File libvirt.apparmor-fixes.patch of Package libvirt
From: Olaf Hering <olaf@aepfle.de>
Date: Wed, 21 Feb 2018 10:03:48 +0000
Subject: apparmor-fixes
---
 src/security/apparmor/libvirt-qemu.in | 2 ++
 src/security/apparmor/usr.sbin.libvirtd.in | 2 ++
 src/security/apparmor/usr.sbin.virtqemud.in | 2 ++
 src/security/apparmor/usr.sbin.virtxend.in | 2 ++
 4 files changed, 8 insertions(+)
--- a/src/security/apparmor/libvirt-qemu.in
+++ b/src/security/apparmor/libvirt-qemu.in
@@ -165,24 +165,26 @@
   /usr/bin/qemu-system-sparc rmix,
   /usr/bin/qemu-system-sparc64 rmix,
   /usr/bin/qemu-system-tricore rmix,
   /usr/bin/qemu-system-unicore32 rmix,
   /usr/bin/qemu-system-x86_64 rmix,
   /usr/bin/qemu-system-xtensa rmix,
   /usr/bin/qemu-system-xtensaeb rmix,
   /usr/bin/qemu-unicore32 rmix,
   /usr/bin/qemu-x86_64 rmix,
   # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
   /usr/{lib,lib64}/qemu/*.so mr,
   /usr/lib/@{multiarch}/qemu/*.so mr,
+  /usr/lib64/qemu-*.*/bin/qemu-system-i386 rmix,
+  /usr/lib64/qemu-*.*/bin/qemu-system-x86_64 rmix,
   # let qemu load old shared objects after upgrades (LP: #1847361)
   /{var/,}run/qemu/*/*.so mr,
   # but explicitly deny writing to these files
   audit deny /{var/,}run/qemu/*/*.so w,
   # swtpm
   /{usr/,}bin/swtpm rmpix,
   /usr/{lib,lib64}/libswtpm_libtpms.so mr,
   /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
   @BEGIN_APPARMOR_3@
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
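Review bot: The two `qemu-system-*` rules added to libvirt-qemu.in carry no comment, unlike the neighbouring `# for Debian/Ubuntu qemu-block-extra ...` and `# let qemu load old shared objects ...` entries, and the commit subject `apparmor-fixes` gives no rationale either. A reader cannot tell which packaging places qemu under `/usr/lib64/qemu-*.*/bin/`, so a one-line comment above the pair would help, e.g. `# qemu installed under a versioned prefix, /usr/lib64/qemu-<version>/bin/`. AppArmor's `*` does not cross `/`, so the glob is bounded to one path component, but it still matches every versioned directory present; naming the intended version range in the comment lets a later maintainer decide whether to tighten it.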
@@ -86,24 +86,26 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
   /bin/* PUx,
   /sbin/* PUx,
   /usr/bin/* PUx,
   @sbindir@/virtlogd pix,
   @sbindir@/* PUx,
   /{usr/,}lib/udev/scsi_id PUx,
   /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
   /usr/{lib,lib64,libexec}/xen/bin/* Ux,
   /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,
   /usr/{lib,libexec}/xen-*/bin/pygrub PUx,
   /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
   /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
+  /usr/lib64/qemu-*.*/bin/qemu-system-i386 rmix,
+  /usr/lib64/qemu-*.*/bin/qemu-system-x86_64 rmix,
   # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
   # read and run an ebtables script.
   /var/lib/libvirt/virtd* ixr,
   # force the use of virt-aa-helper
   audit deny /{usr/,}sbin/apparmor_parser rwxl,
   audit deny /etc/apparmor.d/libvirt/** wxl,
   audit deny /sys/kernel/security/apparmor/features rwxl,
   audit deny /sys/kernel/security/apparmor/matching rwxl,
   audit deny /sys/kernel/security/apparmor/.* rwxl,
   /sys/kernel/security/apparmor/profiles r,
--- a/src/security/apparmor/usr.sbin.virtqemud.in
+++ b/src/security/apparmor/usr.sbin.virtqemud.in
@@ -123,17 +123,19 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
     network inet stream,
     # For communication/control from virtqemud
     unix (send, receive) type=stream addr=none peer=(label=virtqemud),
     signal (receive) set=(term) peer=virtqemud,
     /dev/net/tun rw,
     /etc/qemu/** r,
     owner @{PROC}/*/status r,
     /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
   }
+  /usr/lib64/qemu-*.*/bin/qemu-system-i386 rmix,
+  /usr/lib64/qemu-*.*/bin/qemu-system-x86_64 rmix,
   @BEGIN_APPARMOR_3@
   include if exists <local/usr.sbin.virtqemud>
   @END_APPARMOR_3@
 }
--- a/src/security/apparmor/usr.sbin.virtxend.in
+++ b/src/security/apparmor/usr.sbin.virtxend.in
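Review bot: The rules added to usr.sbin.libvirtd.in use the `ix` exec mode (`rmix`), so a qemu-system binary started from `/usr/lib64/qemu-*.*/bin/` inherits the daemon's own profile, whereas every neighbouring executable rule in this hunk (`/usr/bin/* PUx,`, `/usr/{lib,lib64,libexec}/xen/bin/* Ux,`, `.../vhost-user-gpu PUx,`) transitions away from it. The same pair, with the same mode, is added to usr.sbin.virtqemud.in in the next hunk and to usr.sbin.virtxend.in in the last, where it sits beside `/** rwmkl,`, so a device model inheriting that profile keeps that blanket file access for its whole lifetime. If inheriting is intended (presumably for qemu invocations the daemon makes itself rather than for guests, which get their own profile through virt-aa-helper — confirm), a comment above the pair should say so, e.g. `# runs under the daemon profile on purpose: <REASON-PLACEHOLDER>`; if it is not, `PUx` would match the sibling rules (attached profile if one exists, otherwise unconfined). In the virtqemud hunk the pair lands after the `}` that closes the child profile, i.e. in the parent `profile virtqemud`, which is presumably intended but easy to misread; the closing `}` of the enclosing profile lies outside the libvirtd and virtxend hunks.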
@@ -30,24 +30,26 @@ profile virtxend @sbindir@/virtxend flags=(attach_disconnected) {
   /** rwmkl,
   /bin/* PUx,
   /sbin/* PUx,
   /usr/bin/* PUx,
   @sbindir@/virtlogd pix,
   @sbindir@/* PUx,
   /{usr/,}lib/udev/scsi_id PUx,
   /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
   /usr/{lib,lib64,libexec}/xen/bin/* Ux,
   /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,
   /usr/{lib,libexec}/xen-*/bin/pygrub PUx,
+  /usr/lib64/qemu-*.*/bin/qemu-system-i386 rmix,
+  /usr/lib64/qemu-*.*/bin/qemu-system-x86_64 rmix,
   # force the use of virt-aa-helper
   audit deny /{usr/,}sbin/apparmor_parser rwxl,
   audit deny /etc/apparmor.d/libvirt/** wxl,
   audit deny /sys/kernel/security/apparmor/features rwxl,
   audit deny /sys/kernel/security/apparmor/matching rwxl,
   audit deny /sys/kernel/security/apparmor/.* rwxl,
   /sys/kernel/security/apparmor/profiles r,
   @libexecdir@/* PUxr,
   @libexecdir@/libvirt_parthelper ix,
   @libexecdir@/libvirt_iohelper ix,
   /etc/libvirt/hooks/** rmix,