[Pkg-libvirt-commits] [Git][libvirt-team/libvirt][debian/sid] 9 commits: Rediff patches

Guido Günther gitlab at salsa.debian.org
Mon Aug 26 12:08:57 BST 2019



Guido Günther pushed to branch debian/sid at Libvirt Packaging Team / libvirt


Commits:
d48fdf6d by Andrea Bolognani at 2019-08-25T13:22:15Z
Rediff patches

- - - - -
3b16c860 by Andrea Bolognani at 2019-08-25T13:22:15Z
Bump symbol versions

Both 5.5.0 and 5.6.0 introduce new symbols, but the former was
never even imported into the packaging repository, let alone
uploaded to Debian; 5.3.0 didn't introduce any new symbols.

- - - - -
48c9b758 by Andrea Bolognani at 2019-08-25T13:22:15Z
Drop Avahi support

Removed upstream as of 5.5.0.

- - - - -
a49de917 by Andrea Bolognani at 2019-08-25T13:22:15Z
Fix AppArmor profile for virt-aa-helper

The new patches

  virt-aa-helper-Fix-AppArmor-profile.patch
  virt-aa-helper-Actually-fix-AppArmor-profile.patch

which have been cherry-picked from upstream allow virt-aa-helper
to read /proc/self/fd/ and unbreak guest startup with AppArmor.

- - - - -
b8e92da4 by Andrea Bolognani at 2019-08-25T13:22:15Z
Disable libvirtd socket activation

It's currently broken upstream.

- - - - -
73d1e8cb by Andrea Bolognani at 2019-08-25T14:31:10Z
Install kbase articles

- - - - -
fc6f21e2 by Andrea Bolognani at 2019-08-25T14:33:22Z
Document changes and release 5.6.0-1

- - - - -
9f38a9e6 by Guido Günther at 2019-08-26T10:41:10Z
apparmor: Allow run pygrub

- - - - -
be1b5700 by Guido Günther at 2019-08-26T10:51:12Z
Document changes and release 5.6.0-1

- - - - -


20 changed files:

- debian/changelog
- debian/control
- debian/libvirt-daemon-system.libvirtd.init
- debian/libvirt-doc.docs
- debian/libvirt0.symbols
- debian/patches/Include-etc-pki-qemu-in-apparmor.patch
- debian/patches/Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
- debian/patches/Reduce-udevadm-settle-timeout-to-10-seconds.patch
- + debian/patches/apparmor-Allow-run-pygrub.patch
- debian/patches/apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
- debian/patches/debian/Debianize-systemd-service-files.patch
- + debian/patches/debian/Disable-libvirtd-socket-activation.patch
- debian/patches/debian/Don-t-enable-default-network-on-boot.patch
- debian/patches/debian/Prefer-sbin-over-usr-sbin.patch
- debian/patches/debian/Use-upstreams-polkit-rule.patch
- debian/patches/debian/apparmor_profiles_local_include.patch
- debian/patches/series
- + debian/patches/virt-aa-helper-Actually-fix-AppArmor-profile.patch
- + debian/patches/virt-aa-helper-Fix-AppArmor-profile.patch
- debian/rules


Changes:

=====================================
debian/changelog
=====================================
@@ -1,12 +1,17 @@
-libvirt (5.3.0-1~2.gbp6ef599) UNRELEASED; urgency=medium
+libvirt (5.6.0-1) unstable; urgency=medium
 
-  ** SNAPSHOT build @6ef59955262b2219b9ab4e5ce1d1cb89248c316f **
+  * Team upload.
 
   [ Guido Günther ]
   * [fb43676] d/control: Drop dh-autoreconf build-dep
   * [81d21d5] d/not-installed: Use multi-arch dirs
-  * [641e532] New upstream version 5.3.0
   * [07d5669] New upstream version 5.6.0
+    Fixes CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091,
+    CVE-2019-10132
+    (Closes: #915107, #931243, #929334)
+  * [9f38a9e] apparmor: Allow run pygrub
+    (Closes: #931768)
+  * Acknowledge NMU. Thanks Jonathan Wiltshire
 
   [ Christian Ehrhardt ]
   * [c28c3b3] d/libvirt0.install: install translations
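Review bot: the `Fixes CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, CVE-2019-10132` lines hang under `[07d5669] New upstream version 5.6.0` without saying what in the new release addresses each CVE, and the `(Closes: #915107, #931243, #929334)` list is not mapped to them, so a reader auditing this entry cannot tell which bug tracked which CVE. One sub-bullet per CVE (or per group of related CVEs) naming the change and the bug it closes would make the entry self-describing and keeps the security tracker's parsing simple. Similarly, `* Acknowledge NMU. Thanks Jonathan Wiltshire` names no NMU version; Debian practice is to state the version being acknowledged and to carry the NMU's own changelog entry in this file so the version history stays complete.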
@@ -21,16 +26,23 @@ libvirt (5.3.0-1~2.gbp6ef599) UNRELEASED; urgency=medium
   * [eda89b2] d/no-installed, d/libvirt-doc.docs: do not install fonts
   * [ab67a28] d/copyright: add license for docs/fonts/
   * [2e222a2] d/rules: strip symbolic-functions linker option
-  * [39b658c] Revert "d/libvirt-daemon-system.install: ship libxl-sanlock.conf"
-  * [ce46360] d/rules: install libxl-sanlock.conf dependent on xen being enabled
+  * [39b658c] Revert "d/libvirt-daemon-system.install: ship
+    libxl-sanlock.conf"
+  * [ce46360] d/rules: install libxl-sanlock.conf dependent on xen being
+    enabled
 
   [ Andrea Bolognani ]
   * [6a2eae3] Simplify and improve watch file
-  * [baef715] Rediff patches
   * [82a1edc] Bump symbol versions
   * [73fccd9] Specify --doc-main-package for dh_installdocs
-
- -- Guido Günther <agx at sigxcpu.org>  Wed, 14 Aug 2019 08:30:07 +0200
+  * [d48fdf6] Rediff patches
+  * [3b16c86] Bump symbol versions
+  * [48c9b75] Drop Avahi support
+  * [a49de91] Fix AppArmor profile for virt-aa-helper
+  * [b8e92da] Disable libvirtd socket activation
+  * [73d1e8c] Install kbase articles
+
+ -- Andrea Bolognani <eof at kiyuko.org>  Sun, 25 Aug 2019 16:32:31 +0200
 
 libvirt (5.2.0-2) experimental; urgency=medium
 


=====================================
debian/control
=====================================
@@ -13,7 +13,6 @@ Build-Depends:
  zlib1g-dev,
  libgcrypt20-dev,
  libgnutls28-dev,
- libavahi-client-dev,
  libsasl2-dev,
  libxen-dev (>= 4.3) [i386 amd64 armhf arm64],
  lvm2 [linux-any],
@@ -202,7 +201,7 @@ Suggests:
  systemd,
  systemtap,
  zfsutils,
-Breaks: avahi-daemon (<< 0.6.31-3~),
+Breaks:
  systemd-sysv (<< 224-1~)
 Description: Libvirt daemon configuration files
  Libvirt is a C toolkit to interact with the virtualization capabilities


=====================================
debian/libvirt-daemon-system.libvirtd.init
=====================================
@@ -9,8 +9,8 @@
 # Provides:          libvirtd
 # Required-Start:    $network $local_fs $remote_fs $syslog virtlogd
 # Required-Stop:     $local_fs $remote_fs $syslog virtlogd
-# Should-Start:      avahi-daemon cgconfig
-# Should-Stop:       avahi-daemon cgconfig
+# Should-Start:      cgconfig
+# Should-Stop:       cgconfig
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: libvirt management daemon


=====================================
debian/libvirt-doc.docs
=====================================
@@ -7,5 +7,6 @@ docs/*.css
 docs/html/
 docs/devhelp/
 docs/internals/
+docs/kbase/
 docs/logos/
 examples/


=====================================
debian/libvirt0.symbols
=====================================
@@ -119,8 +119,9 @@ libvirt.so.0 libvirt0 #MINVER#
  *@LIBVIRT_4.10.0 4.10.0
  *@LIBVIRT_5.0.0 5.0.0
  *@LIBVIRT_5.2.0 5.2.0~rc1
- *@LIBVIRT_5.3.0 5.3.0
- *@LIBVIRT_PRIVATE_5.3.0 5.3.0
+ *@LIBVIRT_5.5.0 5.6.0
+ *@LIBVIRT_5.6.0 5.6.0
+ *@LIBVIRT_PRIVATE_5.6.0 5.6.0
 
 libvirt-qemu.so.0 libvirt0 #MINVER#
  *@LIBVIRT_QEMU_0.8.3 0.8.3
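Review bot: `*@LIBVIRT_5.5.0 5.6.0` deliberately maps the 5.5.0 symbol version to package version 5.6.0, for the reason given in the `Bump symbol versions` commit message (5.5.0 was never uploaded to Debian), but nothing in the symbols file records that, and the next person running dpkg-gensymbols will see a version mismatch that looks like a typo. A `#` comment above the line stating that 5.5.0 was skipped would keep the rationale with the data it explains.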
@@ -142,4 +143,4 @@ libvirt-admin.so.0 libvirt0 #MINVER#
  *@LIBVIRT_ADMIN_1.3.0 1.2.18
  *@LIBVIRT_ADMIN_2.0.0 2.0.0~rc1
  *@LIBVIRT_ADMIN_3.0.0 3.0.0
- *@LIBVIRT_ADMIN_PRIVATE_5.3.0 5.3.0
+ *@LIBVIRT_ADMIN_PRIVATE_5.6.0 5.6.0


=====================================
debian/patches/Include-etc-pki-qemu-in-apparmor.patch
=====================================
@@ -12,10 +12,10 @@ Closes: #930100
  1 file changed, 2 insertions(+)
 
 diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
-index eaa5167..0659cda 100644
+index d33348a..95e8e98 100644
 --- a/src/security/apparmor/libvirt-qemu
 +++ b/src/security/apparmor/libvirt-qemu
-@@ -93,6 +93,8 @@
+@@ -94,6 +94,8 @@
    /etc/pki/CA/* r,
    /etc/pki/libvirt{,-spice,-vnc}/ r,
    /etc/pki/libvirt{,-spice,-vnc}/** r,


=====================================
debian/patches/Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
=====================================
@@ -13,10 +13,10 @@ require the 'TERM' environment variable to be set to the terminal type.
  1 file changed, 2 insertions(+)
 
 diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
-index bfa1952..bbc70e2 100644
+index 3282bc0..f448001 100644
 --- a/src/rpc/virnetsocket.c
 +++ b/src/rpc/virnetsocket.c
-@@ -844,6 +844,8 @@ int virNetSocketNewConnectSSH(const char *nodename,
+@@ -876,6 +876,8 @@ int virNetSocketNewConnectSSH(const char *nodename,
      virCommandAddEnvPassBlockSUID(cmd, "KRB5CCNAME", NULL);
      virCommandAddEnvPassBlockSUID(cmd, "SSH_AUTH_SOCK", NULL);
      virCommandAddEnvPassBlockSUID(cmd, "SSH_ASKPASS", NULL);


=====================================
debian/patches/Reduce-udevadm-settle-timeout-to-10-seconds.patch
=====================================
@@ -10,15 +10,15 @@ Closes: #663931
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/util/virutil.c b/src/util/virutil.c
-index e5917d3..e24b5c3 100644
+index 84ccc1a..a9b1f04 100644
 --- a/src/util/virutil.c
 +++ b/src/util/virutil.c
-@@ -1483,7 +1483,7 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups,
- void virWaitForDevices(void)
- {
- # ifdef UDEVADM
--    const char *const settleprog[] = { UDEVADM, "settle", NULL };
-+    const char *const settleprog[] = { UDEVADM, "settle", "--timeout=10", NULL };
- # else
-     const char *const settleprog[] = { UDEVSETTLE, NULL };
- # endif
+@@ -1488,7 +1488,7 @@ void virWaitForDevices(void)
+     if (!(udev = virFindFileInPath(UDEVADM)))
+         return;
+ 
+-    if (!(cmd = virCommandNewArgList(udev, "settle", NULL)))
++    if (!(cmd = virCommandNewArgList(udev, "settle", "--timeout=10", NULL)))
+         return;
+ 
+     /*


=====================================
debian/patches/apparmor-Allow-run-pygrub.patch
=====================================
@@ -0,0 +1,20 @@
+From: Tobias Wolter <towo at b1-systems.de>
+Date: Wed, 21 Aug 2019 10:27:05 +0200
+Subject: apparmor: Allow run pygrub
+
+---
+ src/security/apparmor/usr.sbin.libvirtd | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd
+index a66452b..67d5d3c 100644
+--- a/src/security/apparmor/usr.sbin.libvirtd
++++ b/src/security/apparmor/usr.sbin.libvirtd
+@@ -87,6 +87,7 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
+   /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
+   /usr/{lib,lib64}/xen/bin/* Ux,
+   /usr/lib/xen-*/bin/libxl-save-helper PUx,
++  /usr/lib/xen-*/bin/pygrub PUx,
+ 
+   # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
+   # read and run an ebtables script.
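Review bot: `/usr/lib/xen-*/bin/pygrub PUx,` runs pygrub unconfined (the `P` tries a profile named for the binary and `U` falls back to unconfined when none exists) with libvirtd's privileges, and pygrub's whole purpose is to read bootloader configuration and kernels out of a guest-supplied disk image, which is precisely the untrusted input AppArmor is meant to contain around the toolstack. The rule matches the neighbouring `libxl-save-helper PUx,` and `/usr/{lib,lib64}/xen/bin/* Ux,` entries, so it is acceptable as a fix for the guest-start failure, but the better long-term shape is a dedicated profile for pygrub so that the `P` path applies. The patch header also lacks DEP-3 `Bug-Debian:` and `Forwarded:` fields even though the changelog closes #931768 against it; add them so the patch's status is visible without consulting the changelog.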


=====================================
debian/patches/apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
=====================================
@@ -8,7 +8,7 @@ Closes: #882979
  1 file changed, 1 insertion(+)
 
 diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
-index 3c61f0f..2d43057 100644
+index 577fc77..ee02744 100644
 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
 +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
 @@ -3,6 +3,7 @@


=====================================
debian/patches/debian/Debianize-systemd-service-files.patch
=====================================
@@ -8,17 +8,21 @@ Subject: Debianize systemd service files
  2 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/src/remote/libvirtd.service.in b/src/remote/libvirtd.service.in
-index 7f689e0..d57690c 100644
+index 3ddf0e2..143dd7f 100644
 --- a/src/remote/libvirtd.service.in
 +++ b/src/remote/libvirtd.service.in
-@@ -22,8 +22,8 @@ Documentation=https://libvirt.org
+@@ -20,12 +20,12 @@ Documentation=https://libvirt.org
  
  [Service]
  Type=notify
 -EnvironmentFile=-/etc/sysconfig/libvirtd
--ExecStart=@sbindir@/libvirtd $LIBVIRTD_ARGS
 +EnvironmentFile=-/etc/default/libvirtd
-+ExecStart=@sbindir@/libvirtd $libvirtd_opts
+ # libvirtd.service is set to run on boot so that autostart of
+ # VMs can be performed. We don't want it to stick around if
+ # unused though, so we set a timeout. The socket activation
+ # then ensures it gets started again if anything needs it
+-ExecStart=@sbindir@/libvirtd --timeout 120 $LIBVIRTD_ARGS
++ExecStart=@sbindir@/libvirtd --timeout 120 $libvirtd_opts
  ExecReload=/bin/kill -HUP $MAINPID
  KillMode=process
  Restart=on-failure


=====================================
debian/patches/debian/Disable-libvirtd-socket-activation.patch
=====================================
@@ -0,0 +1,29 @@
+From: Andrea Bolognani <eof at kiyuko.org>
+Date: Sat, 24 Aug 2019 18:00:00 +0200
+Subject: debian: Disable libvirtd socket activation
+
+It's currently broken upstream.
+---
+ src/remote/libvirtd.service.in | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/remote/libvirtd.service.in b/src/remote/libvirtd.service.in
+index 143dd7f..0fc50dc 100644
+--- a/src/remote/libvirtd.service.in
++++ b/src/remote/libvirtd.service.in
+@@ -2,9 +2,6 @@
+ Description=Virtualization daemon
+ Requires=virtlogd.socket
+ Requires=virtlockd.socket
+-Requires=libvirtd.socket
+-Requires=libvirtd-ro.socket
+-Requires=libvirtd-admin.socket
+ Wants=systemd-machined.service
+ Before=libvirt-guests.service
+ After=network.target
+@@ -44,5 +41,3 @@ TasksMax=32768
+ WantedBy=multi-user.target
+ Also=virtlockd.socket
+ Also=virtlogd.socket
+-Also=libvirtd.socket
+-Also=libvirtd-ro.socket
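Review bot: dropping `Requires=libvirtd.socket`, `Requires=libvirtd-ro.socket` and `Requires=libvirtd-admin.socket` (and the matching `Also=` lines) leaves `ExecStart=@sbindir@/libvirtd --timeout 120 $libvirtd_opts` from Debianize-systemd-service-files.patch untouched, and the comment right above that line states that the timeout relies on socket activation to restart the daemon. With the sockets gone (debian/rules additionally deletes `libvirtd*.socket`), libvirtd exits after 120 s without clients and nothing brings it back until a reboot or a manual `systemctl start`, which for the daemon that also owns autostarted guests is a silent availability regression. Remove `--timeout 120` in the same series while socket activation is disabled. Leaving `Also=virtlockd.socket` and `Also=virtlogd.socket` in the second hunk is correct, since those daemons keep their sockets.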


=====================================
debian/patches/debian/Don-t-enable-default-network-on-boot.patch
=====================================
@@ -9,10 +9,10 @@ to not interfere with existing network configurations
  2 files changed, 2 insertions(+), 4 deletions(-)
 
 diff --git a/src/Makefile.in b/src/Makefile.in
-index 99217f9..e9e5ee0 100644
+index 9a215e4..ace56ba 100644
 --- a/src/Makefile.in
 +++ b/src/Makefile.in
-@@ -13426,8 +13426,7 @@ lxc/lxc_controller_dispatch.h: $(srcdir)/rpc/gendispatch.pl \
+@@ -14837,8 +14837,7 @@ lxc/lxc_controller_dispatch.h: $(srcdir)/rpc/gendispatch.pl \
  @WITH_NETWORK_TRUE@	      $(DESTDIR)$(confdir)/qemu/networks/default.xml && \
  @WITH_NETWORK_TRUE@	    rm $(DESTDIR)$(confdir)/qemu/networks/default.xml.t; }
  @WITH_NETWORK_TRUE@	( cd $(DESTDIR)$(confdir)/qemu/networks/autostart && \
@@ -23,7 +23,7 @@ index 99217f9..e9e5ee0 100644
  @WITH_FIREWALLD_ZONE_TRUE@@WITH_NETWORK_TRUE@	$(INSTALL_DATA) $(srcdir)/network/libvirt.zone \
  @WITH_FIREWALLD_ZONE_TRUE@@WITH_NETWORK_TRUE@	  $(DESTDIR)$(prefix)/lib/firewalld/zones/libvirt.xml
 diff --git a/src/network/Makefile.inc.am b/src/network/Makefile.inc.am
-index 3fed59c..13ae858 100644
+index 23cf39b..ca516c3 100644
 --- a/src/network/Makefile.inc.am
 +++ b/src/network/Makefile.inc.am
 @@ -87,8 +87,7 @@ install-data-network:


=====================================
debian/patches/debian/Prefer-sbin-over-usr-sbin.patch
=====================================
@@ -11,7 +11,7 @@ Closes: #895145
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/configure.ac b/configure.ac
-index dcd78f6..1b77c97 100644
+index d18d427..9fe0aea 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -116,7 +116,7 @@ then


=====================================
debian/patches/debian/Use-upstreams-polkit-rule.patch
=====================================
@@ -9,10 +9,10 @@ As of 1.2.16 upstream ships a Polkit rule like Debian does.
  2 files changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/src/Makefile.in b/src/Makefile.in
-index e9e5ee0..c780453 100644
+index ace56ba..6721f99 100644
 --- a/src/Makefile.in
 +++ b/src/Makefile.in
-@@ -13475,12 +13475,12 @@ lxc/lxc_controller_dispatch.h: $(srcdir)/rpc/gendispatch.pl \
+@@ -14886,12 +14886,12 @@ lxc/lxc_controller_dispatch.h: $(srcdir)/rpc/gendispatch.pl \
  @WITH_LIBVIRTD_TRUE@@WITH_POLKIT_TRUE@		$(DESTDIR)$(polkitactionsdir)/org.libvirt.unix.policy
  @WITH_LIBVIRTD_TRUE@@WITH_POLKIT_TRUE@	$(MKDIR_P) $(DESTDIR)$(polkitrulesdir)
  @WITH_LIBVIRTD_TRUE@@WITH_POLKIT_TRUE@	$(INSTALL_DATA) $(srcdir)/remote/libvirtd.rules \
@@ -28,10 +28,10 @@ index e9e5ee0..c780453 100644
  
  .PHONY: \
 diff --git a/src/remote/Makefile.inc.am b/src/remote/Makefile.inc.am
-index 0671424..9e7227d 100644
+index 0cf00cb..75b7290 100644
 --- a/src/remote/Makefile.inc.am
 +++ b/src/remote/Makefile.inc.am
-@@ -221,12 +221,12 @@ install-polkit:
+@@ -226,12 +226,12 @@ install-polkit:
  		$(DESTDIR)$(polkitactionsdir)/org.libvirt.unix.policy
  	$(MKDIR_P) $(DESTDIR)$(polkitrulesdir)
  	$(INSTALL_DATA) $(srcdir)/remote/libvirtd.rules \


=====================================
debian/patches/debian/apparmor_profiles_local_include.patch
=====================================
@@ -9,10 +9,10 @@ Include local apparmor profile
  2 files changed, 4 insertions(+)
 
 diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
-index 78994bc..3c61f0f 100644
+index bf6bd29..577fc77 100644
 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
 +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
-@@ -66,5 +66,6 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
+@@ -67,5 +67,6 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
    /**.[iI][sS][oO] r,
    /**/disk{,.*} r,
  


=====================================
debian/patches/series
=====================================
@@ -15,3 +15,7 @@ Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
 apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
 debian/Prefer-sbin-over-usr-sbin.patch
 Include-etc-pki-qemu-in-apparmor.patch
+virt-aa-helper-Fix-AppArmor-profile.patch
+virt-aa-helper-Actually-fix-AppArmor-profile.patch
+debian/Disable-libvirtd-socket-activation.patch
+apparmor-Allow-run-pygrub.patch


=====================================
debian/patches/virt-aa-helper-Actually-fix-AppArmor-profile.patch
=====================================
@@ -0,0 +1,41 @@
+From: Andrea Bolognani <abologna at redhat.com>
+Date: Tue, 20 Aug 2019 09:54:12 +0200
+Subject: virt-aa-helper: Actually fix AppArmor profile
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Tried previously in
+
+  commit b1eb8b3e8fd1d4cb1da8e5e2b16f2c10837fd823
+  Author: Andrea Bolognani <abologna at redhat.com>
+  Date:   Mon Aug 19 10:23:42 2019 +0200
+
+    virt-aa-helper: Fix AppArmor profile
+
+  v5.6.0-243-gb1eb8b3e8f
+
+with somewhat disappointing results.
+
+Signed-off-by: Andrea Bolognani <abologna at redhat.com>
+Reviewed-by: Ján Tomko <jtomko at redhat.com>
+(cherry picked from commit 9c2446ed4a81450f6482f259f9a0cf720cb0e423)
+---
+ src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
+index 8a9a1f3..85ed370 100644
+--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
++++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
+@@ -19,8 +19,8 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
+   @{PROC}/filesystems r,
+ 
+   # Used when internally running another command (namely apparmor_parser)
+-  @{PROC}/self/fd r,
+-  @{PROC}/@{pid}/fd r,
++  @{PROC}/self/fd/ r,
++  @{PROC}/@{pid}/fd/ r,
+ 
+   /etc/libnl-3/classid r,
+ 
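Review bot: `@{PROC}/@{pid}/fd/ r,` grants read access to the fd directory of every process, while the comment above it says the access is for the helper's own child running apparmor_parser; the profile already uses the narrower idiom `owner @{PROC}/[0-9]*/status r,` (visible in virt-aa-helper-Fix-AppArmor-profile.patch), so `owner @{PROC}/@{pid}/fd/ r,` would serve the stated purpose without widening what a compromised virt-aa-helper can enumerate about other processes. Since this is a cherry-pick of upstream commit 9c2446ed4a81450f6482f259f9a0cf720cb0e423, that tightening belongs upstream first. As a packaging matter, this patch and virt-aa-helper-Fix-AppArmor-profile.patch could be carried as one Debian patch, because the first one's rules are immediately replaced by this one.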


=====================================
debian/patches/virt-aa-helper-Fix-AppArmor-profile.patch
=====================================
@@ -0,0 +1,65 @@
+From: Andrea Bolognani <abologna at redhat.com>
+Date: Mon, 19 Aug 2019 10:23:42 +0200
+Subject: virt-aa-helper: Fix AppArmor profile
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Since
+
+  commit 432faf259b696043ee5d7e8f657d855419a9a3fa
+  Author: Michal Privoznik <mprivozn at redhat.com>
+  Date:   Tue Jul 2 19:49:51 2019 +0200
+
+    virCommand: use procfs to learn opened FDs
+
+    When spawning a child process, between fork() and exec() we close
+    all file descriptors and keep only those the caller wants us to
+    pass onto the child. The problem is how we do that. Currently, we
+    get the limit of opened files and then iterate through each one
+    of them and either close() it or make it survive exec(). This
+    approach is suboptimal (although, not that much in default
+    configurations where the limit is pretty low - 1024). We have
+    /proc where we can learn what FDs we hold open and thus we can
+    selectively close only those.
+
+    Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
+    Reviewed-by: Ján Tomko <jtomko at redhat.com>
+
+  v5.5.0-173-g432faf259b
+
+programs using the virCommand APIs on Linux need read access to
+/proc/self/fd, or they will fail like
+
+  error : virCommandWait:2796 : internal error: Child process
+  (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -c
+   -u libvirt-b20e9a8e-091a-45e0-8823-537119e98bc6) unexpected exit
+  status 1: libvirt:  error : cannot open directory '/proc/self/fd':
+  Permission denied
+  virt-aa-helper: error: apparmor_parser exited with error
+
+Update the AppArmor profile for virt-aa-helper so that read access
+to the relevant path is granted.
+
+Signed-off-by: Andrea Bolognani <abologna at redhat.com>
+Reviewed-by: Ján Tomko <jtomko at redhat.com>
+(cherry picked from commit b1eb8b3e8fd1d4cb1da8e5e2b16f2c10837fd823)
+---
+ src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
+index ee02744..8a9a1f3 100644
+--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
++++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
+@@ -18,6 +18,10 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
+   owner @{PROC}/[0-9]*/status r,
+   @{PROC}/filesystems r,
+ 
++  # Used when internally running another command (namely apparmor_parser)
++  @{PROC}/self/fd r,
++  @{PROC}/@{pid}/fd r,
++
+   /etc/libnl-3/classid r,
+ 
+   # for gl enabled graphics
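Review bot: the added `@{PROC}/self/fd r,` and `@{PROC}/@{pid}/fd r,` rules name the path without a trailing slash, but the failure quoted in the description is `cannot open directory '/proc/self/fd'`, and AppArmor matches a directory open against the path with a trailing `/`; as written the rules do not satisfy that open, which is exactly what virt-aa-helper-Actually-fix-AppArmor-profile.patch corrects by rewriting them as `@{PROC}/self/fd/ r,` and `@{PROC}/@{pid}/fd/ r,`. This is harmless when both patches are applied in the order given in debian/patches/series, but the first must never be shipped without the second; either squash the pair into one Debian patch or note the dependency in the series file.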


=====================================
debian/rules
=====================================
@@ -100,7 +100,6 @@ DEB_CONFIGURE_EXTRA_ARGS :=      \
 	--with-qemu-user=libvirt-qemu  \
 	--with-qemu-group=libvirt-qemu \
 	$(WITH_OPENVZ)		 \
-	--with-avahi             \
 	--with-sasl              \
 	--with-yajl              \
 	--with-ssh2		 \
@@ -189,6 +188,10 @@ override_dh_install-arch:
 	cp debian/polkit/60-libvirt.pkla \
 	    debian/libvirt-daemon-system/var/lib/polkit-1/localauthority/10-vendor.d/
 ifneq (,$(findstring $(DEB_HOST_ARCH_OS), linux))
+	# Socket activation for libvirtd is currently broken. Fixes are being
+	# worked on upstream, but until they are in place it's much better for
+	# us to pretend the feature doesn't exist at all
+	rm -f debian/tmp/usr/lib/systemd/system/libvirtd*.socket
 	# Linux supports more nice things:
 	dh_install -p libvirt-daemon-system usr/lib/systemd/system lib/systemd/
 	dh_install -p libvirt-daemon-system usr/lib/libvirt/virt-aa-helper
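Review bot: `rm -f debian/tmp/usr/lib/systemd/system/libvirtd*.socket` deletes every unit matching the glob (libvirtd.socket, libvirtd-ro.socket, libvirtd-admin.socket and anything else upstream ships under that name), and because of `-f` a future upstream rename turns the step into a silent no-op with the sockets quietly reappearing in libvirt-daemon-system. Listing the units explicitly, without `-f`, would fail the build loudly instead, which is what you want for a workaround that is meant to be temporary. The comment explains the why, but a pointer to the upstream issue it refers to would tell the next maintainer when the `rm` can go; the placement before `dh_install -p libvirt-daemon-system usr/lib/systemd/system lib/systemd/` is correct.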



View it on GitLab: https://salsa.debian.org/libvirt-team/libvirt/compare/b4861f249c19fc8858fa02290097911ec37bdf21...be1b5700d635dd779b01243b8da6042f81ba772c
