[Pkg-libvirt-commits] [libvirt] 02/09: apparmor: allow libvirt to send term signal to unconfined

Guido Guenther agx at moszumanska.debian.org
Fri Jan 19 17:20:06 UTC 2018


This is an automated email from the git hooks/post-receive script.

agx pushed a commit to annotated tag debian/4.0.0_rc2-1
in repository libvirt.

commit 0819e5a410e99cfb149d56cd4e934f5afb6d63cb
Author: Guido Günther <agx at sigxcpu.org>
Date:   Thu Jan 18 14:29:48 2018 +0100

    apparmor: allow libvirt to send term signal to unconfined
---
 ...Allow-libvirt-to-kill-unconfined-domains.patch} |  2 +-
 ...libvirt-to-send-term-signal-to-unconfined.patch | 24 ++++++++++++++++++++++
 debian/patches/series                              |  3 ++-
 3 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/debian/patches/Allow-libvirt-to-kill-unconfined-domaiens.patch b/debian/patches/Allow-libvirt-to-kill-unconfined-domains.patch
similarity index 95%
rename from debian/patches/Allow-libvirt-to-kill-unconfined-domaiens.patch
rename to debian/patches/Allow-libvirt-to-kill-unconfined-domains.patch
index 14ca2a4..6af677c 100644
--- a/debian/patches/Allow-libvirt-to-kill-unconfined-domaiens.patch
+++ b/debian/patches/Allow-libvirt-to-kill-unconfined-domains.patch
@@ -1,6 +1,6 @@
 From: intrigeri <intrigeri+libvirt at boum.org>
 Date: Mon, 15 Jan 2018 09:29:47 +0100
-Subject: Allow libvirt to kill unconfined domaiens
+Subject: Allow libvirt to kill unconfined domains
 
 On startup libvirtd runs a number of QEMU processes unconfined such as:
 
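Review bot: The rename from Allow-libvirt-to-kill-unconfined-domaiens.patch and the Subject typo fix in this hunk are not mentioned in the commit message, which only describes the term-signal change. Either mention the rename in the commit message or move it to its own commit, so the functional AppArmor change can be reviewed and reverted independently of the cleanup.
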
diff --git a/debian/patches/apparmor-allow-libvirt-to-send-term-signal-to-unconfined.patch b/debian/patches/apparmor-allow-libvirt-to-send-term-signal-to-unconfined.patch
new file mode 100644
index 0000000..27bb8ac
--- /dev/null
+++ b/debian/patches/apparmor-allow-libvirt-to-send-term-signal-to-unconfined.patch
@@ -0,0 +1,24 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx at sigxcpu.org>
+Date: Wed, 17 Jan 2018 16:20:37 +0100
+Subject: apparmor: allow libvirt to send term signal to unconfined
+
+Otherwise stopping domains with qemu://session fails like
+
+[164012.338157] audit: type=1400 audit(1516202208.784:99): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=18835 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
+---
+ examples/apparmor/usr.sbin.libvirtd | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
+index 4d220c2..72d7987 100644
+--- a/examples/apparmor/usr.sbin.libvirtd
++++ b/examples/apparmor/usr.sbin.libvirtd
+@@ -63,7 +63,7 @@
+ 
+   signal (send) peer=/usr/sbin/dnsmasq,
+   signal (read, send) peer=libvirt-*,
+-  signal (send) set=("kill") peer=unconfined,
++  signal (send) set=("kill", "term") peer=unconfined,
+ 
+   # Very lenient profile for libvirtd since we want to first focus on confining
+   # the guests. Guests will have a very restricted profile.
diff --git a/debian/patches/series b/debian/patches/series
index 1bf82ad..b2cea98 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,4 +17,5 @@ debian/apparmor_profiles_local_include.patch
 Set-defaults-for-zfs-tools.patch
 Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
 apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
-Allow-libvirt-to-kill-unconfined-domaiens.patch
+Allow-libvirt-to-kill-unconfined-domains.patch
+apparmor-allow-libvirt-to-send-term-signal-to-unconfined.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libvirt.git