calculate
/
gentoo-overlay
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ff90efc43e'
${ noResults }
gentoo-overlay/app-emulation/libvirt/files/libvirt-8.2.0-fix-paths-for...

141 lines
4.3 KiB
Raw Blame History

From afcb8e32343d662d74ccb7b6596ddf03104c8e41 Mon Sep 17 00:00:00 2001
Message-Id: <afcb8e32343d662d74ccb7b6596ddf03104c8e41.1646212419.git.mprivozn@redhat.com>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Wed, 2 Mar 2022 10:12:44 +0100
Subject: [PATCH] libvirt-8.2.0-fix-paths-for-apparmor.patch
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/security/apparmor/libvirt-qemu | 1 +
src/security/apparmor/meson.build | 6 +-
.../usr.lib.libvirt.virt-aa-helper.in | 75 -------------------
.../usr.lib.libvirt.virt-aa-helper.local | 1 -
4 files changed, 4 insertions(+), 79 deletions(-)
delete mode 100644 src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
delete mode 100644 src/security/apparmor/usr.lib.libvirt.virt-aa-helper.local
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 8cd76d48ec..39f8f04c03 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -95,6 +95,7 @@
/usr/share/sgabios/** r,
/usr/share/slof/** r,
/usr/share/vgabios/** r,
+ /usr/share/seavgabios/** r,
# pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
/etc/pki/CA/ r,
diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
index 990f00b4f3..2a2235c89a 100644
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -1,5 +1,5 @@
apparmor_gen_profiles = [
- 'usr.lib.libvirt.virt-aa-helper',
+ 'usr.libexec.libvirt.virt-aa-helper',
'usr.sbin.libvirtd',
'usr.sbin.virtqemud',
'usr.sbin.virtxend',
@@ -34,7 +34,7 @@ install_data(
)
install_data(
- 'usr.lib.libvirt.virt-aa-helper.local',
+ 'usr.libexec.libvirt.virt-aa-helper.local',
install_dir: apparmor_dir / 'local',
- rename: 'usr.lib.libvirt.virt-aa-helper',
+ rename: 'usr.libexec.libvirt.virt-aa-helper',
)
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
deleted file mode 100644
index ff1d46bebe..0000000000
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ /dev/null
@@ -1,75 +0,0 @@
-#include <tunables/global>
-
-profile virt-aa-helper @libexecdir@/virt-aa-helper {
- #include <abstractions/base>
- #include <abstractions/openssl>
-
- # needed for searching directories
- capability dac_override,
- capability dac_read_search,
-
- # needed for when disk is on a network filesystem
- network inet,
- network inet6,
-
- deny @{PROC}/[0-9]*/mounts r,
- @{PROC}/[0-9]*/net/psched r,
- owner @{PROC}/[0-9]*/status r,
- @{PROC}/filesystems r,
-
- # Used when internally running another command (namely apparmor_parser)
- @{PROC}/@{pid}/fd/ r,
-
- # allow reading libnl's classid file
- @sysconfdir@/libnl{,-3}/classid r,
-
- # for gl enabled graphics
- /dev/dri/{,*} r,
-
- # for hostdev
- /sys/devices/ r,
- /sys/devices/** r,
- /sys/bus/usb/devices/ r,
- deny /dev/sd* r,
- deny /dev/vd* r,
- deny /dev/dm-* r,
- deny /dev/drbd[0-9]* r,
- deny /dev/dasd* r,
- deny /dev/nvme* r,
- deny /dev/zd[0-9]* r,
- deny /dev/mapper/ r,
- deny /dev/mapper/* r,
-
- @libexecdir@/virt-aa-helper mr,
- /{usr/,}sbin/apparmor_parser Ux,
-
- @sysconfdir@/apparmor.d/libvirt/* r,
- @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
-
- # for backingstore -- allow access to non-hidden files in @{HOME} as well
- # as storage pools
- audit deny @{HOME}/.* mrwkl,
- audit deny @{HOME}/.*/ rw,
- audit deny @{HOME}/.*/** mrwkl,
- audit deny @{HOME}/bin/ rw,
- audit deny @{HOME}/bin/** mrwkl,
- @{HOME}/ r,
- @{HOME}/** r,
- /var/lib/libvirt/images/ r,
- /var/lib/libvirt/images/** r,
- /var/lib/nova/instances/_base/* r,
- /{media,mnt,opt,srv}/** r,
- # For virt-sandbox
- /{,var/}run/libvirt/**/[sv]d[a-z] r,
-
- /**.img r,
- /**.raw r,
- /**.qcow{,2} r,
- /**.qed r,
- /**.vmdk r,
- /**.vhd r,
- /**.[iI][sS][oO] r,
- /**/disk{,.*} r,
-
- #include <local/usr.lib.libvirt.virt-aa-helper>
-}
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.local b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.local
deleted file mode 100644
index c0990e51d0..0000000000
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.local
+++ /dev/null
@@ -1 +0,0 @@
-# Site-specific additions and overrides for 'usr.lib.libvirt.virt-aa-helper'
--
2.34.1
Reference in new issue View Git Blame Copy Permalink