
From: Olaf Hering <olaf@aepfle.de>
Date: Wed, 21 Feb 2018 10:03:48 +0000
Subject: apparmor-fixes

---
 src/security/apparmor/libvirt-qemu          | 2 ++
 src/security/apparmor/usr.sbin.libvirtd.in  | 2 ++
 src/security/apparmor/usr.sbin.virtqemud.in | 2 ++
 src/security/apparmor/usr.sbin.virtxend.in  | 2 ++
 4 files changed, 8 insertions(+)

--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -170,24 +170,26 @@
   /usr/bin/qemu-system-unicore32 rmix,
   /usr/bin/qemu-system-x86_64 rmix,
   /usr/bin/qemu-system-xtensa rmix,
   /usr/bin/qemu-system-xtensaeb rmix,
   /usr/bin/qemu-unicore32 rmix,
   /usr/bin/qemu-x86_64 rmix,
   # Debian 12 has a wrapper script in /usr/bin while the actual
   # binary lives in /usr/libexec (Debian: #1030926)
   /usr/libexec/qemu-system-i386 rmix,
   # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
   /usr/{lib,lib64}/qemu/*.so mr,
   /usr/lib/@{multiarch}/qemu/*.so mr,
+  /usr/lib64/qemu-*.*/bin/qemu-system-i386 rmix,
+  /usr/lib64/qemu-*.*/bin/qemu-system-x86_64 rmix,
 
   # let qemu load old shared objects after upgrades (LP: #1847361)
   /{var/,}run/qemu/*/*.so mr,
   # but explicitly deny writing to these files
   audit deny /{var/,}run/qemu/*/*.so w,
 
   # swtpm
   /{usr/,}bin/swtpm rmpix,
   /usr/{lib,lib64}/libswtpm_libtpms.so mr,
   /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
 
   # support for passt network back-end
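Review bot: The two new rules carry no comment explaining the versioned `/usr/lib64/qemu-*.*/bin` prefix, while every other distro-specific path in this abstraction is annotated (`# for Debian/Ubuntu qemu-block-extra …`, `# Debian 12 has a wrapper script …`), and the same bare insertion recurs in the libvirtd, virtqemud and virtxend hunks. As placed, directly under the qemu-block-extra comment, a reader will assume the lines belong to that group. Suggest a blank line before them and a comment such as `# versioned qemu install prefix, /usr/lib64/qemu-<ver>/bin (distro-specific layout)`. The glob `qemu-*.*` cannot cross a path separator, so it admits exactly one directory component, but it is also satisfied by any name containing a dot; if the layout is always `qemu-<major>.<minor>`, a tighter `qemu-[0-9]*.[0-9]*` would express that and keep the rule as narrow as the neighbouring per-binary entries.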
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -90,24 +90,26 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
   /bin/* PUx,
   /sbin/* PUx,
   /usr/bin/* PUx,
   @sbindir@/virtlogd pix,
   @sbindir@/* PUx,
   /{usr/,}lib/udev/scsi_id PUx,
   /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
   /usr/{lib,lib64,libexec}/xen/bin/* Ux,
   /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,
   /usr/{lib,libexec}/xen-*/bin/pygrub PUx,
   /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
   /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
+  /usr/lib64/qemu-*.*/bin/qemu-system-i386 rmix,
+  /usr/lib64/qemu-*.*/bin/qemu-system-x86_64 rmix,
 
   # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
   # read and run an ebtables script.
   /var/lib/libvirt/virtd* ixr,
 
   # force the use of virt-aa-helper
   audit deny /{usr/,}sbin/apparmor_parser rwxl,
   audit deny /etc/apparmor.d/libvirt/** wxl,
   audit deny /sys/kernel/security/apparmor/features rwxl,
   audit deny /sys/kernel/security/apparmor/matching rwxl,
   audit deny /sys/kernel/security/apparmor/.* rwxl,
   /sys/kernel/security/apparmor/profiles r,
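Review bot: The new rules use `rmix`, whereas the neighbouring executable rules in this daemon profile (`/usr/bin/* PUx`, `@sbindir@/* PUx`, the xen helpers with `PUx`/`Ux`) transition away from the daemon profile, so a qemu binary the daemon executes from the versioned prefix inherits the daemon's own profile instead; the virtqemud and virtxend hunks make the same choice, and virtxend additionally grants `/** rwmkl`, which an inherited qemu would carry. This may be deliberate (presumably the per-VM profile is selected by the security driver before exec, in which case the inherit mode only matters for qemu invocations the daemon runs itself, such as capability probing), but it is the opposite of what the profile already does for `/usr/bin/*`. If inheritance is intended, a comment on the rules such as `# keep daemon-spawned qemu under the daemon profile; per-VM confinement is applied by the driver before exec` should say so; if parity with the `/usr/bin/*` rule was intended, the mode should match it. Either way the choice should be stated once here and mirrored in the other three files.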
--- a/src/security/apparmor/usr.sbin.virtqemud.in
+++ b/src/security/apparmor/usr.sbin.virtqemud.in
@@ -126,15 +126,17 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
    network inet stream,
 
    # For communication/control from virtqemud
    unix (send, receive) type=stream addr=none peer=(label=virtqemud),
    signal (receive) set=(term) peer=virtqemud,
 
    /dev/net/tun rw,
    /etc/qemu/** r,
    owner @{PROC}/*/status r,
 
    /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper rmix,
   }
+  /usr/lib64/qemu-*.*/bin/qemu-system-i386 rmix,
+  /usr/lib64/qemu-*.*/bin/qemu-system-x86_64 rmix,
 
   include if exists <local/usr.sbin.virtqemud>
 }
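Review bot: The two inserted rules sit between the closing brace of what appears to be a nested child profile (the `  }` on the preceding line closes the three-space-indented block that starts with `network inet stream,`) and the `include if exists <local/usr.sbin.virtqemud>` line, making them the last two rules of the top-level virtqemud profile, away from its other executable rules. Syntactically they are still inside the parent profile, as the two-space indentation confirms, but a reader scanning the profile's exec rules earlier in the file (outside this hunk) will not find them, and the slot right before the local include is conventionally left empty so local overrides read as the tail of the profile. Suggest moving the two lines up beside the profile's other `rmix`/`PUx` exec rules and giving them a short comment, e.g. `# versioned qemu install prefix (distro-specific layout)`.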
--- a/src/security/apparmor/usr.sbin.virtxend.in
+++ b/src/security/apparmor/usr.sbin.virtxend.in
@@ -32,24 +32,26 @@ profile virtxend @sbindir@/virtxend flags=(attach_disconnected) {
   /** rwmkl,
 
   /bin/* PUx,
   /sbin/* PUx,
   /usr/bin/* PUx,
   @sbindir@/virtlogd pix,
   @sbindir@/* PUx,
   /{usr/,}lib/udev/scsi_id PUx,
   /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
   /usr/{lib,lib64,libexec}/xen/bin/* Ux,
   /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx,
   /usr/{lib,libexec}/xen-*/bin/pygrub PUx,
+  /usr/lib64/qemu-*.*/bin/qemu-system-i386 rmix,
+  /usr/lib64/qemu-*.*/bin/qemu-system-x86_64 rmix,
 
   # force the use of virt-aa-helper
   audit deny /{usr/,}sbin/apparmor_parser rwxl,
   audit deny /etc/apparmor.d/libvirt/** wxl,
   audit deny /sys/kernel/security/apparmor/features rwxl,
   audit deny /sys/kernel/security/apparmor/matching rwxl,
   audit deny /sys/kernel/security/apparmor/.* rwxl,
   /sys/kernel/security/apparmor/profiles r,
   @libexecdir@/* PUxr,
   @libexecdir@/libvirt_parthelper ix,
   @libexecdir@/libvirt_iohelper ix,
   /etc/libvirt/hooks/** rmix,