Hello community,
here is the log from the commit of package libvirt for openSUSE:Factory checked in at 2014-11-18 22:47:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libvirt (Old)
and /work/SRC/openSUSE:Factory/.libvirt.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libvirt"
Changes:
--------
--- /work/SRC/openSUSE:Factory/libvirt/libvirt.changes 2014-11-13 09:17:49.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.libvirt.new/libvirt.changes 2014-11-18 22:49:09.000000000 +0100
@@ -8,0 +9,8 @@
+Thu Nov 6 16:00:24 UTC 2014 - cbosdonnat@suse.com
+
+- Fix Qemu AppArmor abstraction.
+ - qemu-block.so was denied on x86_64. install-apparmor-profiles.patch
+ - Temporary fix access to screenshot temporary file. bsc#904426.
+ qemu-apparmor-screenshot.patch
+
+-------------------------------------------------------------------
New:
----
qemu-apparmor-screenshot.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libvirt.spec ++++++
--- /var/tmp/diff_new_pack.JjJHVn/_old 2014-11-18 22:49:11.000000000 +0100
+++ /var/tmp/diff_new_pack.JjJHVn/_new 2014-11-18 22:49:11.000000000 +0100
@@ -457,6 +457,7 @@
%if %{with_apparmor}
Patch250: install-apparmor-profiles.patch
Patch251: apparmor-no-mount.patch
+Patch252: qemu-apparmor-screenshot.patch
%endif
%if %{with_netcontrol}
Patch300: libvirt-suse-netcontrol.patch
@@ -985,6 +986,7 @@
%if %{with_apparmor}
%patch250 -p1
%patch251 -p1
+%patch252 -p1
%endif
%if %{with_netcontrol}
%patch300 -p1
++++++ install-apparmor-profiles.patch ++++++
--- /var/tmp/diff_new_pack.JjJHVn/_old 2014-11-18 22:49:11.000000000 +0100
+++ /var/tmp/diff_new_pack.JjJHVn/_new 2014-11-18 22:49:11.000000000 +0100
@@ -2,9 +2,12 @@
===================================================================
--- libvirt-1.2.10.orig/examples/apparmor/Makefile.am
+++ libvirt-1.2.10/examples/apparmor/Makefile.am
-@@ -19,10 +19,22 @@ EXTRA_DIST= \
+@@ -17,12 +17,30 @@
+ EXTRA_DIST= \
+ TEMPLATE.qemu \
TEMPLATE.lxc \
- libvirt-qemu \
+- libvirt-qemu \
++ libvirt-qemu.in \
libvirt-lxc \
- usr.lib.libvirt.virt-aa-helper \
- usr.sbin.libvirtd
@@ -24,6 +27,12 @@
+ < $< > $@-t
+ mv $@-t $@
+
++libvirt-qemu: libvirt-qemu.in
++ sed \
++ -e 's![@]libdir[@]!$(libdir)!g' \
++ < $< > $@-t
++ mv $@-t $@
++
apparmordir = $(sysconfdir)/apparmor.d/
apparmor_DATA = \
usr.lib.libvirt.virt-aa-helper \
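Review bot: The new `libvirt-qemu: libvirt-qemu.in` rule turns the abstraction into a build product, but nothing visible in this hunk adds `libvirt-qemu` to `CLEANFILES`. Make only regenerates the file when `libvirt-qemu.in` is newer, so a copy generated with a different `$(libdir)` could survive a reconfigure and be installed with the wrong module path. If this is not handled elsewhere in the patch, add `CLEANFILES += libvirt-qemu` (or extend the existing list), plus a one-line comment above the rule saying that `@libdir@` is expanded at build time. The rest of Makefile.am lies outside the hunk, so this may already be covered.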
@@ -274,3 +283,301 @@
- change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
-
-}
+Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu
+===================================================================
+--- libvirt-1.2.10.orig/examples/apparmor/libvirt-qemu
++++ /dev/null
+@@ -1,144 +0,0 @@
+-# Last Modified: Wed Sep 3 21:52:03 2014
+-
+- #include
+- #include
+- #include
+-
+- # required for reading disk images
+- capability dac_override,
+- capability dac_read_search,
+- capability chown,
+-
+- # needed to drop privileges
+- capability setgid,
+- capability setuid,
+-
+- network inet stream,
+- network inet6 stream,
+-
+- /dev/net/tun rw,
+- /dev/kvm rw,
+- /dev/ptmx rw,
+- /dev/kqemu rw,
+- @{PROC}/*/status r,
+- @{PROC}/sys/kernel/cap_last_cap r,
+-
+- # For hostdev access. The actual devices will be added dynamically
+- /sys/bus/usb/devices/ r,
+- /sys/devices/**/usb[0-9]*/** r,
+-
+- # WARNING: this gives the guest direct access to host hardware and specific
+- # portions of shared memory. This is required for sound using ALSA with kvm,
+- # but may constitute a security risk. If your environment does not require
+- # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
+- # the rules for files in /dev.
+- /{dev,run}/shm r,
+- /{dev,run}/shmpulse-shm* r,
+- /{dev,run}/shmpulse-shm* rwk,
+- /dev/snd/* rw,
+- capability ipc_lock,
+- # spice
+- owner /{dev,run}/shm/spice.* rw,
+- # 'kill' is not required for sound and is a security risk. Do not enable
+- # unless you absolutely need it.
+- deny capability kill,
+-
+- # Uncomment the following if you need access to /dev/fb*
+- #/dev/fb* rw,
+-
+- /etc/pulse/client.conf r,
+- @{HOME}/.pulse-cookie rwk,
+- owner /root/.pulse-cookie rwk,
+- owner /root/.pulse/ rw,
+- owner /root/.pulse/* rw,
+- /usr/share/alsa/** r,
+- owner /tmp/pulse-*/ rw,
+- owner /tmp/pulse-*/* rw,
+- /var/lib/dbus/machine-id r,
+-
+- # access to firmware's etc
+- /usr/share/kvm/** r,
+- /usr/share/qemu/** r,
+- /usr/share/bochs/** r,
+- /usr/share/openbios/** r,
+- /usr/share/openhackware/** r,
+- /usr/share/proll/** r,
+- /usr/share/vgabios/** r,
+- /usr/share/seabios/** r,
+- /usr/share/ovmf/** r,
+-
+- # access PKI infrastructure
+- /etc/pki/libvirt-vnc/** r,
+-
+- # the various binaries
+- /usr/bin/kvm rmix,
+- /usr/bin/qemu rmix,
+- /usr/bin/qemu-system-arm rmix,
+- /usr/bin/qemu-system-cris rmix,
+- /usr/bin/qemu-system-i386 rmix,
+- /usr/bin/qemu-system-m68k rmix,
+- /usr/bin/qemu-system-microblaze rmix,
+- /usr/bin/qemu-system-microblazeel rmix,
+- /usr/bin/qemu-system-mips rmix,
+- /usr/bin/qemu-system-mips64 rmix,
+- /usr/bin/qemu-system-mips64el rmix,
+- /usr/bin/qemu-system-mipsel rmix,
+- /usr/bin/qemu-system-ppc rmix,
+- /usr/bin/qemu-system-ppc64 rmix,
+- /usr/bin/qemu-system-ppcemb rmix,
+- /usr/bin/qemu-system-sh4 rmix,
+- /usr/bin/qemu-system-sh4eb rmix,
+- /usr/bin/qemu-system-sparc rmix,
+- /usr/bin/qemu-system-sparc64 rmix,
+- /usr/bin/qemu-system-x86_64 rmix,
+- /usr/bin/qemu-alpha rmix,
+- /usr/bin/qemu-arm rmix,
+- /usr/bin/qemu-armeb rmix,
+- /usr/bin/qemu-cris rmix,
+- /usr/bin/qemu-i386 rmix,
+- /usr/bin/qemu-m68k rmix,
+- /usr/bin/qemu-microblaze rmix,
+- /usr/bin/qemu-microblazeel rmix,
+- /usr/bin/qemu-mips rmix,
+- /usr/bin/qemu-mipsel rmix,
+- /usr/bin/qemu-ppc rmix,
+- /usr/bin/qemu-ppc64 rmix,
+- /usr/bin/qemu-ppc64abi32 rmix,
+- /usr/bin/qemu-sh4 rmix,
+- /usr/bin/qemu-sh4eb rmix,
+- /usr/bin/qemu-sparc rmix,
+- /usr/bin/qemu-sparc64 rmix,
+- /usr/bin/qemu-sparc32plus rmix,
+- /usr/bin/qemu-sparc64 rmix,
+- /usr/bin/qemu-x86_64 rmix,
+- /usr/lib/qemu/block-curl.so mr,
+-
+- # for save and resume
+- /bin/dash rmix,
+- /bin/dd rmix,
+- /bin/cat rmix,
+-
+- # for usb access
+- /dev/bus/usb/ r,
+- /etc/udev/udev.conf r,
+- /sys/bus/ r,
+- /sys/class/ r,
+-
+- /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+- # child profile for bridge helper process
+- profile qemu_bridge_helper {
+- #include
+-
+- capability setuid,
+- capability setgid,
+- capability setpcap,
+- capability net_admin,
+-
+- network inet stream,
+-
+- /dev/net/tun rw,
+- /etc/qemu/** r,
+- owner @{PROC}/*/status r,
+-
+- /usr/{lib,libexec}/qemu-bridge-helper rmix,
+- }
+Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
+===================================================================
+--- /dev/null
++++ libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
+@@ -0,0 +1,144 @@
++# Last Modified: Wed Sep 3 21:52:03 2014
++
++ #include
++ #include
++ #include
++
++ # required for reading disk images
++ capability dac_override,
++ capability dac_read_search,
++ capability chown,
++
++ # needed to drop privileges
++ capability setgid,
++ capability setuid,
++
++ network inet stream,
++ network inet6 stream,
++
++ /dev/net/tun rw,
++ /dev/kvm rw,
++ /dev/ptmx rw,
++ /dev/kqemu rw,
++ @{PROC}/*/status r,
++ @{PROC}/sys/kernel/cap_last_cap r,
++
++ # For hostdev access. The actual devices will be added dynamically
++ /sys/bus/usb/devices/ r,
++ /sys/devices/**/usb[0-9]*/** r,
++
++ # WARNING: this gives the guest direct access to host hardware and specific
++ # portions of shared memory. This is required for sound using ALSA with kvm,
++ # but may constitute a security risk. If your environment does not require
++ # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
++ # the rules for files in /dev.
++ /{dev,run}/shm r,
++ /{dev,run}/shmpulse-shm* r,
++ /{dev,run}/shmpulse-shm* rwk,
++ /dev/snd/* rw,
++ capability ipc_lock,
++ # spice
++ owner /{dev,run}/shm/spice.* rw,
++ # 'kill' is not required for sound and is a security risk. Do not enable
++ # unless you absolutely need it.
++ deny capability kill,
++
++ # Uncomment the following if you need access to /dev/fb*
++ #/dev/fb* rw,
++
++ /etc/pulse/client.conf r,
++ @{HOME}/.pulse-cookie rwk,
++ owner /root/.pulse-cookie rwk,
++ owner /root/.pulse/ rw,
++ owner /root/.pulse/* rw,
++ /usr/share/alsa/** r,
++ owner /tmp/pulse-*/ rw,
++ owner /tmp/pulse-*/* rw,
++ /var/lib/dbus/machine-id r,
++
++ # access to firmware's etc
++ /usr/share/kvm/** r,
++ /usr/share/qemu/** r,
++ /usr/share/bochs/** r,
++ /usr/share/openbios/** r,
++ /usr/share/openhackware/** r,
++ /usr/share/proll/** r,
++ /usr/share/vgabios/** r,
++ /usr/share/seabios/** r,
++ /usr/share/ovmf/** r,
++
++ # access PKI infrastructure
++ /etc/pki/libvirt-vnc/** r,
++
++ # the various binaries
++ /usr/bin/kvm rmix,
++ /usr/bin/qemu rmix,
++ /usr/bin/qemu-system-arm rmix,
++ /usr/bin/qemu-system-cris rmix,
++ /usr/bin/qemu-system-i386 rmix,
++ /usr/bin/qemu-system-m68k rmix,
++ /usr/bin/qemu-system-microblaze rmix,
++ /usr/bin/qemu-system-microblazeel rmix,
++ /usr/bin/qemu-system-mips rmix,
++ /usr/bin/qemu-system-mips64 rmix,
++ /usr/bin/qemu-system-mips64el rmix,
++ /usr/bin/qemu-system-mipsel rmix,
++ /usr/bin/qemu-system-ppc rmix,
++ /usr/bin/qemu-system-ppc64 rmix,
++ /usr/bin/qemu-system-ppcemb rmix,
++ /usr/bin/qemu-system-sh4 rmix,
++ /usr/bin/qemu-system-sh4eb rmix,
++ /usr/bin/qemu-system-sparc rmix,
++ /usr/bin/qemu-system-sparc64 rmix,
++ /usr/bin/qemu-system-x86_64 rmix,
++ /usr/bin/qemu-alpha rmix,
++ /usr/bin/qemu-arm rmix,
++ /usr/bin/qemu-armeb rmix,
++ /usr/bin/qemu-cris rmix,
++ /usr/bin/qemu-i386 rmix,
++ /usr/bin/qemu-m68k rmix,
++ /usr/bin/qemu-microblaze rmix,
++ /usr/bin/qemu-microblazeel rmix,
++ /usr/bin/qemu-mips rmix,
++ /usr/bin/qemu-mipsel rmix,
++ /usr/bin/qemu-ppc rmix,
++ /usr/bin/qemu-ppc64 rmix,
++ /usr/bin/qemu-ppc64abi32 rmix,
++ /usr/bin/qemu-sh4 rmix,
++ /usr/bin/qemu-sh4eb rmix,
++ /usr/bin/qemu-sparc rmix,
++ /usr/bin/qemu-sparc64 rmix,
++ /usr/bin/qemu-sparc32plus rmix,
++ /usr/bin/qemu-sparc64 rmix,
++ /usr/bin/qemu-x86_64 rmix,
++ @libdir@/qemu/block-curl.so mr,
++
++ # for save and resume
++ /bin/dash rmix,
++ /bin/dd rmix,
++ /bin/cat rmix,
++
++ # for usb access
++ /dev/bus/usb/ r,
++ /etc/udev/udev.conf r,
++ /sys/bus/ r,
++ /sys/class/ r,
++
++ /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
++ # child profile for bridge helper process
++ profile qemu_bridge_helper {
++ #include
++
++ capability setuid,
++ capability setgid,
++ capability setpcap,
++ capability net_admin,
++
++ network inet stream,
++
++ /dev/net/tun rw,
++ /etc/qemu/** r,
++ owner @{PROC}/*/status r,
++
++ /usr/{lib,libexec}/qemu-bridge-helper rmix,
++ }
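Review bot: Only one rule differs between the removed libvirt-qemu and the new libvirt-qemu.in, `@libdir@/qemu/block-curl.so mr,`, so the fix covers block-curl.so alone. The changelog speaks of qemu-block.so being denied on x86_64; if the QEMU package ships other loadable block modules in that directory, they would presumably still be denied. Listing each one explicitly as `@libdir@/qemu/block-<module>.so mr,` (with `<module>` a placeholder) keeps the `m` grant narrower than a glob would. The rest of the file is carried over verbatim, including the duplicated `/usr/bin/qemu-sparc64 rmix,` entry, which could be dropped while the file is being moved.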
++++++ qemu-apparmor-screenshot.patch ++++++
Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
===================================================================
--- libvirt-1.2.10.orig/examples/apparmor/libvirt-qemu.in
+++ libvirt-1.2.10/examples/apparmor/libvirt-qemu.in
@@ -124,6 +124,9 @@
/sys/bus/ r,
/sys/class/ r,
+ # Temporary screendump rule -- See bsc#904426
+ /var/cache/libvirt/qemu/qemu.screendump.* rw,
+
/usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
# child profile for bridge helper process
profile qemu_bridge_helper {
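Review bot: The added rule `/var/cache/libvirt/qemu/qemu.screendump.* rw,` goes into libvirt-qemu.in, which the changelog calls the Qemu AppArmor abstraction. Presumably every confined QEMU that includes it can then read and write every domain's screendump temp file in that directory, not only its own. If QEMU only needs to write the dump, `w` instead of `rw` would narrow the grant; that is worth confirming against bsc#904426. The comment calls the rule temporary but does not say when it can go, so I would extend it, e.g. `# Temporary screendump rule -- See bsc#904426; drop once access to the screendump file is granted per domain` (wording to follow whatever the real fix is). The enclosing profile body starts and ends outside the hunk.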