diff options
| author |   Matthias Maier <tamiko@gentoo.org> | 2017-12-07 09:54:55 -0600 |
|---|---|---|
| committer | Matthias Maier <tamiko@gentoo.org> | 2017-12-07 10:02:12 -0600 |
| commit | 24cd72c425327c6e1267416c9f170eefdd7affb7 (patch) | |
| tree | db917be1f14339e95faa5cc360b6aeda35486287 /app-emulation | |
| parent | app-emulation/libvirt: drop version 3.9.0 (diff) | |
| download | gentoo-24cd72c425327c6e1267416c9f170eefdd7affb7.tar.gz gentoo-24cd72c425327c6e1267416c9f170eefdd7affb7.tar.bz2 gentoo-24cd72c425327c6e1267416c9f170eefdd7affb7.zip | |
app-emulation/libvirt: Update apparmor profiles
Closes: https://bugs.gentoo.org/629718
Package-Manager: Portage-2.3.16, Repoman-2.3.6
Diffstat (limited to 'app-emulation')
| -rw-r--r-- | app-emulation/libvirt/files/libvirt-3.10.0-fix_paths_for_apparmor.patch | 118 | ||||
| -rw-r--r-- | app-emulation/libvirt/libvirt-3.10.0.ebuild | 2 |
2 files changed, 119 insertions, 1 deletions
diff --git a/app-emulation/libvirt/files/libvirt-3.10.0-fix_paths_for_apparmor.patch b/app-emulation/libvirt/files/libvirt-3.10.0-fix_paths_for_apparmor.patch new file mode 100644 index 000000000000..0e386c1e00b0 --- /dev/null +++ b/app-emulation/libvirt/files/libvirt-3.10.0-fix_paths_for_apparmor.patch @@ -0,0 +1,118 @@ +diff --git a/examples/Makefile.am b/examples/Makefile.am +index ef2f79d..d8cdb9b 100644 +--- a/examples/Makefile.am ++++ b/examples/Makefile.am +@@ -23,7 +23,7 @@ EXTRA_DIST = \ + apparmor/TEMPLATE.lxc \ + apparmor/libvirt-qemu \ + apparmor/libvirt-lxc \ +- apparmor/usr.lib.libvirt.virt-aa-helper \ ++ apparmor/usr.libexec.virt-aa-helper \ + apparmor/usr.sbin.libvirtd \ + lxcconvert/virt-lxc-convert \ + polkit/libvirt-acl.rules \ +@@ -70,7 +70,7 @@ admin_logging_SOURCES = admin/logging.c + if WITH_APPARMOR_PROFILES + apparmordir = $(sysconfdir)/apparmor.d/ + apparmor_DATA = \ +- apparmor/usr.lib.libvirt.virt-aa-helper \ ++ apparmor/usr.libexec.virt-aa-helper \ + apparmor/usr.sbin.libvirtd \ + $(NULL) + +diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu +index d4fad85..0b22009 100644 +--- a/examples/apparmor/libvirt-qemu ++++ b/examples/apparmor/libvirt-qemu +@@ -86,6 +86,8 @@ + /usr/share/AAVMF/** r, + /usr/share/qemu-efi/** r, + /usr/share/slof/** r, ++ /usr/share/seavgabios/** r, ++ /usr/share/edk2-ovmf/** r, + + # access PKI infrastructure + /etc/pki/libvirt-vnc/** r, +diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper +deleted file mode 100644 +index bd6181d..0000000 +--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper ++++ /dev/null +@@ -1,60 +0,0 @@ +-# Last Modified: Mon Apr 5 15:10:27 2010 +-#include <tunables/global> +- +-profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { +- #include <abstractions/base> +- +- # needed for searching directories +- capability dac_override, +- capability dac_read_search, +- +- # needed for when disk is on a network filesystem +- network inet, +- network inet6, +- +- deny @{PROC}/[0-9]*/mounts r, +- @{PROC}/[0-9]*/net/psched r, +- owner @{PROC}/[0-9]*/status r, +- @{PROC}/filesystems r, +- +- /etc/libnl-3/classid r, +- +- # for hostdev +- /sys/devices/ r, +- /sys/devices/** r, +- deny /dev/sd* r, +- deny /dev/vd* r, +- deny /dev/dm-* r, +- deny /dev/drbd[0-9]* r, +- deny /dev/dasd* r, +- deny /dev/nvme* r, +- deny /dev/zd[0-9]* r, +- deny /dev/mapper/ r, +- deny /dev/mapper/* r, +- +- /usr/{lib,lib64}/libvirt/virt-aa-helper mr, +- /{usr/,}sbin/apparmor_parser Ux, +- +- /etc/apparmor.d/libvirt/* r, +- /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, +- +- # for backingstore -- allow access to non-hidden files in @{HOME} as well +- # as storage pools +- audit deny @{HOME}/.* mrwkl, +- audit deny @{HOME}/.*/ rw, +- audit deny @{HOME}/.*/** mrwkl, +- audit deny @{HOME}/bin/ rw, +- audit deny @{HOME}/bin/** mrwkl, +- @{HOME}/ r, +- @{HOME}/** r, +- /var/lib/libvirt/images/ r, +- /var/lib/libvirt/images/** r, +- /{media,mnt,opt,srv}/** r, +- +- /**.img r, +- /**.qcow{,2} r, +- /**.qed r, +- /**.vmdk r, +- /**.[iI][sS][oO] r, +- /**/disk{,.*} r, +-} +diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd +index 8d61d15..656a559 100644 +--- a/examples/apparmor/usr.sbin.libvirtd ++++ b/examples/apparmor/usr.sbin.libvirtd +@@ -84,8 +84,10 @@ + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + /usr/{lib,lib64}/libvirt/* PUxr, +- /usr/{lib,lib64}/libvirt/libvirt_parthelper ix, +- /usr/{lib,lib64}/libvirt/libvirt_iohelper ix, ++ /usr/libexec/virt-aa-helper PUxr, ++ /usr/libexec/libvirt_lxc PUxr, ++ /usr/libexec/libvirt_parthelper ix, ++ /usr/libexec/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + /etc/xen/scripts/** rmix, + diff --git a/app-emulation/libvirt/libvirt-3.10.0.ebuild b/app-emulation/libvirt/libvirt-3.10.0.ebuild index 06b849546b50..c8d9893516a7 100644 --- a/app-emulation/libvirt/libvirt-3.10.0.ebuild +++ b/app-emulation/libvirt/libvirt-3.10.0.ebuild @@ -124,7 +124,7 @@ DEPEND="${RDEPEND} PATCHES=( "${FILESDIR}"/${PN}-1.3.0-do_not_use_sysconf.patch "${FILESDIR}"/${PN}-1.2.16-fix_paths_in_libvirt-guests_sh.patch - "${FILESDIR}"/${PN}-3.0.0-fix_paths_for_apparmor.patch + "${FILESDIR}"/${PN}-3.10.0-fix_paths_for_apparmor.patch "${FILESDIR}"/${PN}-1.3.4-glibc-2.23.patch "${FILESDIR}"/${PN}-3.1.0-musl-fix-includes.patch # bug #609488 ) |