[Pkg-libvirt-commits] [Git][libvirt-team/libvirt][debian/experimental] 2 commits: d/control, d/rules: feature architecture parity

Andrea Bolognani gitlab at salsa.debian.org
Mon Aug 17 14:37:01 BST 2020



Andrea Bolognani pushed to branch debian/experimental at Libvirt Packaging Team / libvirt


Commits:
ceab4030 by Christian Ehrhardt at 2020-08-14T07:30:45+02:00
d/control, d/rules: feature architecture parity

Enable systemtap, numa and numad on architectures having the build-deps
nowadays.

Ubuntu enabled these features on ppc64el and s390x that work fine there and
have no reason to be non-enabled there based on these architectures.

On review it was pointed out that the build-deps are linux-any these
days, therefore enable it less selectively on linux-any.

Signed-off-by: Dimitri John Ledkov <xnox at ubuntu.com>
Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>

- - - - -
dd2d1a9e by Christian Ehrhardt at 2020-08-14T07:30:49+02:00
Drop d/p/apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch

The abstraction brings too many permissions, see discussion when
upstreaming the change:
https://www.redhat.com/archives/libvir-list/2020-August/msg00099.html

(To me) with libvirt >=6.0 (actually even with the old versions, maybe
kernel dependent) this isn't reproducible anymore. We should drop the
rule and once anyone can reproduce it again we can try if we either
want to go with:

  # virt-aa-helper dependent libraries read (and if successful, other
  # files) this but virt-aa-helper itself doesn't require the access,
  # so silence the denial.
  deny /etc/nsswitch.conf r,

Or allowing a very reduced set (Ubuntu had that for a short while):

  # virt-aa-helper dependent libraries might read nss info, but do not
  # need full nameservice access.
  /etc/gai.conf r,
  /etc/hosts r,
  /etc/host.conf r,
  /etc/nsswitch.conf r,

Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>

- - - - -


4 changed files:

- debian/control
- − debian/patches/apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
- debian/patches/series
- debian/rules


Changes:

=====================================
debian/control
=====================================
@@ -27,7 +27,7 @@ Build-Depends:
  libnetcf-dev (>= 1:0.2.3-3~) [linux-any],
  libnl-3-dev [linux-any],
  libnl-route-3-dev [linux-any],
- libnuma-dev [amd64 arm64 i386 ia64 mips mipsel powerpc ppc64 ppc64el],
+ libnuma-dev [linux-any],
  libparted-dev (>= 2.2),
  libpcap0.8-dev,
  libpciaccess-dev,
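
Review bot: The `[linux-any]` qualifier on `libnuma-dev` (and on `numad` in the next hunk) is only safe if both packages are really built on every Linux port, because the debian/rules hunk in this same commit removes the `--without-numactl --without-numad` fallback. The commit message says the build-deps are linux-any these days; please name where that was checked so the claim can be re-verified when a new port appears.
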
@@ -50,7 +50,7 @@ Build-Depends:
  lvm2 [linux-any],
  netcat-openbsd,
  nfs-common,
- numad [amd64 arm64 i386 ia64 mips mipsel powerpc ppc64 ppc64el],
+ numad [linux-any],
  open-iscsi [linux-any],
  openssh-client,
  parted (>= 2.2),
@@ -61,7 +61,7 @@ Build-Depends:
  qemu-system-common,
  qemu-utils,
  radvd [linux-any],
- systemtap-sdt-dev [amd64 armel armhf i386 ia64 powerpc s390],
+ systemtap-sdt-dev [linux-any],
  uuid-dev,
  xsltproc,
  zfsutils [kfreebsd-amd64 kfreebsd-i386],
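
Review bot: The old `systemtap-sdt-dev` list had no arm64, ppc64el or s390x entry (it named `s390`, not `s390x`), so this line newly turns the dependency on for architectures beyond the ppc64el and s390x that the commit message says were exercised in Ubuntu. Suggest stating in the commit message whether a `--with-dtrace` build was also tried on arm64, since debian/rules no longer has a `--without-dtrace` branch to fall back to.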


=====================================
debian/patches/apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch deleted
=====================================
@@ -1,21 +0,0 @@
-From: =?utf-8?q?Guido_G=C3=BCnther?= <agx at sigxcpu.org>
-Date: Tue, 5 Dec 2017 14:40:40 +0100
-Subject: apparmor: Allow virt-aa-helper to access the name service switch
-
-Closes: #882979
----
- src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
-index be8b9ee..9ad9537 100644
---- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
-+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
-@@ -2,6 +2,7 @@
- 
- profile virt-aa-helper @libexecdir@/virt-aa-helper {
-   #include <abstractions/base>
-+  #include <abstractions/nameservice>
- 
-   # needed for searching directories
-   capability dac_override,
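
Review bot: The removed patch carried `Closes: #882979`, but the commit message that drops it does not mention that bug number. Please reference #882979 in the commit message or changelog, so that if the virt-aa-helper denial on /etc/nsswitch.conf reappears it can be tied back to this removal and to the two narrower rule sets the message proposes in place of `#include <abstractions/nameservice>`.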


=====================================
debian/patches/series
=====================================
@@ -9,7 +9,6 @@ debian/Use-upstreams-polkit-rule.patch
 debian/apparmor_profiles_local_include.patch
 Set-defaults-for-zfs-tools.patch
 Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
-apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
 debian/Prefer-sbin-over-usr-sbin.patch
 Include-etc-pki-qemu-in-apparmor.patch
 apparmor-Allow-run-pygrub.patch


=====================================
debian/rules
=====================================
@@ -49,16 +49,8 @@ ifneq (,$(findstring $(DEB_HOST_ARCH_OS), linux))
     WITH_SELINUX         = --with-selinux --with-secdriver-selinux --with-selinux-mount=/sys/fs/selinux
     WITH_APPARMOR        = --with-apparmor --with-secdriver-apparmor --with-apparmor-profiles
     WITH_NSS_PLUGIN      = --with-nss-plugin
-    ifneq (,$(findstring $(DEB_HOST_ARCH), amd64 armel armhf i386 ia64 powerpc s390))
-        WITH_DTRACE      = --with-dtrace
-    else
-        WITH_DTRACE      = --without-dtrace
-    endif
-    ifneq (,$(findstring $(DEB_HOST_ARCH), amd64 arm64 i386 ia64 mips mipsel powerpc ppc64el))
-        WITH_NUMA        = --with-numactl --with-numad
-    else
-        WITH_NUMA        = --without-numactl --without-numad
-    endif
+    WITH_DTRACE          = --with-dtrace
+    WITH_NUMA            = --with-numactl --with-numad
     ifneq (,$(findstring $(DEB_HOST_ARCH), ia64))
         WITH_LXC         = --without-lxc
     else
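
Review bot: `WITH_DTRACE` and `WITH_NUMA` are now set unconditionally inside the linux block, so the build has no `--without-...` fallback on a Linux architecture where `systemtap-sdt-dev`, `libnuma-dev` or `numad` is missing. That matches the `[linux-any]` qualifiers in debian/control, but the coupling is implicit; a short comment above these two lines saying they must stay in step with Build-Depends would help the next person who touches either file.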



View it on GitLab: https://salsa.debian.org/libvirt-team/libvirt/-/compare/a7dbff150a18ade03df10499d8029e9c40bf892a...dd2d1a9e504fd634fe14bdc9be1c8f0fcc6d3537
