Gentoo's Bugzilla – Attachment 407768 Details for Bug 554628: app-emulation/libvirt without apparmor support
[patch] apparmor for libvirt
patch (text/plain), 5.03 KB, created by aporilel on 2015-07-28 04:36:04 UTC
>diff -uraN libvirt-1.2.17-orig/examples/apparmor/Makefile.am libvirt-1.2.17/examples/apparmor/Makefile.am >--- libvirt-1.2.17-orig/examples/apparmor/Makefile.am 2015-01-23 14:46:24.000000000 +0300 >+++ libvirt-1.2.17/examples/apparmor/Makefile.am 2015-07-28 07:13:57.654566599 +0300 >@@ -19,13 +19,13 @@ > TEMPLATE.lxc \ > libvirt-qemu \ > libvirt-lxc \ >- usr.lib.libvirt.virt-aa-helper \ >+ usr.libexec.virt-aa-helper \ > usr.sbin.libvirtd > > if WITH_APPARMOR_PROFILES > apparmordir = $(sysconfdir)/apparmor.d/ > apparmor_DATA = \ >- usr.lib.libvirt.virt-aa-helper \ >+ usr.libexec.virt-aa-helper \ > usr.sbin.libvirtd \ > $(NULL) > >diff -uraN libvirt-1.2.17-orig/examples/apparmor/Makefile.in libvirt-1.2.17/examples/apparmor/Makefile.in >--- libvirt-1.2.17-orig/examples/apparmor/Makefile.in 2015-07-02 08:19:53.000000000 +0300 >+++ libvirt-1.2.17/examples/apparmor/Makefile.in 2015-07-28 07:14:18.187565254 +0300 >@@ -1762,12 +1762,12 @@ > TEMPLATE.lxc \ > libvirt-qemu \ > libvirt-lxc \ >- usr.lib.libvirt.virt-aa-helper \ >+ usr.libexec.virt-aa-helper \ > usr.sbin.libvirtd > > @WITH_APPARMOR_PROFILES_TRUE@apparmordir = $(sysconfdir)/apparmor.d/ > @WITH_APPARMOR_PROFILES_TRUE@apparmor_DATA = \ >-@WITH_APPARMOR_PROFILES_TRUE@ usr.lib.libvirt.virt-aa-helper \ >+@WITH_APPARMOR_PROFILES_TRUE@ usr.libexec.virt-aa-helper \ > @WITH_APPARMOR_PROFILES_TRUE@ usr.sbin.libvirtd \ > @WITH_APPARMOR_PROFILES_TRUE@ $(NULL) > >diff -uraN libvirt-1.2.17-orig/examples/apparmor/usr.libexec.virt-aa-helper libvirt-1.2.17/examples/apparmor/usr.libexec.virt-aa-helper >--- libvirt-1.2.17-orig/examples/apparmor/usr.libexec.virt-aa-helper 1970-01-01 03:00:00.000000000 +0300 >+++ libvirt-1.2.17/examples/apparmor/usr.libexec.virt-aa-helper 2015-07-28 07:13:25.789568686 +0300 
>@@ -0,0 +1,48 @@ >+# Last Modified: Mon Apr 5 15:10:27 2010 >+#include <tunables/global> >+ >+profile virt-aa-helper /usr/libexec/virt-aa-helper { >+ #include <abstractions/base> >+ >+ # needed for searching directories >+ capability dac_override, >+ capability dac_read_search, >+ >+ # needed for when disk is on a network filesystem >+ network inet, >+ >+ deny @{PROC}/[0-9]*/mounts r, >+ @{PROC}/[0-9]*/net/psched r, >+ owner @{PROC}/[0-9]*/status r, >+ @{PROC}/filesystems r, >+ >+ # for hostdev >+ /sys/devices/ r, >+ /sys/devices/** r, >+ >+ /usr/libexec/virt-aa-helper mr, >+ /sbin/apparmor_parser Ux, >+ >+ /etc/apparmor.d/libvirt/* r, >+ /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, >+ >+ # for backingstore -- allow access to non-hidden files in @{HOME} as well >+ # as storage pools >+ audit deny @{HOME}/.* mrwkl, >+ audit deny @{HOME}/.*/ rw, >+ audit deny @{HOME}/.*/** mrwkl, >+ audit deny @{HOME}/bin/ rw, >+ audit deny @{HOME}/bin/** mrwkl, >+ @{HOME}/ r, >+ @{HOME}/** r, >+ /var/lib/libvirt/images/ r, >+ /var/lib/libvirt/images/** r, >+ /{media,mnt,opt,srv}/** r, >+ >+ /**.img r, >+ /**.qcow{,2} r, >+ /**.qed r, >+ /**.vmdk r, >+ /**.[iI][sS][oO] r, >+ /**/disk{,.*} r, >+} >diff -uraN libvirt-1.2.17-orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper libvirt-1.2.17/examples/apparmor/usr.lib.libvirt.virt-aa-helper >--- libvirt-1.2.17-orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper 2015-01-23 14:46:24.000000000 +0300 >+++ libvirt-1.2.17/examples/apparmor/usr.lib.libvirt.virt-aa-helper 1970-01-01 03:00:00.000000000 +0300 
>@@ -1,48 +0,0 @@ >-# Last Modified: Mon Apr 5 15:10:27 2010 >-#include <tunables/global> >- >-profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { >- #include <abstractions/base> >- >- # needed for searching directories >- capability dac_override, >- capability dac_read_search, >- >- # needed for when disk is on a network filesystem >- network inet, >- >- deny @{PROC}/[0-9]*/mounts r, >- @{PROC}/[0-9]*/net/psched r, >- owner @{PROC}/[0-9]*/status r, >- @{PROC}/filesystems r, >- >- # for hostdev >- /sys/devices/ r, >- /sys/devices/** r, >- >- /usr/{lib,lib64}/libvirt/virt-aa-helper mr, >- /sbin/apparmor_parser Ux, >- >- /etc/apparmor.d/libvirt/* r, >- /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, >- >- # for backingstore -- allow access to non-hidden files in @{HOME} as well >- # as storage pools >- audit deny @{HOME}/.* mrwkl, >- audit deny @{HOME}/.*/ rw, >- audit deny @{HOME}/.*/** mrwkl, >- audit deny @{HOME}/bin/ rw, >- audit deny @{HOME}/bin/** mrwkl, >- @{HOME}/ r, >- @{HOME}/** r, >- /var/lib/libvirt/images/ r, >- /var/lib/libvirt/images/** r, >- /{media,mnt,opt,srv}/** r, >- >- /**.img r, >- /**.qcow{,2} r, >- /**.qed r, >- /**.vmdk r, >- /**.[iI][sS][oO] r, >- /**/disk{,.*} r, >-} >diff -uraN libvirt-1.2.17-orig/examples/apparmor/usr.sbin.libvirtd libvirt-1.2.17/examples/apparmor/usr.sbin.libvirtd >--- libvirt-1.2.17-orig/examples/apparmor/usr.sbin.libvirtd 2015-01-23 14:46:24.000000000 +0300 >+++ libvirt-1.2.17/examples/apparmor/usr.sbin.libvirtd 2015-07-28 07:23:03.798530837 +0300 >@@ -60,6 +60,7 @@ > /usr/{lib,lib64}/libvirt/* PUxr, > /usr/{lib,lib64}/libvirt/libvirt_parthelper ix, > /usr/{lib,lib64}/libvirt/libvirt_iohelper ix, >+ /usr/libexec/libvirt_iohelper ix, > /etc/libvirt/hooks/** rmix, > /etc/xen/scripts/** rmix, >
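Review bot: the examples/apparmor/Makefile.in hunk (@@ -1762,12 +1762,12 @@) hand-edits a file that automake generates from Makefile.am, so it duplicates the Makefile.am change and will stop applying as soon as the generated file's line offsets move. Drop this hunk, keep only the Makefile.am rename, and regenerate Makefile.in after patching (in an ebuild, with eautoreconf).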
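Review bot: in the new examples/apparmor/usr.libexec.virt-aa-helper, the profile header `profile virt-aa-helper /usr/libexec/virt-aa-helper {` and the rule `/usr/libexec/virt-aa-helper mr,` replace the `/usr/{lib,lib64}/libvirt/virt-aa-helper` alternation with one hard-coded path, so the example profile no longer attaches to the helper on installs that keep it under lib or lib64. The remaining lines are identical to the deleted usr.lib.libvirt.virt-aa-helper; instead of deleting and re-adding the whole file, keep the existing alternation and list /usr/libexec/virt-aa-helper alongside it in both places, or derive the path from the configured libexecdir, so the diff shows only the two lines that actually change.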
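Review bot: the usr.sbin.libvirtd hunk (@@ -60,6 +60,7 @@) adds only `/usr/libexec/libvirt_iohelper ix,`, while the context rules `/usr/{lib,lib64}/libvirt/* PUxr,` and `/usr/{lib,lib64}/libvirt/libvirt_parthelper ix,` get no /usr/libexec counterpart, even though the rest of this patch moves virt-aa-helper to /usr/libexec/virt-aa-helper. Unless a rule outside the visible context already covers that path, a libvirtd confined by this profile would be denied executing the relocated helper. Add an exec rule for /usr/libexec/virt-aa-helper with the same transition mode as the existing wildcard rule, and one for libvirt_parthelper if it is installed in /usr/libexec as well; prefer naming each binary over a `/usr/libexec/*` wildcard, since that directory is shared with other packages.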
Attachments on bug 554628: 407768 | 407866