Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/app-emulation/libvirt/files/libvirt-8.2.0-fix-paths-for-apparmor.patch
blob: 331a49aa44978a81ef4974c24d8d6ac5bf11c1f7 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140

From afcb8e32343d662d74ccb7b6596ddf03104c8e41 Mon Sep 17 00:00:00 2001
Message-Id: <afcb8e32343d662d74ccb7b6596ddf03104c8e41.1646212419.git.mprivozn@redhat.com>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Wed, 2 Mar 2022 10:12:44 +0100
Subject: [PATCH] libvirt-8.2.0-fix-paths-for-apparmor.patch

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/security/apparmor/libvirt-qemu            |  1 +
 src/security/apparmor/meson.build             |  6 +-
 .../usr.lib.libvirt.virt-aa-helper.in         | 75 -------------------
 .../usr.lib.libvirt.virt-aa-helper.local      |  1 -
 4 files changed, 4 insertions(+), 79 deletions(-)
 delete mode 100644 src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
 delete mode 100644 src/security/apparmor/usr.lib.libvirt.virt-aa-helper.local

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 8cd76d48ec..39f8f04c03 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -95,6 +95,7 @@
   /usr/share/sgabios/** r,
   /usr/share/slof/** r,
   /usr/share/vgabios/** r,
+  /usr/share/seavgabios/** r,
 
   # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
   /etc/pki/CA/ r,
diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
index 990f00b4f3..2a2235c89a 100644
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -1,5 +1,5 @@
 apparmor_gen_profiles = [
-  'usr.lib.libvirt.virt-aa-helper',
+  'usr.libexec.libvirt.virt-aa-helper',
   'usr.sbin.libvirtd',
   'usr.sbin.virtqemud',
   'usr.sbin.virtxend',
@@ -34,7 +34,7 @@ install_data(
 )
 
 install_data(
-  'usr.lib.libvirt.virt-aa-helper.local',
+  'usr.libexec.libvirt.virt-aa-helper.local',
   install_dir: apparmor_dir / 'local',
-  rename: 'usr.lib.libvirt.virt-aa-helper',
+  rename: 'usr.libexec.libvirt.virt-aa-helper',
 )
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
deleted file mode 100644
index ff1d46bebe..0000000000
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ /dev/null
@@ -1,75 +0,0 @@
-#include <tunables/global>
-
-profile virt-aa-helper @libexecdir@/virt-aa-helper {
-  #include <abstractions/base>
-  #include <abstractions/openssl>
-
-  # needed for searching directories
-  capability dac_override,
-  capability dac_read_search,
-
-  # needed for when disk is on a network filesystem
-  network inet,
-  network inet6,
-
-  deny @{PROC}/[0-9]*/mounts r,
-  @{PROC}/[0-9]*/net/psched r,
-  owner @{PROC}/[0-9]*/status r,
-  @{PROC}/filesystems r,
-
-  # Used when internally running another command (namely apparmor_parser)
-  @{PROC}/@{pid}/fd/ r,
-
-  # allow reading libnl's classid file
-  @sysconfdir@/libnl{,-3}/classid r,
-
-  # for gl enabled graphics
-  /dev/dri/{,*} r,
-
-  # for hostdev
-  /sys/devices/ r,
-  /sys/devices/** r,
-  /sys/bus/usb/devices/ r,
-  deny /dev/sd* r,
-  deny /dev/vd* r,
-  deny /dev/dm-* r,
-  deny /dev/drbd[0-9]* r,
-  deny /dev/dasd* r,
-  deny /dev/nvme* r,
-  deny /dev/zd[0-9]* r,
-  deny /dev/mapper/ r,
-  deny /dev/mapper/* r,
-
-  @libexecdir@/virt-aa-helper mr,
-  /{usr/,}sbin/apparmor_parser Ux,
-
-  @sysconfdir@/apparmor.d/libvirt/* r,
-  @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
-
-  # for backingstore -- allow access to non-hidden files in @{HOME} as well
-  # as storage pools
-  audit deny @{HOME}/.* mrwkl,
-  audit deny @{HOME}/.*/ rw,
-  audit deny @{HOME}/.*/** mrwkl,
-  audit deny @{HOME}/bin/ rw,
-  audit deny @{HOME}/bin/** mrwkl,
-  @{HOME}/ r,
-  @{HOME}/** r,
-  /var/lib/libvirt/images/ r,
-  /var/lib/libvirt/images/** r,
-  /var/lib/nova/instances/_base/* r,
-  /{media,mnt,opt,srv}/** r,
-  # For virt-sandbox
-  /{,var/}run/libvirt/**/[sv]d[a-z] r,
-
-  /**.img r,
-  /**.raw r,
-  /**.qcow{,2} r,
-  /**.qed r,
-  /**.vmdk r,
-  /**.vhd r,
-  /**.[iI][sS][oO] r,
-  /**/disk{,.*} r,
-
-  #include <local/usr.lib.libvirt.virt-aa-helper>
-}
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.local b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.local
deleted file mode 100644
index c0990e51d0..0000000000
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.local
+++ /dev/null
@@ -1 +0,0 @@
-# Site-specific additions and overrides for 'usr.lib.libvirt.virt-aa-helper'
-- 
2.34.1