Commit 0819e5a410e99cfb149d56cd4e934f5afb6d63cb - libvirt

+0

-26

~~debian/patches/Allow-libvirt-to-kill-unconfined-domaiens.patch~~ less more

0		From: intrigeri <intrigeri+libvirt@boum.org>
1		Date: Mon, 15 Jan 2018 09:29:47 +0100
2		Subject: Allow libvirt to kill unconfined domaiens
3
4		On startup libvirtd runs a number of QEMU processes unconfined such as:
5
6		/usr/bin/qemu-system-x86_64 -S -no-user-config -nodefaults -nographic -machine none,accel=kvm:tcg -qmp unix:/var/lib/libvirt/qemu/capabilities.monitor.sock,server,nowait -pidfile /var/lib/libvirt/qemu/capabilities.pidfile -daemonize
7
8		libvirtd needs to be allowed to kill these processes, otherwise they
9		remain running.
10		---
11		examples/apparmor/usr.sbin.libvirtd \| 1 +
12		1 file changed, 1 insertion(+)
13
14		diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
15		index bd7796c..4d220c2 100644
16		--- a/examples/apparmor/usr.sbin.libvirtd
17		+++ b/examples/apparmor/usr.sbin.libvirtd
18		@@ -63,6 +63,7 @@
19
20		signal (send) peer=/usr/sbin/dnsmasq,
21		signal (read, send) peer=libvirt-*,
22		+ signal (send) set=("kill") peer=unconfined,
23
24		# Very lenient profile for libvirtd since we want to first focus on confining
25		# the guests. Guests will have a very restricted profile.

+26

-0

debian/patches/Allow-libvirt-to-kill-unconfined-domains.patch less more

	0	From: intrigeri <intrigeri+libvirt@boum.org>
	1	Date: Mon, 15 Jan 2018 09:29:47 +0100
	2	Subject: Allow libvirt to kill unconfined domains
	3
	4	On startup libvirtd runs a number of QEMU processes unconfined such as:
	5
	6	/usr/bin/qemu-system-x86_64 -S -no-user-config -nodefaults -nographic -machine none,accel=kvm:tcg -qmp unix:/var/lib/libvirt/qemu/capabilities.monitor.sock,server,nowait -pidfile /var/lib/libvirt/qemu/capabilities.pidfile -daemonize
	7
	8	libvirtd needs to be allowed to kill these processes, otherwise they
	9	remain running.
	10	---
	11	examples/apparmor/usr.sbin.libvirtd \| 1 +
	12	1 file changed, 1 insertion(+)
	13
	14	diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
	15	index bd7796c..4d220c2 100644
	16	--- a/examples/apparmor/usr.sbin.libvirtd
	17	+++ b/examples/apparmor/usr.sbin.libvirtd
	18	@@ -63,6 +63,7 @@
	19
	20	signal (send) peer=/usr/sbin/dnsmasq,
	21	signal (read, send) peer=libvirt-*,
	22	+ signal (send) set=("kill") peer=unconfined,
	23
	24	# Very lenient profile for libvirtd since we want to first focus on confining
	25	# the guests. Guests will have a very restricted profile.

+24

-0

	0	From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
	1	Date: Wed, 17 Jan 2018 16:20:37 +0100
	2	Subject: apparmor: allow libvirt to send term signal to unconfined
	3
	4	Otherwise stopping domains with qemu://session fails like
	5
	6	[164012.338157] audit: type=1400 audit(1516202208.784:99): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=18835 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
	7	---
	8	examples/apparmor/usr.sbin.libvirtd \| 2 +-
	9	1 file changed, 1 insertion(+), 1 deletion(-)
	10
	11	diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
	12	index 4d220c2..72d7987 100644
	13	--- a/examples/apparmor/usr.sbin.libvirtd
	14	+++ b/examples/apparmor/usr.sbin.libvirtd
	15	@@ -63,7 +63,7 @@
	16
	17	signal (send) peer=/usr/sbin/dnsmasq,
	18	signal (read, send) peer=libvirt-*,
	19	- signal (send) set=("kill") peer=unconfined,
	20	+ signal (send) set=("kill", "term") peer=unconfined,
	21
	22	# Very lenient profile for libvirtd since we want to first focus on confining
	23	# the guests. Guests will have a very restricted profile.

+2

-1

debian/patches/series less more

16	16	Set-defaults-for-zfs-tools.patch
17	17	Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
18	18	apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
19		Allow-libvirt-to-kill-unconfined-domaiens.patch
	19	Allow-libvirt-to-kill-unconfined-domains.patch
	20	apparmor-allow-libvirt-to-send-term-signal-to-unconfined.patch