stefan Bader
On 09.05.2016 21:00, intrigeri wrote:
> Hi,
> 
>> Stefan Bader wrote (20 May 2015 10:11:45 GMT) :
>> intrigeri wrote (15 Jun 2015 15:09:11 GMT) :
>> My (possibly incomplete) records say that I've tested the latest
>> proposed patch set back in February (<85iof8v6j5@boum.org>).
> 
>>> Since I lost most context by now, I will try to find my most recent proposal
>>> again and try to get it moved into present state of packages.
> 
> Ping?

*sigh* yeah (/me looks guilty). I am on that now. This time approaching things
from the bottom. So I actually have something that seems to be somehow working with
the Ubuntu packaging. I just want to get some internal feedback first. But I
should be sending out something around next Monday.
The good thing would be that this is against libvirt 1.3.4 which Serge got
closer to Debian than ever before. So there is hope that it can be tried in
Debian without much problem.

-Stefan
> 
> Cheers,
> 




--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

2016-05-09 Thread intrigeri
Hi,

> Stefan Bader wrote (20 May 2015 10:11:45 GMT) :
> intrigeri wrote (15 Jun 2015 15:09:11 GMT) :
> My (possibly incomplete) records say that I've tested the latest
> proposed patch set back in February (<85iof8v6j5@boum.org>).

>> Since I lost most context by now, I will try to find my most recent proposal
>> again and try to get it moved into present state of packages.

Ping?

Cheers,
-- 
intrigeri



Re: [libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

2015-06-15 Thread intrigeri
Hi,

Stefan Bader wrote (20 May 2015 10:11:45 GMT) :
 Hm was there not something which I was waiting for feedback
 from you?

My (possibly incomplete) records say that I've tested the latest
proposed patch set back in February (85iof8v6j5@boum.org).

 Since I lost most context by now, I will try to find my most recent proposal
 again and try to get it moved into present state of packages.

Thanks!

Cheers,
-- 
intrigeri



Re: [libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

2015-05-20 Thread Stefan Bader
On 19.05.2015 11:54, intrigeri wrote:
 Hi Stefan,
 
 any news on what follows? Now that Ubuntu 15.04 has been released,
 perhaps you'll be able to allocate some cycles to it? :)

Hm, was there not something which I was waiting for feedback from you? Though I
forgot what exactly that was. And after release is before release, the treadmill
never stops... ;-P
Since I lost most context by now, I will try to find my most recent proposal
again and try to get it moved into present state of packages.

-Stefan

 
 intrigeri wrote (11 Feb 2015 14:58:54 GMT) :
 Hi Stefan and others,
 
 Stefan Bader wrote (21 Oct 2014 11:50:24 GMT) :
 On 20.10.2014 12:48, Stefan Bader wrote:
 On 19.10.2014 17:07, intrigeri wrote:
 Cool, I've tested this. I've imported these two patches in Debian's
 1.2.9-3 quilt series, made the build system use dh-autoreconf (the
 build system in the tarball wants aclocal 1.13, while Debian sid has
 1.14), and added a build-dep on libapparmor-dev to get the needed
 pkg-config file.
 
 I've given a try to your last set of patches. Sorry for the delay.
 Here's what I did:
 
 1. Checkout the Vcs-Git libvirt packaging repo for Debian unstable,
currently at 1.2.9-9
 2. Make the build system use dh-autoreconf as previously
 3. Added the build-dep on libapparmor-dev as previously
 4. Hacked debian/rules to make examples/apparmor/profile-preprocess
(created by your patches) executable before it's executed.
This won't be needed anymore once the patches are upstreamed.
 5. Build in a clean Debian unstable chroot, which now works.
Progress :)
 6. Install the resulting binary packages on a sid system with
a working libvirt setup.
 7. In /etc/libvirt/qemu.conf, set security_driver = apparmor
 8. Restart libvirtd.
 9. Start a VM with virsh or virt-manager
 
 = here's what I see:
 
   error: Failed to start domain tails-dev
   error: internal error: cannot load AppArmor profile 
 'libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef'
 
 And the Journal says:
 
   libvirtd[20351]: internal error: Child process 
 (/usr/lib/libvirt/virt-aa-helper -p 0 -c -u 
 libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef) unexpected exit status 1: 
 virt-aa-helper: error: template does not exist
virt-aa-helper: error: could not create profile
   libvirtd[20351]: internal error: cannot load AppArmor profile 
 'libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef'
 
 So I naively tried to do it by hand:
 
   $ virsh dumpxml tails-dev | sudo /usr/lib/libvirt/virt-aa-helper -p 0 -c 
 -u libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef 
   virt-aa-helper: error: template does not exist
   virt-aa-helper: error: could not create profile
 
 I do have a template in place:
 
   $ cat /etc/apparmor.d/libvirt/TEMPLATE.qemu
   #
   # This profile is for the domain whose UUID matches this file.
   #
 
   #include tunables/global
 
   profile LIBVIRT_TEMPLATE {
 #include abstractions/libvirt-qemu
   }
 
 What other information can I provide, or what else should I test?
 
 Also note that I had to add the following line to
 usr.lib.libvirt.virt-aa-helper, in order to silence an AppArmor denial
 log:
 
   /etc/libnl-3/classid r,
 
 Should this be added to the upstream profile, as is or prefixed by
 deny?
 
 Cheers,
 





Re: [libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

2015-05-19 Thread intrigeri
Hi Stefan,

any news on what follows? Now that Ubuntu 15.04 has been released,
perhaps you'll be able to allocate some cycles to it? :)

intrigeri wrote (11 Feb 2015 14:58:54 GMT) :
 Hi Stefan and others,

 Stefan Bader wrote (21 Oct 2014 11:50:24 GMT) :
 On 20.10.2014 12:48, Stefan Bader wrote:
 On 19.10.2014 17:07, intrigeri wrote:
 Cool, I've tested this. I've imported these two patches in Debian's
 1.2.9-3 quilt series, made the build system use dh-autoreconf (the
 build system in the tarball wants aclocal 1.13, while Debian sid has
 1.14), and added a build-dep on libapparmor-dev to get the needed
 pkg-config file.

 I've given a try to your last set of patches. Sorry for the delay.
 Here's what I did:

 1. Checkout the Vcs-Git libvirt packaging repo for Debian unstable,
currently at 1.2.9-9
 2. Make the build system use dh-autoreconf as previously
 3. Added the build-dep on libapparmor-dev as previously
 4. Hacked debian/rules to make examples/apparmor/profile-preprocess
(created by your patches) executable before it's executed.
This won't be needed anymore once the patches are upstreamed.
 5. Build in a clean Debian unstable chroot, which now works.
Progress :)
 6. Install the resulting binary packages on a sid system with
a working libvirt setup.
 7. In /etc/libvirt/qemu.conf, set security_driver = apparmor
 8. Restart libvirtd.
 9. Start a VM with virsh or virt-manager

 = here's what I see:

   error: Failed to start domain tails-dev
   error: internal error: cannot load AppArmor profile 
 'libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef'

 And the Journal says:

   libvirtd[20351]: internal error: Child process 
 (/usr/lib/libvirt/virt-aa-helper -p 0 -c -u 
 libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef) unexpected exit status 1: 
 virt-aa-helper: error: template does not exist
virt-aa-helper: error: could not create profile
   libvirtd[20351]: internal error: cannot load AppArmor profile 
 'libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef'

 So I naively tried to do it by hand:

   $ virsh dumpxml tails-dev | sudo /usr/lib/libvirt/virt-aa-helper -p 0 -c -u 
 libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef 
   virt-aa-helper: error: template does not exist
   virt-aa-helper: error: could not create profile

 I do have a template in place:

   $ cat /etc/apparmor.d/libvirt/TEMPLATE.qemu
   #
   # This profile is for the domain whose UUID matches this file.
   #

   #include tunables/global

   profile LIBVIRT_TEMPLATE {
 #include abstractions/libvirt-qemu
   }

 What other information can I provide, or what else should I test?

 Also note that I had to add the following line to
 usr.lib.libvirt.virt-aa-helper, in order to silence an AppArmor denial
 log:

   /etc/libnl-3/classid r,

 Should this be added to the upstream profile, as is or prefixed by
 deny?

 Cheers,

-- 
intrigeri



Re: [libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

2015-02-11 Thread intrigeri
Hi Stefan and others,

Stefan Bader wrote (21 Oct 2014 11:50:24 GMT) :
 On 20.10.2014 12:48, Stefan Bader wrote:
 On 19.10.2014 17:07, intrigeri wrote:
 Cool, I've tested this. I've imported these two patches in Debian's
 1.2.9-3 quilt series, made the build system use dh-autoreconf (the
 build system in the tarball wants aclocal 1.13, while Debian sid has
 1.14), and added a build-dep on libapparmor-dev to get the needed
 pkg-config file.

I've given a try to your last set of patches. Sorry for the delay.
Here's what I did:

1. Checkout the Vcs-Git libvirt packaging repo for Debian unstable,
   currently at 1.2.9-9
2. Make the build system use dh-autoreconf as previously
3. Added the build-dep on libapparmor-dev as previously
4. Hacked debian/rules to make examples/apparmor/profile-preprocess
   (created by your patches) executable before it's executed.
   This won't be needed anymore once the patches are upstreamed.
5. Build in a clean Debian unstable chroot, which now works.
   Progress :)
6. Install the resulting binary packages on a sid system with
   a working libvirt setup.
7. In /etc/libvirt/qemu.conf, set security_driver = apparmor
8. Restart libvirtd.
9. Start a VM with virsh or virt-manager

= here's what I see:

  error: Failed to start domain tails-dev
  error: internal error: cannot load AppArmor profile 
'libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef'

And the Journal says:

  libvirtd[20351]: internal error: Child process 
(/usr/lib/libvirt/virt-aa-helper -p 0 -c -u 
libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef) unexpected exit status 1: 
virt-aa-helper: error: template does not exist
   virt-aa-helper: error: could not create profile
  libvirtd[20351]: internal error: cannot load AppArmor profile 
'libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef'

So I naively tried to do it by hand:

  $ virsh dumpxml tails-dev | sudo /usr/lib/libvirt/virt-aa-helper -p 0 -c -u 
libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef 
  virt-aa-helper: error: template does not exist
  virt-aa-helper: error: could not create profile

I do have a template in place:

  $ cat /etc/apparmor.d/libvirt/TEMPLATE.qemu
  #
  # This profile is for the domain whose UUID matches this file.
  #
  
  #include tunables/global
  
  profile LIBVIRT_TEMPLATE {
#include abstractions/libvirt-qemu
  }


What other information can I provide, or what else should I test?


Also note that I had to add the following line to
usr.lib.libvirt.virt-aa-helper, in order to silence an AppArmor denial
log:

  /etc/libnl-3/classid r,

Should this be added to the upstream profile, as is or prefixed by
deny?

Cheers,
-- 
intrigeri



Re: [libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

2014-10-21 Thread Stefan Bader
On 20.10.2014 12:48, Stefan Bader wrote:
 On 19.10.2014 17:07, intrigeri wrote:
 Hi Stefan,

 Stefan Bader wrote (19 Oct 2014 11:07:40 GMT) :
 Yeah, I actually did but it felt a bit hackish but then I am told anything looks
 a bit hackish when it involves autoconf. These are again against upstream
 libvirt mostly because the last touch timestamps always clash otherwise.

 Cool, I've tested this. I've imported these two patches in Debian's
 1.2.9-3 quilt series, made the build system use dh-autoreconf (the
 build system in the tarball wants aclocal 1.13, while Debian sid has
 1.14), and added a build-dep on libapparmor-dev to get the needed
 pkg-config file.

 Attempting to build the resulting source package in a clean sid chroot
 fails here:

   Making all in examples/apparmor
   make[3]: Entering directory 
 '/tmp/buildd/libvirt-1.2.9/debian/build/examples/apparmor'
   make[3]: Circular ../../config.h <- ../../config.h dependency dropped.
   ./profile-preprocess ../../../../examples/apparmor/libvirt-qemu.in 
 libvirt-qemu
   ./profile-preprocess ../../../../examples/apparmor/libvirt-lxc.in 
 libvirt-lxc
   ./profile-preprocess 
 ../../../../examples/apparmor/usr.lib.libvirt.virt-aa-helper.in 
 usr.lib.libvirt.virt-aa-helper
   ./profile-preprocess ../../../../examples/apparmor/usr.sbin.libvirtd.in 
 usr.sbin.libvirtd
   make[3]: *** No rule to make target 'local-usr.sbin.libvirtd', needed by 
 'all-am'.  Stop.
   make[3]: *** Waiting for unfinished jobs
   /bin/bash: ./profile-preprocess: No such file or directory
   /bin/bash: ./profile-preprocess: No such file or directory
   Makefile:2068: recipe for target 'libvirt-qemu' failed
   make[3]: *** [libvirt-qemu] Error 127
   Makefile:2068: recipe for target 'libvirt-lxc' failed
   make[3]: *** [libvirt-lxc] Error 127
   /bin/bash: ./profile-preprocess: No such file or directory
   /bin/bash: ./profile-preprocess: No such file or directory
   Makefile:2068: recipe for target 'usr.lib.libvirt.virt-aa-helper' failed
   make[3]: *** [usr.lib.libvirt.virt-aa-helper] Error 127
   Makefile:2068: recipe for target 'usr.sbin.libvirtd' failed
   make[3]: *** [usr.sbin.libvirtd] Error 127
   make[3]: Leaving directory 
 '/tmp/buildd/libvirt-1.2.9/debian/build/examples/apparmor'
   Makefile:1979: recipe for target 'all-recursive' failed
   make[2]: *** [all-recursive] Error 1
   make[2]: Leaving directory '/tmp/buildd/libvirt-1.2.9/debian/build'
   Makefile:1877: recipe for target 'all' failed
   make[1]: *** [all] Error 2
   make[1]: Leaving directory '/tmp/buildd/libvirt-1.2.9/debian/build'
   dh_auto_build: make -j5 returned exit code 2
   debian/rules:126: recipe for target 'build' failed
   make: *** [build] Error 2

 Any hint?
 
 Hm, partially this sounds like the preprocess script is not where it should be
 and the other part looks like not finding any local-usr-sbin. Could likely be
 that I need to do something better to make things work in place (as the upstream
 libvirt instructions suggest) as well as with separate object tree (as it is in
 Debian). I also saw something about circular dependency on config.h which
 probably slipped my attention. For most of the problems I guess adding something
 like $(srcdir) (need to look what this would be actually called) to the
 pre-process script's path as well as to the .in files..

Turns out that this first attempt was not too good at all. First it does not
help to mis-name the new local .in file. Then, using the wildcard form actually
causes many more files to be touched than intended (the circular reference
hinted that). Lastly I found it might be good to also do something about cleanup.
Hope this version works better in general.

-Stefan

From 3715e3a3aa29543e38afc6ec97296866b2977e11 Mon Sep 17 00:00:00 2001
From: Stefan Bader stefan.ba...@canonical.com
Date: Mon, 13 Oct 2014 11:31:59 +0200
Subject: [PATCH 1/2] examples/apparmor: Add ability to add versioned features

Adds APPARMOR_VERSION_NUMBER to config.h which by default is set to the
apparmor library version (major*1000+minor). It can be overridden by
the distro by supplying --with-apparmor-profiles-version=version.

Signed-off-by: Stefan Bader stefan.ba...@canonical.com
---
 configure.ac   |  22 
 examples/apparmor/Makefile.am  |  18 +++
 examples/apparmor/libvirt-lxc  | 116 -
 examples/apparmor/libvirt-lxc.in   | 116 +
 examples/apparmor/libvirt-qemu | 144 -
 examples/apparmor/libvirt-qemu.in  | 144 +
 examples/apparmor/profile-preprocess   |  21 +++
 examples/apparmor/usr.lib.libvirt.virt-aa-helper   |  48 ---
 .../apparmor/usr.lib.libvirt.virt-aa-helper.in |  48 +++
 examples/apparmor/usr.sbin.libvirtd|  63 -
 examples/apparmor/usr.sbin.libvirtd.in |  63 +
 11 files changed, 

Re: [libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

2014-10-20 Thread Stefan Bader
On 19.10.2014 17:07, intrigeri wrote:
 Hi Stefan,
 
 Stefan Bader wrote (19 Oct 2014 11:07:40 GMT) :
 Yeah, I actually did but it felt a bit hackish but then I am told anything looks
 a bit hackish when it involves autoconf. These are again against upstream
 libvirt mostly because the last touch timestamps always clash otherwise.
 
 Cool, I've tested this. I've imported these two patches in Debian's
 1.2.9-3 quilt series, made the build system use dh-autoreconf (the
 build system in the tarball wants aclocal 1.13, while Debian sid has
 1.14), and added a build-dep on libapparmor-dev to get the needed
 pkg-config file.
 
 Attempting to build the resulting source package in a clean sid chroot
 fails here:
 
   Making all in examples/apparmor
   make[3]: Entering directory 
 '/tmp/buildd/libvirt-1.2.9/debian/build/examples/apparmor'
   make[3]: Circular ../../config.h <- ../../config.h dependency dropped.
   ./profile-preprocess ../../../../examples/apparmor/libvirt-qemu.in 
 libvirt-qemu
   ./profile-preprocess ../../../../examples/apparmor/libvirt-lxc.in 
 libvirt-lxc
   ./profile-preprocess 
 ../../../../examples/apparmor/usr.lib.libvirt.virt-aa-helper.in 
 usr.lib.libvirt.virt-aa-helper
   ./profile-preprocess ../../../../examples/apparmor/usr.sbin.libvirtd.in 
 usr.sbin.libvirtd
   make[3]: *** No rule to make target 'local-usr.sbin.libvirtd', needed by 
 'all-am'.  Stop.
   make[3]: *** Waiting for unfinished jobs
   /bin/bash: ./profile-preprocess: No such file or directory
   /bin/bash: ./profile-preprocess: No such file or directory
   Makefile:2068: recipe for target 'libvirt-qemu' failed
   make[3]: *** [libvirt-qemu] Error 127
   Makefile:2068: recipe for target 'libvirt-lxc' failed
   make[3]: *** [libvirt-lxc] Error 127
   /bin/bash: ./profile-preprocess: No such file or directory
   /bin/bash: ./profile-preprocess: No such file or directory
   Makefile:2068: recipe for target 'usr.lib.libvirt.virt-aa-helper' failed
   make[3]: *** [usr.lib.libvirt.virt-aa-helper] Error 127
   Makefile:2068: recipe for target 'usr.sbin.libvirtd' failed
   make[3]: *** [usr.sbin.libvirtd] Error 127
   make[3]: Leaving directory 
 '/tmp/buildd/libvirt-1.2.9/debian/build/examples/apparmor'
   Makefile:1979: recipe for target 'all-recursive' failed
   make[2]: *** [all-recursive] Error 1
   make[2]: Leaving directory '/tmp/buildd/libvirt-1.2.9/debian/build'
   Makefile:1877: recipe for target 'all' failed
   make[1]: *** [all] Error 2
   make[1]: Leaving directory '/tmp/buildd/libvirt-1.2.9/debian/build'
   dh_auto_build: make -j5 returned exit code 2
   debian/rules:126: recipe for target 'build' failed
   make: *** [build] Error 2
 
 Any hint?

Hm, partially this sounds like the preprocess script is not where it should be
and the other part looks like not finding any local-usr-sbin. Could likely be
that I need to do something better to make things work in place (as the upstream
libvirt instructions suggest) as well as with separate object tree (as it is in
Debian). I also saw something about circular dependency on config.h which
probably slipped my attention. For most of the problems I guess adding something
like $(srcdir) (need to look what this would be actually called) to the
pre-process script's path as well as to the .in files..

-Stefan
 
 Cheers,
 





Re: [libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

2014-10-19 Thread Stefan Bader
On 18.10.2014 23:12, intrigeri wrote:
 Hi,
 
 Daniel P. Berrange wrote (01 Oct 2014 14:54:43 GMT) :
 Agreed, the libvirt upstream distributed file should do version checks
 based on official apparmor releases, and distros can tweak versions if
 they have backported features.
 
 So, it seems that we've reached a consensus that adding version
 checking machinery makes sense. Great :)
 
 Stefan, do you plan to implement it? One way to go could be to
 implement and upload it first in Ubuntu: the rest of the delta is
 already there anyway, so it's not as if it changed the current
 situation much; and then, it also makes it easy to test the version
 checks on Debian, for added confidence, before submitting the
 patch upstream.
 
 Note: once this machinery is in place, ideally distros should rebuild
 their libvirt binary packages when they introduce new AppArmor parser
 features -- which is effectively a transition, in Debian-speak.
 
 Cheers,
 
Yeah, I actually did but it felt a bit hackish but then I am told anything looks
a bit hackish when it involves autoconf. These are again against upstream
libvirt mostly because the last touch timestamps always clash otherwise. I tried
to do two steps, one introducing the machinery and the second to add the
changes. That way the vast looking delta of the first patch boils down to mostly
renames.

-Stefan


From 5d0c61d3e9df6a4f58ac933d1fadc9b36eff2dce Mon Sep 17 00:00:00 2001
From: Stefan Bader stefan.ba...@canonical.com
Date: Mon, 13 Oct 2014 11:31:59 +0200
Subject: [PATCH 1/2] examples/apparmor: Add ability to add versioned features

Adds APPARMOR_VERSION_NUMBER to config.h which by default is set to the
apparmor library version (major*1000+minor). It can be overridden by
the distro by supplying --with-apparmor-profiles-version=version.

Signed-off-by: Stefan Bader stefan.ba...@canonical.com
---
 configure.ac   |  22 
 examples/apparmor/Makefile.am  |   3 +
 examples/apparmor/libvirt-lxc  | 116 -
 examples/apparmor/libvirt-lxc.in   | 116 +
 examples/apparmor/libvirt-qemu | 144 -
 examples/apparmor/libvirt-qemu.in  | 144 +
 examples/apparmor/profile-preprocess   |  21 +++
 examples/apparmor/usr.lib.libvirt.virt-aa-helper   |  48 ---
 .../apparmor/usr.lib.libvirt.virt-aa-helper.in |  48 +++
 examples/apparmor/usr.sbin.libvirtd|  63 -
 examples/apparmor/usr.sbin.libvirtd.in |  63 +
 11 files changed, 417 insertions(+), 371 deletions(-)
 delete mode 100644 examples/apparmor/libvirt-lxc
 create mode 100644 examples/apparmor/libvirt-lxc.in
 delete mode 100644 examples/apparmor/libvirt-qemu
 create mode 100644 examples/apparmor/libvirt-qemu.in
 create mode 100755 examples/apparmor/profile-preprocess
 delete mode 100644 examples/apparmor/usr.lib.libvirt.virt-aa-helper
 create mode 100644 examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
 delete mode 100644 examples/apparmor/usr.sbin.libvirtd
 create mode 100644 examples/apparmor/usr.sbin.libvirtd.in

diff --git a/configure.ac b/configure.ac
index f7b02ff..42cf073 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1490,6 +1490,28 @@ if test $with_apparmor = no; then
 fi
 AM_CONDITIONAL([WITH_APPARMOR_PROFILES], [test $with_apparmor_profiles != no])
 
+AC_ARG_WITH([apparmor-profiles-version],
+  [AS_HELP_STRING([--with-apparmor-profiles-version],
+[install apparmor profiles for apparmor version @:@default=check@:@])],
+  [],
+  [with_apparmor_profiles_version=check])
+if test $with_apparmor_profiles = no; then
+  with_apparmor_profiles_version=no
+fi
+if test $with_apparmor_profiles_version = check; then
+  APPARMOR_VERSION=`pkg-config --modversion libapparmor|cut -d. -f1-2`
+elif test $with_apparmor_profiles_version != no; then
+  APPARMOR_VERSION=$withval
+fi
+if test $with_apparmor_profiles_version != no; then
+  APPARMOR_MAJOR_VERSION=`echo $APPARMOR_VERSION|cut -d. -f1`
+  APPARMOR_MINOR_VERSION=`echo $APPARMOR_VERSION|cut -d. -f2`
+  APPARMOR_VERSION_NUMBER=`expr $APPARMOR_MAJOR_VERSION \* 1000 + $APPARMOR_MINOR_VERSION`
+  AC_DEFINE_UNQUOTED([APPARMOR_VERSION_NUMBER],
+$APPARMOR_VERSION_NUMBER,
+[Version number of apparmor library (for profile features)])
+fi
+
 dnl DTrace static probes
 AC_ARG_WITH([dtrace],
   [AS_HELP_STRING([--with-dtrace],
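Review bot: the `check` branch has no failure path when libapparmor's pkg-config data is absent: `pkg-config --modversion libapparmor` prints nothing, the `expr` line then fails, and `AC_DEFINE_UNQUOTED` still writes `APPARMOR_VERSION_NUMBER` into config.h with an empty value, so the templates get expanded against no version at all (the build-dep on libapparmor-dev that intrigeri had to add is this dependency surfacing the hard way). Probe it with `PKG_CHECK_MODULES([APPARMOR], [libapparmor])`, or test `$APPARMOR_VERSION` and `AC_MSG_ERROR` when it is empty. In the `elif` branch, `APPARMOR_VERSION=$withval` reads a variable that `AC_ARG_WITH` sets only when the option was passed, and that any `AC_ARG_WITH` inserted above it later would clobber; `$with_apparmor_profiles_version` already holds the value and is the robust one to use. Also, `cut -d. -f1-2` keeps major.minor only, so the 2.8.95 parser the cover letter worries about encodes as 2008 like any other 2.8; that is a reasonable default, but the help string should say that the override exists for exactly that case.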
diff --git a/examples/apparmor/Makefile.am b/examples/apparmor/Makefile.am
index 7a20e16..4712b8d 100644
--- a/examples/apparmor/Makefile.am
+++ b/examples/apparmor/Makefile.am
@@ -40,4 +40,7 @@ templates_DATA = \
 	TEMPLATE.qemu \
 	TEMPLATE.lxc \
 	$(NULL)
+
+%:	%.in profile-preprocess ../../config.h
+	./profile-preprocess $ $@
 endif WITH_APPARMOR_PROFILES
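Review bot: `%: %.in profile-preprocess ../../config.h` is a pattern rule for every target in the directory, so it also matches `../../config.h` itself (the `Circular ../../config.h <- ../../config.h dependency dropped` line in the failing build) and anything else make is asked to build, and its recipe runs `./profile-preprocess` relative to the build directory, which is why an out-of-tree build such as Debian's `debian/build` reports `./profile-preprocess: No such file or directory`. Name the four generated profiles explicitly with a static pattern rule (`$(PROFILES): %: %.in $(srcdir)/profile-preprocess ../../config.h`), invoke `$(srcdir)/profile-preprocess`, and list the outputs in `CLEANFILES` so `make clean` and `distclean` remove them; automake also flags bare `%` rules as a GNU make extension, so the static form avoids a portability warning as well.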
diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc
deleted file mode 100644
index 4bfb503..000
--- 

Re: [libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

2014-10-19 Thread intrigeri
Hi Stefan,

Stefan Bader wrote (19 Oct 2014 11:07:40 GMT) :
 Yeah, I actually did but it felt a bit hackish but then I am told anything looks
 a bit hackish when it involves autoconf. These are again against upstream
 libvirt mostly because the last touch timestamps always clash otherwise.

Cool, I've tested this. I've imported these two patches in Debian's
1.2.9-3 quilt series, made the build system use dh-autoreconf (the
build system in the tarball wants aclocal 1.13, while Debian sid has
1.14), and added a build-dep on libapparmor-dev to get the needed
pkg-config file.

Attempting to build the resulting source package in a clean sid chroot
fails here:

  Making all in examples/apparmor
  make[3]: Entering directory 
'/tmp/buildd/libvirt-1.2.9/debian/build/examples/apparmor'
  make[3]: Circular ../../config.h <- ../../config.h dependency dropped.
  ./profile-preprocess ../../../../examples/apparmor/libvirt-qemu.in 
libvirt-qemu
  ./profile-preprocess ../../../../examples/apparmor/libvirt-lxc.in libvirt-lxc
  ./profile-preprocess 
../../../../examples/apparmor/usr.lib.libvirt.virt-aa-helper.in 
usr.lib.libvirt.virt-aa-helper
  ./profile-preprocess ../../../../examples/apparmor/usr.sbin.libvirtd.in 
usr.sbin.libvirtd
  make[3]: *** No rule to make target 'local-usr.sbin.libvirtd', needed by 
'all-am'.  Stop.
  make[3]: *** Waiting for unfinished jobs
  /bin/bash: ./profile-preprocess: No such file or directory
  /bin/bash: ./profile-preprocess: No such file or directory
  Makefile:2068: recipe for target 'libvirt-qemu' failed
  make[3]: *** [libvirt-qemu] Error 127
  Makefile:2068: recipe for target 'libvirt-lxc' failed
  make[3]: *** [libvirt-lxc] Error 127
  /bin/bash: ./profile-preprocess: No such file or directory
  /bin/bash: ./profile-preprocess: No such file or directory
  Makefile:2068: recipe for target 'usr.lib.libvirt.virt-aa-helper' failed
  make[3]: *** [usr.lib.libvirt.virt-aa-helper] Error 127
  Makefile:2068: recipe for target 'usr.sbin.libvirtd' failed
  make[3]: *** [usr.sbin.libvirtd] Error 127
  make[3]: Leaving directory 
'/tmp/buildd/libvirt-1.2.9/debian/build/examples/apparmor'
  Makefile:1979: recipe for target 'all-recursive' failed
  make[2]: *** [all-recursive] Error 1
  make[2]: Leaving directory '/tmp/buildd/libvirt-1.2.9/debian/build'
  Makefile:1877: recipe for target 'all' failed
  make[1]: *** [all] Error 2
  make[1]: Leaving directory '/tmp/buildd/libvirt-1.2.9/debian/build'
  dh_auto_build: make -j5 returned exit code 2
  debian/rules:126: recipe for target 'build' failed
  make: *** [build] Error 2

Any hint?

Cheers,
-- 
intrigeri



Re: [libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

2014-10-18 Thread intrigeri
Hi,

Daniel P. Berrange wrote (01 Oct 2014 14:54:43 GMT) :
 Agreed, the libvirt upstream distributed file should do version checks
 based on official apparmor releases, and distros can tweak versions if
 they have backported features.

So, it seems that we've reached a consensus that adding version
checking machinery makes sense. Great :)

Stefan, do you plan to implement it? One way to go could be to
implement and upload it first in Ubuntu: the rest of the delta is
already there anyway, so it's not as if it changed the current
situation much; and then, it also makes it easy to test the version
checks on Debian, for added confidence, before submitting the
patch upstream.

Note: once this machinery is in place, ideally distros should rebuild
their libvirt binary packages when they introduce new AppArmor parser
features -- which is effectively a transition, in Debian-speak.

Cheers,
-- 
intrigeri



Re: [libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

2014-10-06 Thread intrigeri
Hi,

Daniel P. Berrange wrote (01 Oct 2014 09:04:09 GMT) :
 I think it would be pretty reasonable to rename the files in have '.in'
 suffixes, and then have a build script that expands 'if APPARMOR_VERSION'
 conditionals to generate the final file.

I agree it's the way to go, to avoid that each distro shipping
a different version writes the same kind of hacks.

Cheers,
-- 
intrigeri

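Added example, not code from this thread or from libvirt: a POSIX sh sketch of the version-guard machinery Daniel and intrigeri agree on above and that Stefan's later patch implements with configure.ac, a `profile-preprocess` script and `.in` templates (the script itself is not shown on this page). It derives APPARMOR_VERSION_NUMBER the same way the configure.ac hunk does (major*1000+minor), reads it back out of a config.h, and expands `#if APPARMOR_VERSION_NUMBER >= N` ... `#endif` blocks in a template. The guard syntax, the function names and the sample rules are assumptions made for this example. It also shows why the thread wants a distro override: 2.8.95 and 2.8.95~2430 both encode as 2008, so a backported parser feature is invisible to the default probe.

```shell
#!/bin/sh
# Added example, not the profile-preprocess script from Stefan's patch (the
# page does not show that script). It sketches the two pieces the thread
# proposes: turning an apparmor version string into APPARMOR_VERSION_NUMBER
# (major*1000+minor, as in the configure.ac hunk) and expanding
# version-guarded blocks in a profile template.
#
# Assumed template syntax (chosen for this example, not libvirt's):
#   #if APPARMOR_VERSION_NUMBER >= 2009
#     signal,
#   #endif
# Only ">=" and "<" are accepted and guards do not nest.

# version_number 2.8.95 -> 2008. Everything after the minor number is
# dropped, so 2.8.95 and 2.8.95~2430 both become 2008: backported parser
# features are invisible here, which is what the distro override is for.
version_number() {
    major=${1%%.*}
    rest=${1#*.}
    if [ "$rest" = "$1" ]; then
        minor=0                       # bare "3" -> 3000
    else
        minor=${rest%%.*}
        minor=${minor%%[!0-9]*}       # "8~2430" -> "8"
    fi
    for n in "$major" "$minor"; do
        case $n in
            ''|*[!0-9]*) echo "version_number: bad version '$1'" >&2; return 1 ;;
        esac
    done
    echo $((major * 1000 + minor))
}

# config_h_version < config.h -> the number configure wrote with
# AC_DEFINE_UNQUOTED (the Makefile rule depends on ../../config.h for it).
config_h_version() {
    sed -n 's/^#define APPARMOR_VERSION_NUMBER[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# preprocess VERSION_NUMBER < profile.in > profile
preprocess() {
    want=$1
    emit=1        # 1 outside a guard or inside a satisfied one
    depth=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '#if APPARMOR_VERSION_NUMBER '*)
                if [ "$depth" -ne 0 ]; then
                    echo "preprocess: nested #if is not supported" >&2; return 1
                fi
                set -- $line          # $3 = operator, $4 = version number
                case $4 in
                    ''|*[!0-9]*) echo "preprocess: bad guard: $line" >&2; return 1 ;;
                esac
                case $3 in
                    '>=') if [ "$want" -ge "$4" ]; then emit=1; else emit=0; fi ;;
                    '<')  if [ "$want" -lt "$4" ]; then emit=1; else emit=0; fi ;;
                    *)    echo "preprocess: bad guard: $line" >&2; return 1 ;;
                esac
                depth=1 ;;
            '#endif'*)
                if [ "$depth" -eq 0 ]; then
                    echo "preprocess: #endif without #if" >&2; return 1
                fi
                depth=0; emit=1 ;;
            *)
                if [ "$emit" -eq 1 ]; then printf '%s\n' "$line"; fi ;;
        esac
    done
    if [ "$depth" -ne 0 ]; then
        echo "preprocess: missing #endif" >&2; return 1
    fi
}

# Constructed sample template for the demonstration; not a real libvirt file.
# The guarded rules are the ones the cover letter says need a newer parser.
SAMPLE_TEMPLATE='  capability sys_admin,
#if APPARMOR_VERSION_NUMBER >= 2009
  signal,
  ptrace,
#endif
  /dev/null rw,'

# Render the sample for one configured parser version, one line per "|".
render_sample() {
    printf '%s\n' "$SAMPLE_TEMPLATE" | preprocess "$1" | tr '\n' '|'
}

for v in 2.8.95 2.8.95~2430 2.9; do
    n=$(version_number "$v")
    echo "== apparmor $v -> APPARMOR_VERSION_NUMBER=$n"
    printf '%s\n' "$SAMPLE_TEMPLATE" | preprocess "$n"
done
```

In a Makefile.am rule of the shape the patch adds, the equivalent call would be `preprocess "$$(config_h_version < ../../config.h)" < $< > $@`, with both the script and the `.in` templates referenced through `$(srcdir)` so that an out-of-tree build like Debian's finds them. Because the version is frozen into the binary package at configure time, a distro that later ships a newer parser has to rebuild libvirt to pick up the newly enabled rules, which is the transition intrigeri mentions above.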


[libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

2014-10-01 Thread Stefan Bader
This had been on the Debian package list before but it's time to take
this onwards. So the goal would be to have one set to rule them all
(when using apparmor) and drop the separate set of definitions which
exist at least in the Ubuntu packaging.

Right now the patch would be at a state which adds all missing files
and rules to the current examples in libvirt and installs them when
using --with-apparmor-profiles.

One problem seems to be that some of the definitions might cause
parse failures on certain versions of apparmor. I checked this morning
and this looks a bit hairy. So some apparmor 2.8 versions potentially
have issues, but not all apparmor 2.8 are the same (gah).

I could imagine (but John, we really could use some guidance here ;))
that at least some changes could be related to version 2.8.95~2430:

+ debian/patches/mediate-signals.patch,
  debian/patches/change-signal-syntax.patch: Parse signal rules with
  apparmor_parser. See the apparmor.d(5) man page for syntax details.
+ debian/patches/change-ptrace-syntax.patch,
  debian/patches/mediate-ptrace.patch: Parse ptrace rules with
  apparmor_parser. See the apparmor.d(5) man page for syntax details.

But, regardless of the when, the apparmor rules maybe need a way to handle
versioned features of the parser. One proposal was to comment out problematic
rules and allow the packager to re-enable things. Maybe going one step
further and have some pre-processing that handles version based sections
(like #if (APPARMOR_VERSION >= xxx)).

So that is where we stand. Ideas are very welcome.

-Stefan

---

From aec5cf8cc30c80492a37856626264c3d4c27a31f Mon Sep 17 00:00:00 2001
From: Stefan Bader stefan.ba...@canonical.com
Date: Thu, 18 Sep 2014 14:15:17 +0200
Subject: [PATCH] Add missing delta from Ubuntu to apparmor profiles

This fixes up the upstream profiles and would allow dropping the apparmor
related delta from the Ubuntu package.
Thanks to Serge Hallyn for the Makefile.am install hook that allows
renaming the local file.

Signed-off-by: Stefan Bader stefan.ba...@canonical.com
---
 examples/apparmor/Makefile.am| 10 
 examples/apparmor/libvirt-lxc| 15 +++-
 examples/apparmor/libvirt-qemu   | 31 +++-
 examples/apparmor/local-usr.sbin.libvirtd|  2 ++
 examples/apparmor/usr.lib.libvirt.virt-aa-helper | 25 ---
 examples/apparmor/usr.sbin.libvirtd  | 17 -
 6 files changed, 94 insertions(+), 6 deletions(-)
 create mode 100644 examples/apparmor/local-usr.sbin.libvirtd

diff --git a/examples/apparmor/Makefile.am b/examples/apparmor/Makefile.am
index 7a20e16..aa46cb9 100644
--- a/examples/apparmor/Makefile.am
+++ b/examples/apparmor/Makefile.am
@@ -20,6 +20,7 @@ EXTRA_DIST=   \
libvirt-qemu\
libvirt-lxc \
usr.lib.libvirt.virt-aa-helper  \
+   local-usr.sbin.libvirtd \
usr.sbin.libvirtd
 
 if WITH_APPARMOR_PROFILES
@@ -29,6 +30,15 @@ apparmor_DATA = \
usr.sbin.libvirtd \
$(NULL)
 
+localdir = $(apparmordir)/local
+local_DATA = \
+   local-usr.sbin.libvirtd \
+   $(NULL)
+
+install-data-hook:
+   mv $(DESTDIR)$(localdir)/local-usr.sbin.libvirtd \
+  $(DESTDIR)$(localdir)/usr.sbin.libvirtd
+
 abstractionsdir = $(apparmordir)/abstractions
 abstractions_DATA = \
libvirt-qemu \
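Review bot: the install-data-hook (`mv $(DESTDIR)$(localdir)/local-usr.sbin.libvirtd \` / `$(DESTDIR)$(localdir)/usr.sbin.libvirtd`) overwrites whatever an administrator has already put in `local/usr.sbin.libvirtd` on every `make install`, which defeats the purpose of a `local/` override file that exists for site-specific additions; consider only installing it when the target does not exist yet, or leave the overwrite decision to the packaging's conffile handling. Because the rename happens after automake's own install step, the generated `uninstall` target will also look for `local-usr.sbin.libvirtd` (the name in `local_DATA`) and leave the renamed file behind; an `uninstall-hook` that removes `$(DESTDIR)$(localdir)/usr.sbin.libvirtd` keeps install and uninstall symmetric and lets `make distcheck` pass.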
diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc
index 4bfb503..4705e0a 100644
--- a/examples/apparmor/libvirt-lxc
+++ b/examples/apparmor/libvirt-lxc
@@ -1,12 +1,18 @@
-# Last Modified: Fri Feb  7 13:01:36 2014
+# Last Modified: Thu, 18 Sep 2014 13:56:49 +0200
 
   #include abstractions/base
 
   umount,
+  dbus,
+  signal,
+  ptrace,
 
   # ignore DENIED message on / remount
   deny mount options=(ro, remount) - /,
 
+  # support use of cgmanager proxy
+  mount options=(move) /sys/fs/cgroup/cgmanager/ - 
/sys/fs/cgroup/cgmanager.lower/,
+
   # allow tmpfs mounts everywhere
   mount fstype=tmpfs,
 
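Review bot: the three new bare rules `dbus,`, `signal,` and `ptrace,` carry no qualifier, so they permit every dbus operation, every signal in both directions with any peer, and ptrace of any peer the kernel otherwise allows, which is far wider than the per-rule mount permissions this abstraction otherwise uses. They are also exactly the keywords the thread identifies as failing to parse on stock apparmor 2.8, so they are the lines that need the version gating under discussion; while they are being touched they could be narrowed (for example `signal` and `ptrace` with `peer=` limited to the container's own label) and given an explanatory comment like the one on the `mount options=(move) /sys/fs/cgroup/cgmanager/` rule, so that packagers can judge whether to carry them.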
@@ -33,8 +39,15 @@
   mount fstype=fusectl - /sys/fs/fuse/connections/,
   mount fstype=securityfs - /sys/kernel/security/,
   mount fstype=debugfs - /sys/kernel/debug/,
+  deny mount fstype=debugfs - /var/lib/ureadahead/debugfs/,
   mount fstype=proc - /proc/,
   mount fstype=sysfs - /sys/,
+
+  mount options=(rw nosuid nodev noexec remount) - /sys/,
+  mount options=(rw remount) - /sys/kernel/security/,
+  mount options=(rw remount) - /sys/fs/pstore/,
+  mount options=(ro remount) - /sys/fs/pstore/,
+
   deny /sys/firmware/efi/efivars/** rwklx,
   deny /sys/kernel/security/** rwklx,
 
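Review bot: the new `deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/` line and the four remount rules for `/sys/`, `/sys/kernel/security/` and `/sys/fs/pstore/` have no comment saying why they are needed, unlike the rules around them (`# ignore DENIED message on / remount`, `# support use of cgmanager proxy`). ureadahead in particular is Ubuntu-specific, so an upstream reader cannot tell whether the deny exists only to silence an audit message or to block something that matters; a one-line comment per group would make this part of the delta reviewable and keep the upstream file self-explanatory.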
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index c6de6dd..b69e64c 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -1,4 +1,4 @@
-# Last Modified: Wed Sep 3 21:52:03 2014
+# Last Modified: Thu, 18 Sep 2014 16:41:21 
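Review bot: this hunk, like the first one in libvirt-lxc, changes only the `# Last Modified:` line that the aa-logprof/aa-genprof tooling rewrites, so every profile touch produces a diff even when no rule changed; consider dropping those timestamp lines from the upstream examples or leaving them out of the patch. The hunk is also cut off after the timestamp line, so the 31-line libvirt-qemu change listed in the diffstat cannot be reviewed from what is shown here.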

Re: [libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

2014-10-01 Thread Daniel P. Berrange
On Wed, Oct 01, 2014 at 10:30:58AM +0200, Stefan Bader wrote:
 This had been on the Debian package list before but it's time to take
 this onwards. So the goal would be to have one set to rule them all
 (when using apparmor) and drop the separate set of definitions which
 exist at least in the Ubuntu packaging.
 
 Right now the patch would be at a state which adds all missing files
 and rules to the current examples in libvirt and installs them when
 using --with-apparmor-profiles.
 
 One problem seems to be that some of the definitions might cause
 parse failures on certain versions of apparmor. I checked this morning
 and this looks a bit hairy. So some apparmor 2.8 versions potentially
 have issues, but not all apparmor 2.8 are the same (gah).

What versions of apparmor are present in the currently supported
versions of Debian & Ubuntu ?

 I could imagine (but John, we really could use some guidance here ;))
 that at least some changes could be related to version 2.8.95~2430:
 
 + debian/patches/mediate-signals.patch,
   debian/patches/change-signal-syntax.patch: Parse signal rules with
   apparmor_parser. See the apparmor.d(5) man page for syntax details.
 + debian/patches/change-ptrace-syntax.patch,
   debian/patches/mediate-ptrace.patch: Parse ptrace rules with
   apparmor_parser. See the apparmor.d(5) man page for syntax details.
 
 But, regardless of the when, the apparmor rules maybe need a way to handle
 versioned features of the parser. One proposal was to comment out problematic
 rules and allow the packager to re-enable things. Maybe going one step
 further and have some pre-processing that handles version based sections
 (like #if (APPARMOR_VERSION >= xxx)).

I think it would be pretty reasonable to rename the files to have '.in'
suffixes, and then have a build script that expands 'if APPARMOR_VERSION'
conditionals to generate the final file.

Regards,
Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|


Re: [libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

2014-10-01 Thread Stefan Bader
On 01.10.2014 11:04, Daniel P. Berrange wrote:
 On Wed, Oct 01, 2014 at 10:30:58AM +0200, Stefan Bader wrote:
 This had been on the Debian package list before but it's time to take
 this onwards. So the goal would be to have one set to rule them all
 (when using apparmor) and drop the separate set of definitions which
 exist at least in the Ubuntu packaging.

 Right now the patch would be at a state which adds all missing files
 and rules to the current examples in libvirt and installs them when
 using --with-apparmor-profiles.

 One problem seems to be that some of the definitions might cause
 parse failures on certain versions of apparmor. I checked this morning
 and this looks a bit hairy. So some apparmor 2.8 versions potentially
 have issues, but not all apparmor 2.8 are the same (gah).
 
 What versions of apparmor are present in the currently supported
 versions of Debian & Ubuntu ?

The way releases are handled in Ubuntu (once released there is usually no
backporting) we would have to worry less about supported releases. For the
Debian side I would think this is similar (correct me if I am wrong, please). So
it looks to me that right now this would be down to Debian having 2.8.0 in
unstable/testing and Ubuntu having 2.8.96~2652 in Utopic (with the same version
in Debian experimental).

Right now I would expect it to boil down to those two. But I suppose the parser
can change again and so there might be a similar situation in the future.

-Stefan

 
 I could imagine (but John, we really could use some guidance here ;))
 that at least some changes could be related to version 2.8.95~2430:

 + debian/patches/mediate-signals.patch,
   debian/patches/change-signal-syntax.patch: Parse signal rules with
   apparmor_parser. See the apparmor.d(5) man page for syntax details.
 + debian/patches/change-ptrace-syntax.patch,
   debian/patches/mediate-ptrace.patch: Parse ptrace rules with
   apparmor_parser. See the apparmor.d(5) man page for syntax details.

 But, regardless of the when, the apparmor rules maybe need a way to handle
 versioned features of the parser. One proposal was to comment out problematic
 rules and allow the packager to re-enable things. Maybe going one step
 further and have some pre-processing that handles version based sections
 (like #if (APPARMOR_VERSION >= xxx)).
 
 I think it would be pretty reasonable to rename the files in have '.in'
 suffixes, and then have a build script that expands 'if APPARMOR_VERSION'
 conditionals to generate the final file.
 
 Regards,
 Daniel
 





Re: [libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

2014-10-01 Thread Serge Hallyn
Quoting Stefan Bader (stefan.ba...@canonical.com):
 On 01.10.2014 11:04, Daniel P. Berrange wrote:
  On Wed, Oct 01, 2014 at 10:30:58AM +0200, Stefan Bader wrote:
  This had been on the Debian package list before but it's time to take
  this onwards. So the goal would be to have one set to rule them all
  (when using apparmor) and drop the separate set of definitions which
  exist at least in the Ubuntu packaging.
 
  Right now the patch would be at a state which adds all missing files
  and rules to the current examples in libvirt and installs them when
  using --with-apparmor-profiles.
 
  One problem seems to be that some of the definitions might cause
  parse failures on certain versions of apparmor. I checked this morning
  and this looks a bit hairy. So some apparmor 2.8 versions potentially
  have issues, but not all apparmor 2.8 are the same (gah).
  
  What versions of apparmor are present in the currently supported
  versions of Debian & Ubuntu ?
 
 The way releases are handled in Ubuntu (once released there is usually no
 backporting) we would have to worry less about supported releases. For the
 Debian side I would think this is similar (correct me if I am wrong, please). So
 it looks to me that right now this would be down to Debian having 2.8.0 in
 unstable/testing and Ubuntu having 2.8.96~2652 in Utopic (with the same version
 in Debian experimental).
 
 Right now I would expect it to boil down to those two. But I suppose the parser
 can change again and so there might be a similar situation in the future.

There's also opensuse plus presumably people running hand-built systems.

 
 -Stefan
 
  
  I could imagine (but John, we really could use some guidance here ;))
  that at least some changes could be related to version 2.8.95~2430:
 
  + debian/patches/mediate-signals.patch,
debian/patches/change-signal-syntax.patch: Parse signal rules with
apparmor_parser. See the apparmor.d(5) man page for syntax details.
  + debian/patches/change-ptrace-syntax.patch,
debian/patches/mediate-ptrace.patch: Parse ptrace rules with
apparmor_parser. See the apparmor.d(5) man page for syntax details.
 
  But, regardless of the when, the apparmor rules maybe need a way to handle
  versioned features of the parser. One proposal was to comment out problematic
  rules and allow the packager to re-enable things. Maybe going one step
  further and have some pre-processing that handles version based sections
  (like #if (APPARMOR_VERSION >= xxx)).
  
  I think it would be pretty reasonable to rename the files in have '.in'
  suffixes, and then have a build script that expands 'if APPARMOR_VERSION'
  conditionals to generate the final file.

Yeah, I think we need to do that.  We just need to check the versions
for (1) dbus, (2) signal+ptrace, and (3) unix.



Re: [libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

2014-10-01 Thread Jamie Strandboge
On 10/01/2014 04:04 AM, Daniel P. Berrange wrote:
 On Wed, Oct 01, 2014 at 10:30:58AM +0200, Stefan Bader wrote:
 This had been on the Debian package list before but it's time to take
 this onwards. So the goal would be to have one set to rule them all
 (when using apparmor) and drop the separate set of definitions which
 exist at least in the Ubuntu packaging.

 Right now the patch would be at a state which adds all missing files
 and rules to the current examples in libvirt and installs them when
 using --with-apparmor-profiles.

 One problem seems to be that some of the definitions might cause
 parse failures on certain versions of apparmor. I checked this morning
 and this looks a bit hairy. So some apparmor 2.8 versions potentially
 have issues, but not all apparmor 2.8 are the same (gah).
 
 What versions of apparmor are present in the currently supported
 versions of Debian & Ubuntu ?
 
 I could imagine (but John, we really could use some guidance here ;))
 that at least some changes could be related to version 2.8.95~2430:

 + debian/patches/mediate-signals.patch,
   debian/patches/change-signal-syntax.patch: Parse signal rules with
   apparmor_parser. See the apparmor.d(5) man page for syntax details.
 + debian/patches/change-ptrace-syntax.patch,
   debian/patches/mediate-ptrace.patch: Parse ptrace rules with
   apparmor_parser. See the apparmor.d(5) man page for syntax details.

 But, regardless of the when, the apparmor rules maybe need a way to handle
 versioned features of the parser. One proposal was to comment out problematic
 rules and allow the packager to re-enable things. Maybe going one step
 further and have some pre-processing that handles version based sections
 (like #if (APPARMOR_VERSION >= xxx)).
 
 I think it would be pretty reasonable to rename the files in have '.in'
 suffixes, and then have a build script that expands 'if APPARMOR_VERSION'
 conditionals to generate the final file.
 
These are the rules that are problematic: dbus, ptrace, signal and unix. All of
these are not part of upstream apparmor 2.8 proper, but are part of the upcoming
2.9 release. Ubuntu is using prereleases of upstream apparmor 2.9 where 2.8.95
has dbus, ptrace and signal rules and 2.8.96 adds unix rules (unfortunately,
Ubuntu introduced dbus rules as a patch on top of apparmor 2.8.0 in
2.8.0-0ubuntu25 for Ubuntu 13.10-- however, Ubuntu 13.10 is EOL now so I think
it is fine to not consider this).

If we were to decide to adjust the rules based on apparmor version, then please
add dbus, ptrace, signal and unix rules based on APPARMOR_VERSION >= 2.9.
Distributions like Ubuntu using a prerelease version of AppArmor can then choose
to adjust the APPARMOR_VERSION check. IIUC Debian and SUSE will continue to
use official 2.8 until 2.9 becomes official[1].

Thanks

[1] AppArmor upstream is working on finalizing the 2.9 release now


-- 
Jamie Strandboge http://www.ubuntu.com/




Re: [libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

2014-10-01 Thread Daniel P. Berrange
On Wed, Oct 01, 2014 at 09:46:08AM -0500, Jamie Strandboge wrote:
 On 10/01/2014 04:04 AM, Daniel P. Berrange wrote:
  On Wed, Oct 01, 2014 at 10:30:58AM +0200, Stefan Bader wrote:
  This had been on the Debian package list before but it's time to take
  this onwards. So the goal would be to have one set to rule them all
  (when using apparmor) and drop the separate set of definitions which
  exist at least in the Ubuntu packaging.
 
  Right now the patch would be at a state which adds all missing files
  and rules to the current examples in libvirt and installs them when
  using --with-apparmor-profiles.
 
  One problem seems to be that some of the definitions might cause
  parse failures on certain versions of apparmor. I checked this morning
  and this looks a bit hairy. So some apparmor 2.8 versions potentially
  have issues, but not all apparmor 2.8 are the same (gah).
  
  What versions of apparmor are present in the currently supported
  versions of Debian & Ubuntu ?
  
  I could imagine (but John, we really could use some guidance here ;))
  that at least some changes could be related to version 2.8.95~2430:
 
  + debian/patches/mediate-signals.patch,
debian/patches/change-signal-syntax.patch: Parse signal rules with
apparmor_parser. See the apparmor.d(5) man page for syntax details.
  + debian/patches/change-ptrace-syntax.patch,
debian/patches/mediate-ptrace.patch: Parse ptrace rules with
apparmor_parser. See the apparmor.d(5) man page for syntax details.
 
  But, regardless of the when, the apparmor rules maybe need a way to handle
  versioned features of the parser. One proposal was to comment out problematic
  rules and allow the packager to re-enable things. Maybe going one step
  further and have some pre-processing that handles version based sections
  (like #if (APPARMOR_VERSION >= xxx)).
  
  I think it would be pretty reasonable to rename the files in have '.in'
  suffixes, and then have a build script that expands 'if APPARMOR_VERSION'
  conditionals to generate the final file.
  
 These are the rules that are problematic: dbus, ptrace, signal and unix. All of
 these are not part of upstream apparmor 2.8 proper, but are part of the upcoming
 2.9 release. Ubuntu is using prereleases of upstream apparmor 2.9 where 2.8.95
 has dbus, ptrace and signal rules and 2.8.96 adds unix rules (unfortunately,
 Ubuntu introduced dbus rules as a patch on top of apparmor 2.8.0 in
 2.8.0-0ubuntu25 for Ubuntu 13.10-- however, Ubuntu 13.10 is EOL now so I think
 it is fine to not consider this).
 
 If we were to decide to adjust the rules based on apparmor version, then please
 add dbus, ptrace, signal and unix rules based on APPARMOR_VERSION >= 2.9.
 Distributions like Ubuntu using a prerelease version of AppArmor can then choose
 to adjust the APPARMOR_VERSION check. IIUC Debian and SUSE will continue to
 use official 2.8 until 2.9 becomes official[1].

Agreed, the libvirt upstream distributed file should do version checks
based on official apparmor releases, and distros can tweak versions if
they have backported features.

Regards,
Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|
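Stefan's `#if (APPARMOR_VERSION >= xxx)` sketch, Daniel's `.in`-file plus build-script proposal and Jamie's advice to gate the dbus/ptrace/signal/unix rules on official 2.9 are all served by one small preprocessor, worked through here as an added example. This is not libvirt's build code and nothing in it was posted by the thread's authors; the script name `aa-expand.py`, the `--apparmor-version` option, the exact `#if`/`#else`/`#endif` directive syntax, the simplified Debian-style version comparison and the sample template are all assumptions made for the example.

```python
"""aa-expand.py (hypothetical): resolve version-gated sections of an AppArmor
profile template such as examples/apparmor/libvirt-lxc.in.

Added example, not libvirt's own code. Directive grammar (assumed):
    #if APPARMOR_VERSION <op> <version>   (parentheses as in the thread are accepted)
    #else
    #endif
All three start with '#', so apparmor_parser reads them as comments if a
template is loaded unexpanded.
"""
import operator
import re
import sys

_IF_RE = re.compile(
    r'^\s*#if\s*\(?\s*APPARMOR_VERSION\s*(>=|<=|==|>|<)\s*'
    r'([0-9][0-9A-Za-z.~+]*)\s*\)?\s*$')
_ELSE_RE = re.compile(r'^\s*#else\s*$')
_ENDIF_RE = re.compile(r'^\s*#endif\s*$')
_OPS = {'>=': operator.ge, '<=': operator.le, '==': operator.eq,
        '>': operator.gt, '<': operator.lt}


def version_key(version):
    """Sortable key for a Debian-style version string (simplified dpkg rules).

    A '~' suffix marks a pre-release that sorts *below* its base version,
    so 2.8.96~2652 < 2.8.96 and 2.8.95~2430 < 2.9, matching the thread's
    point that Ubuntu's 2.9 prereleases must not pass an ">= 2.9" check.
    """
    base, _, pre = version.partition('~')
    nums = tuple(int(x) for x in re.findall(r'\d+', base))
    if pre:
        return (nums, -1, tuple(int(x) for x in re.findall(r'\d+', pre)))
    return (nums, 0, ())


def version_satisfies(have, op, want):
    """True when the parser version `have` satisfies `<op> want`."""
    return _OPS[op](version_key(have), version_key(want))


def expand_profile(template, apparmor_version):
    """Return the profile text with #if/#else/#endif sections resolved.

    Blocks may nest; a block inside a skipped region stays skipped whatever
    its own condition says. Unbalanced directives raise ValueError so a
    broken template fails the build instead of shipping a half profile.
    """
    out = []
    stack = []  # frames: [emitting_now, parent_emitting, condition_true, else_seen]
    for lineno, line in enumerate(template.splitlines(), 1):
        m = _IF_RE.match(line)
        if m:
            parent = stack[-1][0] if stack else True
            cond = version_satisfies(apparmor_version, m.group(1), m.group(2))
            stack.append([parent and cond, parent, cond, False])
        elif _ELSE_RE.match(line):
            if not stack or stack[-1][3]:
                raise ValueError(f"line {lineno}: #else without matching #if")
            frame = stack[-1]
            frame[0] = frame[1] and not frame[2]
            frame[3] = True
        elif _ENDIF_RE.match(line):
            if not stack:
                raise ValueError(f"line {lineno}: #endif without matching #if")
            stack.pop()
        elif not stack or stack[-1][0]:
            out.append(line)
    if stack:
        raise ValueError("unterminated #if block at end of template")
    return "\n".join(out) + "\n"


# Constructed sample template, modelled on the libvirt-lxc abstraction in the
# patch; the rules gated here are the ones Jamie lists as 2.9-only.
SAMPLE_TEMPLATE = """\
  #include <abstractions/base>

  umount,
#if (APPARMOR_VERSION >= 2.9)
  # dbus, signal, ptrace and unix mediation are official as of apparmor 2.9
  dbus,
  signal,
  ptrace,
  unix,
#else
  # apparmor < 2.9: the rules above would be a parse error, so leave them out
#endif

  # allow tmpfs mounts everywhere
  mount fstype=tmpfs,
"""


def main(argv):
    # Usage (assumed): aa-expand.py --apparmor-version 2.9 < profile.in > profile
    if len(argv) != 3 or argv[1] != '--apparmor-version':
        sys.stderr.write("usage: aa-expand.py --apparmor-version X.Y < in > out\n")
        return 2
    sys.stdout.write(expand_profile(sys.stdin.read(), argv[2]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the directives are AppArmor comments, an unexpanded template still loads on a parser that understands every rule in it (all gated sections active); the expansion step is what produces a file that a stock 2.8 parser accepts. A distribution shipping a 2.9 prerelease follows Jamie's suggestion by telling the build which version the checks should see, e.g. `--apparmor-version 2.9`, rather than editing the template.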
