Hello community, here is the log from the commit of package libvirt for openSUSE:Factory checked in at 2014-11-26 10:33:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libvirt (Old) and /work/SRC/openSUSE:Factory/.libvirt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libvirt" Changes: -------- --- /work/SRC/openSUSE:Factory/libvirt/libvirt.changes 2014-11-18 22:49:09.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.libvirt.new/libvirt.changes 2014-11-26 10:34:02.000000000 +0100 
@@ -1,0 +2,23 @@ +Thu Nov 20 11:56:16 UTC 2014 - cbosdonnat@suse.com + +- Fix potential crasher in virt-aa-helper + 2222123-virt-aa-helper-crash.patch +- ip link add now needs the 'name' parameter. + 433b427-iplink-name.patch +- Fixes for virt-sandbox-service to work: + - Allow adding virt-sandbox service config to apparmor rules. + c264eea-virt-aa-helper-sandbox.patch + - fix symlink resolving for containers to start. + 72fecf1-lxc-resolve-symlinks.patch + - fix unmounting file system if it contains the source to mount. + e50457d-lxc-unmount-check.patch + +------------------------------------------------------------------- +Tue Nov 18 17:21:55 UTC 2014 - cbosdonnat@suse.com + +- Remove security_driver = "none" in qemu config. This completely + disabled all security drivers instead of probing them. +- Changed default value of QEMU's security_default_confined to 0 to + keep QEMU domains unconfined by default. + +------------------------------------------------------------------- New: ---- 2222123-virt-aa-helper-crash.patch 433b427-iplink-name.patch 72fecf1-lxc-resolve-symlinks.patch c264eea-virt-aa-helper-sandbox.patch e50457d-lxc-unmount-check.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libvirt.spec ++++++ --- /var/tmp/diff_new_pack.vDZzBx/_old 2014-11-26 10:34:04.000000000 +0100 +++ /var/tmp/diff_new_pack.vDZzBx/_new 2014-11-26 10:34:04.000000000 +0100 @@ -435,6 +435,11 @@ Source99: baselibs.conf # Upstream patches Patch0: b1674ad5-CVE-2014-7823.patch +Patch1: 2222123-virt-aa-helper-crash.patch +Patch2: c264eea-virt-aa-helper-sandbox.patch +Patch3: 433b427-iplink-name.patch +Patch4: 72fecf1-lxc-resolve-symlinks.patch +Patch5: e50457d-lxc-unmount-check.patch # Patches pending upstream review # Need to go upstream Patch150: xen-name-for-devid.patch 
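Review bot: The Patch1..Patch5 numbering in this libvirt.spec hunk follows the [PATCH n/5] series order rather than the order in which libvirt.changes lists the fixes; keep it that way, because 72fecf1 (Patch4) and e50457d (Patch5) touch the same src/lxc/lxc_container.c region and e50457d's hunk context already contains the lxcContainerResolveSymlinks() call that 72fecf1 introduces (its index line is 12f3a41..334a1df, i.e. it is built on 72fecf1's 12f3a41 output), so swapping them would make the %prep patch application fail.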
@@ -968,6 +973,11 @@ %prep %setup -q %patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 %patch150 -p1 %patch151 -p1 %patch152 -p1 ++++++ 2222123-virt-aa-helper-crash.patch ++++++
From 22221233d0c2fd2c2d41b7527fe2bec13295a427 Mon Sep 17 00:00:00 2001 From: Cédric Bosdonnat <cbosdonnat@suse.com> Date: Thu, 20 Nov 2014 11:31:44 +0100 Subject: [PATCH 1/5] virt-aa-helper wasn't running virErrorInitialize
This turns out to be working by magic but needs to be fixed. --- src/security/virt-aa-helper.c | 6 ++++++ 1 file changed, 6 insertions(+) Index: libvirt-1.2.10/src/security/virt-aa-helper.c =================================================================== --- libvirt-1.2.10.orig/src/security/virt-aa-helper.c +++ libvirt-1.2.10/src/security/virt-aa-helper.c @@ -1251,6 +1251,12 @@ main(int argc, char **argv) exit(EXIT_FAILURE); } + if (virThreadInitialize() < 0 || + virErrorInitialize() < 0) { + fprintf(stderr, _("%s: initialization failed\n"), argv[0]); + exit(EXIT_FAILURE); + } + /* clear the environment */ environ = NULL; if (setenv("PATH", "/sbin:/usr/sbin", 1) != 0) { ++++++ 433b427-iplink-name.patch ++++++
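Review bot: The Subject of 2222123-virt-aa-helper-crash.patch names only virErrorInitialize, but the hunk also adds virThreadInitialize() and exits if either returns < 0; the commit message should mention both and say which code path was "working by magic" (which virReport* call ran before the error subsystem existed), otherwise the fix is not understandable without reading the patch. The placement itself is right: the check runs before the environment is cleared and reports through plain fprintf, so it does not depend on the subsystem it is initialising.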
From 433b427ff853ab72d32573d415e6ec569b77c7cb Mon Sep 17 00:00:00 2001 From: Cédric Bosdonnat <cbosdonnat@suse.com> Date: Thu, 20 Nov 2014 15:26:35 +0100 Subject: [PATCH 3/5] ip link needs 'name' in 3.16 to create the veth pair
Due to a change (or bug?) in ip link implementation, the command 'ip link add vnet0...' is forced into 'ip link add name vnet0...' The changed command also works on older versions of iproute2, just the 'name' parameter has been made mandatory. --- src/util/virnetdevveth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/util/virnetdevveth.c b/src/util/virnetdevveth.c index e9d6f9c..ad30e1d 100644 --- a/src/util/virnetdevveth.c +++ b/src/util/virnetdevveth.c @@ -89,7 +89,7 @@ static int virNetDevVethGetFreeNum(int startDev) * @veth2: pointer to return name for container end of veth pair * * Creates a veth device pair using the ip command: - * ip link add veth1 type veth peer name veth2 + * ip link add name veth1 type veth peer name veth2 * If veth1 points to NULL on entry, it will be a valid interface on * return. veth2 should point to NULL on entry. * @@ -146,7 +146,7 @@ int virNetDevVethCreate(char** veth1, char** veth2) } cmd = virCommandNew("ip"); - virCommandAddArgList(cmd, "link", "add", + virCommandAddArgList(cmd, "link", "add", "name", *veth1 ? *veth1 : veth1auto, "type", "veth", "peer", "name", *veth2 ? *veth2 : veth2auto, -- 2.1.2 ++++++ 72fecf1-lxc-resolve-symlinks.patch ++++++
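Review bot: The Subject of 433b427-iplink-name.patch says "in 3.16" without saying 3.16 of what; the body attributes the change to the "ip link implementation", so name the iproute2 version (or the kernel, if that is what is meant) so the requirement can be checked against the package's minimum dependency. The change itself is consistent: both the doc comment and the virCommandAddArgList() call gain the "name" keyword before the interface name, and the rest of the argument list ("type", "veth", "peer", "name", ...) is unchanged.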
From 72fecf1813b9e77a7f89bc1e708f91bdab7d9ad4 Mon Sep 17 00:00:00 2001 From: Cédric Bosdonnat <cbosdonnat@suse.com> Date: Fri, 21 Nov 2014 17:45:55 +0100 Subject: [PATCH 4/5] lxc: be more patient while resolving symlinks
Resolving symlinks can fail before mounting any file system if one file system depends on another being mounted. Symlinks are now resolved in two passes: * Before any file system is mounted, but then we are more gentle if the source path can't be accessed * Right before mounting a file system, so that we are sure that we have the resolved path... but then if it can't be accessed we raise an error. --- src/conf/domain_conf.h | 1 + src/lxc/lxc_container.c | 77 ++++++++++++++++++++++++++++++++++--------------- 2 files changed, 54 insertions(+), 24 deletions(-) diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index d428451..dcb30bc 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -821,6 +821,7 @@ struct _virDomainFSDef { virDomainDeviceInfo info; unsigned long long space_hard_limit; /* in bytes */ unsigned long long space_soft_limit; /* in bytes */ + bool symlinksResolved; }; diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index db823d6..12f3a41 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c 
@@ -608,6 +608,48 @@ static int lxcContainerUnmountSubtree(const char *prefix, return ret; } +static int lxcContainerResolveSymlinks(virDomainFSDefPtr fs, bool gentle) +{ + char *newroot; + + if (!fs->src || fs->symlinksResolved) + return 0; + + if (access(fs->src, F_OK)) { + if (gentle) { + /* Just ignore the error for the while, we'll try again later */ + VIR_DEBUG("Skipped unaccessible '%s'", fs->src); + return 0; + } else { + virReportSystemError(errno, + _("Failed to access '%s'"), fs->src); + return -1; + } + } + + VIR_DEBUG("Resolving '%s'", fs->src); + if (virFileResolveAllLinks(fs->src, &newroot) < 0) { + if (gentle) { + VIR_DEBUG("Skipped non-resolvable '%s'", fs->src); + return 0; + } else { + virReportSystemError(errno, + _("Failed to resolve symlink at %s"), + fs->src); + } + return -1; + } + + /* Mark it resolved to skip it the next time */ + fs->symlinksResolved = true; + + VIR_DEBUG("Resolved '%s' to %s", fs->src, newroot); + + VIR_FREE(fs->src); + fs->src = newroot; + + return 0; +} static int lxcContainerPrepareRoot(virDomainDefPtr def, virDomainFSDefPtr root, @@ -634,6 +676,9 @@ static int lxcContainerPrepareRoot(virDomainDefPtr def, return -1; } + if (lxcContainerResolveSymlinks(root, false) < 0) + return -1; + if (virAsprintf(&dst, "%s/%s.root", LXC_STATE_DIR, def->name) < 0) return -1; @@ -1552,6 +1597,9 @@ static int lxcContainerMountAllFS(virDomainDefPtr vmDef, if (STREQ(vmDef->fss[i]->dst, "/")) continue; + if (lxcContainerResolveSymlinks(vmDef->fss[i], false) < 0) + return -1; + if (lxcContainerUnmountSubtree(vmDef->fss[i]->dst, false) < 0) return -1; 
@@ -1735,37 +1783,18 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef, return ret; } - -static int lxcContainerResolveSymlinks(virDomainDefPtr vmDef) +static int lxcContainerResolveAllSymlinks(virDomainDefPtr vmDef) { - char *newroot; size_t i; VIR_DEBUG("Resolving symlinks"); for (i = 0; i < vmDef->nfss; i++) { virDomainFSDefPtr fs = vmDef->fss[i]; - if (!fs->src) - continue; - - if (access(fs->src, F_OK)) { - virReportSystemError(errno, - _("Failed to access '%s'"), fs->src); + /* In the first pass, be gentle as some files may + depend on other filesystems to be mounted */ + if (lxcContainerResolveSymlinks(fs, true) < 0) return -1; - } - - VIR_DEBUG("Resolving '%s'", fs->src); - if (virFileResolveAllLinks(fs->src, &newroot) < 0) { - virReportSystemError(errno, - _("Failed to resolve symlink at %s"), - fs->src); - return -1; - } - - VIR_DEBUG("Resolved '%s' to %s", fs->src, newroot); - - VIR_FREE(fs->src); - fs->src = newroot; } VIR_DEBUG("Resolved all filesystem symlinks"); @@ -2106,7 +2135,7 @@ static int lxcContainerChild(void *data) goto cleanup; } - if (lxcContainerResolveSymlinks(vmDef) < 0) + if (lxcContainerResolveAllSymlinks(vmDef) < 0) goto cleanup; VIR_DEBUG("Setting up pivot"); -- 2.1.2 ++++++ c264eea-virt-aa-helper-sandbox.patch ++++++
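Review bot: In 72fecf1-lxc-resolve-symlinks.patch, lxcContainerResolveSymlinks() handles its two failure paths differently: the access() branch returns -1 inside the else, while the virFileResolveAllLinks() branch reports inside the else and returns -1 after it; both work, but the second form reads as though the gentle path could fall through, so move that return into the else for symmetry. Two smaller points: the comment "Just ignore the error for the while" should read "for now", and the new symlinksResolved member of struct _virDomainFSDef is the only field in that hunk without a comment; say that it marks fs->src as already canonicalised so the strict second pass skips it. Finally, the commit message should state that after a gentle skip the source is resolved only in lxcContainerMountAllFS(), i.e. against whatever earlier <filesystem> entries have already mounted, so the order of entries decides which tree a symlinked source is followed through.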
From c264eeaa381a917f01ba74526bf202073358a9dc Mon Sep 17 00:00:00 2001 From: Cédric Bosdonnat <cbosdonnat@suse.com> Date: Thu, 20 Nov 2014 11:32:38 +0100 Subject: [PATCH 2/5] virt-aa-helper: /etc/libvirt-sandbox/services isn't restricted
To get virt-sandbox-service working with AppArmor, virt-aa-helper must not choke on paths in /etc/libvirt-sandbox/services. --- src/security/virt-aa-helper.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 81f9f40..f273e09 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -571,7 +571,8 @@ valid_path(const char *path, const bool readonly) }; /* override the above with these */ const char * const override[] = { - "/sys/devices/pci" /* for hostdev pci devices */ + "/sys/devices/pci", /* for hostdev pci devices */ + "/etc/libvirt-sandbox/services/" /* for virt-sandbox service config */ }; if (path == NULL) { -- 2.1.2 ++++++ e50457d-lxc-unmount-check.patch ++++++
From e50457dd4cc5d4ba1ac7b05734157524620d087f Mon Sep 17 00:00:00 2001 From: Cédric Bosdonnat <cbosdonnat@suse.com> Date: Mon, 24 Nov 2014 15:10:19 +0100 Subject: [PATCH 5/5] lxc: don't unmount subtree if it contains the source of the mount
The typical case where we had a problem is with such a filesystem definition as created by virt-sandbox-service: <filesystem type='bind' accessmode='passthrough'> <source dir='/var/lib/libvirt/filesystems/mysshd/var'/> <target dir='/var'/> </filesystem> In this case, we don't want to unmount the /var subtree or we may lose access to the source folder. --- src/lxc/lxc_container.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 12f3a41..334a1df 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c 
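Review bot: The new override entry in c264eea-virt-aa-helper-sandbox.patch carries a trailing slash while "/sys/devices/pci" does not; if the override array is matched by prefix, as the /sys entry implies, the slash is the safer form because it does not also match a sibling such as /etc/libvirt-sandbox/services-other (constructed example), but the difference should be either explained in the comment or applied to both entries. Note also that the override is independent of the readonly argument of valid_path(); since sandbox service config only needs to be read, confirm that the rule generated for that directory is read-only.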
@@ -1597,11 +1597,15 @@ static int lxcContainerMountAllFS(virDomainDefPtr vmDef, if (STREQ(vmDef->fss[i]->dst, "/")) continue; + VIR_DEBUG("Mounting '%s' -> '%s'", vmDef->fss[i]->src, vmDef->fss[i]->dst); + if (lxcContainerResolveSymlinks(vmDef->fss[i], false) < 0) return -1; - if (lxcContainerUnmountSubtree(vmDef->fss[i]->dst, - false) < 0) + + if (!(vmDef->fss[i]->src && + STRPREFIX(vmDef->fss[i]->src, vmDef->fss[i]->dst)) && + lxcContainerUnmountSubtree(vmDef->fss[i]->dst, false) < 0) return -1; if (lxcContainerMountFS(vmDef->fss[i], sec_mount_options) < 0) -- 2.1.2 ++++++ suse-qemu-conf.patch ++++++ --- /var/tmp/diff_new_pack.vDZzBx/_old 2014-11-26 10:34:04.000000000 +0100 +++ /var/tmp/diff_new_pack.vDZzBx/_new 2014-11-26 10:34:04.000000000 +0100 @@ -2,24 +2,16 @@ =================================================================== --- libvirt-1.2.10.orig/src/qemu/qemu.conf +++ libvirt-1.2.10/src/qemu/qemu.conf -@@ -200,7 +200,16 @@ - # a special value; security_driver can be set to that value in - # isolation, but it cannot appear in a list of drivers. - # -+# SUSE Note: -+# Currently, Apparmor is the default security framework in SUSE -+# distros. If Apparmor is enabled on the host, libvirtd is -+# generously confined but users must opt-in to confine qemu -+# instances. Change this to 'apparmor' to enable Apparmor -+# confinement of qemu instances. -+# - #security_driver = "selinux" -+# security_driver = "apparmor" -+security_driver = "none" +@@ -204,7 +204,7 @@ # If set to non-zero, then the default security labeling # will make guests confined. If set to zero, then guests -@@ -417,11 +426,22 @@ +-# will be unconfined by default. Defaults to 1. ++# will be unconfined by default. Defaults to 0. + #security_default_confined = 1 + + # If set to non-zero, then attempts to create unconfined +@@ -417,11 +417,22 @@ #allow_disk_format_probing = 1 
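Review bot: STRPREFIX(src, dst) in the new condition of e50457d-lxc-unmount-check.patch is a raw string-prefix test, so with dst "/var" it also fires for a source such as "/variants/..." (constructed example), which would then skip unmounting an unrelated subtree; require the prefix to be followed by '/' or to be the whole string (or compare path components) so that only sources genuinely below the target are exempted. The dst == "/" case cannot reach this test because of the STREQ continue above it, so no special case is needed there.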
@@ -47,3 +39,16 @@ # #lock_manager = "lockd" +Index: libvirt-1.2.10/src/qemu/qemu_conf.c +=================================================================== +--- libvirt-1.2.10.orig/src/qemu/qemu_conf.c ++++ libvirt-1.2.10/src/qemu/qemu_conf.c +@@ -249,7 +249,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf + + cfg->clearEmulatorCapabilities = true; + +- cfg->securityDefaultConfined = true; ++ cfg->securityDefaultConfined = false; + cfg->securityRequireConfined = false; + + cfg->keepAliveInterval = 5; -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
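Review bot: In suse-qemu-conf.patch the comment is changed to "Defaults to 0" and qemu_conf.c now sets cfg->securityDefaultConfined = false, but the example line "#security_default_confined = 1" directly below the comment is left unchanged, so the shipped qemu.conf shows an example that is no longer the default; update it to "#security_default_confined = 0". Because this hunk, together with dropping the SUSE note and security_driver = "none", means the probed driver (apparmor or selinux) is now loaded but QEMU guests run unconfined unless an administrator sets security_default_confined = 1, the opt-in guidance from the removed SUSE note should be carried over into the comment so the weaker default is discoverable from the config file.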