[Pkg-libvirt-commits] [libvirt] 01/04: Allow libvirt to kill unconfined domains

Guido Guenther agx at moszumanska.debian.org
Mon Jan 15 09:03:57 UTC 2018


This is an automated email from the git hooks/post-receive script.

agx pushed a commit to annotated tag debian/4.0.0_rc1-1
in repository libvirt.

commit 89b8ab47fb582a4b9f1eedb8825a45d84427a606
Author: intrigeri <intrigeri at debian.org>
Date:   Mon Jan 15 09:34:42 2018 +0100

    Allow libvirt to kill unconfined domains
---
 ...Allow-libvirt-to-kill-unconfined-domaiens.patch | 26 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 27 insertions(+)

diff --git a/debian/patches/Allow-libvirt-to-kill-unconfined-domaiens.patch b/debian/patches/Allow-libvirt-to-kill-unconfined-domaiens.patch
new file mode 100644
index 0000000..14ca2a4
--- /dev/null
+++ b/debian/patches/Allow-libvirt-to-kill-unconfined-domaiens.patch
@@ -0,0 +1,26 @@
+From: intrigeri <intrigeri+libvirt at boum.org>
+Date: Mon, 15 Jan 2018 09:29:47 +0100
+Subject: Allow libvirt to kill unconfined domaiens
+
+On startup libvirtd runs a number of QEMU processes unconfined such as:
+
+  /usr/bin/qemu-system-x86_64 -S -no-user-config -nodefaults -nographic -machine none,accel=kvm:tcg -qmp unix:/var/lib/libvirt/qemu/capabilities.monitor.sock,server,nowait -pidfile /var/lib/libvirt/qemu/capabilities.pidfile -daemonize
+
+libvirtd needs to be allowed to kill these processes, otherwise they
+remain running.
+---
+ examples/apparmor/usr.sbin.libvirtd | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
+index bd7796c..4d220c2 100644
+--- a/examples/apparmor/usr.sbin.libvirtd
++++ b/examples/apparmor/usr.sbin.libvirtd
+@@ -63,6 +63,7 @@
+ 
+   signal (send) peer=/usr/sbin/dnsmasq,
+   signal (read, send) peer=libvirt-*,
++  signal (send) set=("kill") peer=unconfined,
+ 
+   # Very lenient profile for libvirtd since we want to first focus on confining
+   # the guests. Guests will have a very restricted profile.
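Review bot: the added rule `signal (send) set=("kill") peer=unconfined,` in examples/apparmor/usr.sbin.libvirtd is broader than the description justifies and has no comment explaining it. `peer=unconfined` matches every unconfined process on the host, while the description only names the qemu-system-x86_64 capabilities probes that libvirtd starts at startup. Suggest adding a comment line above the rule that names those processes as the reason, so a later reader of the profile can tell why it is there and can narrow the peer if the probes are ever run under their own profile. The description should also say that the rule cannot be restricted to those probes as long as they run unconfined.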
diff --git a/debian/patches/series b/debian/patches/series
index e1c83ed..1bf82ad 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@ debian/apparmor_profiles_local_include.patch
 Set-defaults-for-zfs-tools.patch
 Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
 apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
+Allow-libvirt-to-kill-unconfined-domaiens.patch
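Review bot: the entry added to debian/patches/series carries the misspelling "domaiens" in the file name, the same as the new patch file and its Subject line, while the commit title spells it "domains". Suggest renaming the patch file to Allow-libvirt-to-kill-unconfined-domains.patch and changing this entry in the same commit, since the series entry has to match the file name exactly.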

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libvirt.git


