[gentoo-commits] repo/gentoo:master commit in: app-emulation/libvirt/, app-emulation/libvirt/files/

["Matthias Maier" <tamiko@gentoo.org>]

commit:     24cd72c425327c6e1267416c9f170eefdd7affb7
Author:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Thu Dec  7 15:54:55 2017 +0000
Commit:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Thu Dec  7 16:02:12 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24cd72c4

app-emulation/libvirt: Update apparmor profiles

Closes: https://bugs.gentoo.org/629718
Package-Manager: Portage-2.3.16, Repoman-2.3.6

 .../libvirt-3.10.0-fix_paths_for_apparmor.patch    | 118 +++++++++++++++++++++
 app-emulation/libvirt/libvirt-3.10.0.ebuild        |   2 +-
 2 files changed, 119 insertions(+), 1 deletion(-)

diff --git a/app-emulation/libvirt/files/libvirt-3.10.0-fix_paths_for_apparmor.patch b/app-emulation/libvirt/files/libvirt-3.10.0-fix_paths_for_apparmor.patch
new file mode 100644
index 00000000000..0e386c1e00b
--- /dev/null
+++ b/app-emulation/libvirt/files/libvirt-3.10.0-fix_paths_for_apparmor.patch
@@ -0,0 +1,118 @@
+diff --git a/examples/Makefile.am b/examples/Makefile.am
+index ef2f79d..d8cdb9b 100644
+--- a/examples/Makefile.am
++++ b/examples/Makefile.am
+@@ -23,7 +23,7 @@ EXTRA_DIST = \
+ 	apparmor/TEMPLATE.lxc \
+ 	apparmor/libvirt-qemu \
+ 	apparmor/libvirt-lxc \
+-	apparmor/usr.lib.libvirt.virt-aa-helper \
++	apparmor/usr.libexec.virt-aa-helper \
+ 	apparmor/usr.sbin.libvirtd \
+ 	lxcconvert/virt-lxc-convert \
+ 	polkit/libvirt-acl.rules \
+@@ -70,7 +70,7 @@ admin_logging_SOURCES = admin/logging.c
+ if WITH_APPARMOR_PROFILES
+ apparmordir = $(sysconfdir)/apparmor.d/
+ apparmor_DATA = \
+-	apparmor/usr.lib.libvirt.virt-aa-helper \
++	apparmor/usr.libexec.virt-aa-helper \
+ 	apparmor/usr.sbin.libvirtd \
+ 	$(NULL)
+ 
+diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
+index d4fad85..0b22009 100644
+--- a/examples/apparmor/libvirt-qemu
++++ b/examples/apparmor/libvirt-qemu
+@@ -86,6 +86,8 @@
+   /usr/share/AAVMF/** r,
+   /usr/share/qemu-efi/** r,
+   /usr/share/slof/** r,
++  /usr/share/seavgabios/** r,
++  /usr/share/edk2-ovmf/** r,
+ 
+   # access PKI infrastructure
+   /etc/pki/libvirt-vnc/** r,
+diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+deleted file mode 100644
+index bd6181d..0000000
+--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
++++ /dev/null
+@@ -1,60 +0,0 @@
+-# Last Modified: Mon Apr  5 15:10:27 2010
+-#include <tunables/global>
+-
+-profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
+-  #include <abstractions/base>
+-
+-  # needed for searching directories
+-  capability dac_override,
+-  capability dac_read_search,
+-
+-  # needed for when disk is on a network filesystem
+-  network inet,
+-  network inet6,
+-
+-  deny @{PROC}/[0-9]*/mounts r,
+-  @{PROC}/[0-9]*/net/psched r,
+-  owner @{PROC}/[0-9]*/status r,
+-  @{PROC}/filesystems r,
+-
+-  /etc/libnl-3/classid r,
+-
+-  # for hostdev
+-  /sys/devices/ r,
+-  /sys/devices/** r,
+-  deny /dev/sd* r,
+-  deny /dev/vd* r,
+-  deny /dev/dm-* r,
+-  deny /dev/drbd[0-9]* r,
+-  deny /dev/dasd* r,
+-  deny /dev/nvme* r,
+-  deny /dev/zd[0-9]* r,
+-  deny /dev/mapper/ r,
+-  deny /dev/mapper/* r,
+-
+-  /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
+-  /{usr/,}sbin/apparmor_parser Ux,
+-
+-  /etc/apparmor.d/libvirt/* r,
+-  /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+-
+-  # for backingstore -- allow access to non-hidden files in @{HOME} as well
+-  # as storage pools
+-  audit deny @{HOME}/.* mrwkl,
+-  audit deny @{HOME}/.*/ rw,
+-  audit deny @{HOME}/.*/** mrwkl,
+-  audit deny @{HOME}/bin/ rw,
+-  audit deny @{HOME}/bin/** mrwkl,
+-  @{HOME}/ r,
+-  @{HOME}/** r,
+-  /var/lib/libvirt/images/ r,
+-  /var/lib/libvirt/images/** r,
+-  /{media,mnt,opt,srv}/** r,
+-
+-  /**.img r,
+-  /**.qcow{,2} r,
+-  /**.qed r,
+-  /**.vmdk r,
+-  /**.[iI][sS][oO] r,
+-  /**/disk{,.*} r,
+-}
+diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
+index 8d61d15..656a559 100644
+--- a/examples/apparmor/usr.sbin.libvirtd
++++ b/examples/apparmor/usr.sbin.libvirtd
+@@ -84,8 +84,10 @@
+   audit deny /sys/kernel/security/apparmor/.* rwxl,
+   /sys/kernel/security/apparmor/profiles r,
+   /usr/{lib,lib64}/libvirt/* PUxr,
+-  /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
+-  /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
++  /usr/libexec/virt-aa-helper PUxr,
++  /usr/libexec/libvirt_lxc PUxr,
++  /usr/libexec/libvirt_parthelper ix,
++  /usr/libexec/libvirt_iohelper ix,
+   /etc/libvirt/hooks/** rmix,
+   /etc/xen/scripts/** rmix,
+ 

diff --git a/app-emulation/libvirt/libvirt-3.10.0.ebuild b/app-emulation/libvirt/libvirt-3.10.0.ebuild
index 06b849546b5..c8d9893516a 100644
--- a/app-emulation/libvirt/libvirt-3.10.0.ebuild
+++ b/app-emulation/libvirt/libvirt-3.10.0.ebuild
@@ -124,7 +124,7 @@ DEPEND="${RDEPEND}
 PATCHES=(
 	"${FILESDIR}"/${PN}-1.3.0-do_not_use_sysconf.patch
 	"${FILESDIR}"/${PN}-1.2.16-fix_paths_in_libvirt-guests_sh.patch
-	"${FILESDIR}"/${PN}-3.0.0-fix_paths_for_apparmor.patch
+	"${FILESDIR}"/${PN}-3.10.0-fix_paths_for_apparmor.patch
 	"${FILESDIR}"/${PN}-1.3.4-glibc-2.23.patch
 	"${FILESDIR}"/${PN}-3.1.0-musl-fix-includes.patch          # bug #609488
 )