[Pkg-libvirt-commits] [Git][libvirt-team/libvirt][debian/latest] 2 commits: patches: Add backport/apparmor-Don-t-check-for-existence[...]

Andrea Bolognani (@abologna) gitlab at salsa.debian.org
Tue Sep 17 21:25:40 BST 2024



Andrea Bolognani pushed to branch debian/latest at Libvirt Packaging Team / libvirt


Commits:
70a5d8d9 by Andrea Bolognani at 2024-09-16T21:40:11+02:00
patches: Add backport/apparmor-Don-t-check-for-existence[...]

Ensures that AppArmor doesn't get disabled for QEMU
domains just because the LXC driver is not installed.

Closes: #1081396

- - - - -
8a85c0b8 by Andrea Bolognani at 2024-09-16T21:58:08+02:00
Document changes and release 10.7.0-3

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/backport/apparmor-Don-t-check-for-existence-of-templates-upfront.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,11 @@
+libvirt (10.7.0-3) unstable; urgency=medium
+
+  * [70a5d8d] patches: Add backport/apparmor-Don-t-check-for[...]
+    - Ensures that AppArmor doesn't get disabled for QEMU domains
+      just because the LXC driver is not installed (Closes: #1081396)
+
+ -- Andrea Bolognani <eof at kiyuko.org>  Mon, 16 Sep 2024 21:41:15 +0200
+
 libvirt (10.7.0-2) unstable; urgency=medium
 
   * [6fb4103] control: Turn dmidecode back into a Recommends
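Review bot: the new 10.7.0-3 entry describes the fix only in terms of the LXC driver; consider stating the user-visible impact that the patch description gives, namely that without it QEMU domains on systems lacking the LXC driver are started with no AppArmor confinement, since that is what affected users will look for in the changelog. The `[70a5d8d]` reference, the `(Closes: #1081396)` tag and the trailer line are otherwise consistent with the commit and with the existing 10.7.0-2 entry.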


=====================================
debian/patches/backport/apparmor-Don-t-check-for-existence-of-templates-upfront.patch
=====================================
@@ -0,0 +1,69 @@
+From: Andrea Bolognani <abologna at redhat.com>
+Date: Mon, 16 Sep 2024 16:39:11 +0200
+Subject: apparmor: Don't check for existence of templates upfront
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Currently, if either template is missing AppArmor support is
+completely disabled. This means that uninstalling the LXC
+driver from a system results in QEMU domains being started
+without AppArmor confinement, which obviously doesn't make any
+sense.
+
+The problematic scenario was impossible to hit in Debian until
+very recently, because all AppArmor files were shipped as part
+of the same package; now that the Debian package is much closer
+to the Fedora one, and specifically ships the AppArmor files
+together with the corresponding driver, it becomes trivial to
+trigger it.
+
+Drop the checks entirely. virt-aa-helper, which is responsible
+for creating the per-domain profiles starting from the
+driver-specific template, already fails if the latter is not
+present, so they were always redundant.
+
+https://bugs.debian.org/1081396
+
+Signed-off-by: Andrea Bolognani <abologna at redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>
+(cherry picked from commit d622ca04f6525b90cfe6d8274efaf4bee043d8ba)
+
+Forwarded: not-needed
+Origin: https://gitlab.com/libvirt/libvirt/-/commit/d622ca04f6525b90cfe6d8274efaf4bee043d8ba
+---
+ src/security/security_apparmor.c | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
+index 27184ae..a62ec1b 100644
+--- a/src/security/security_apparmor.c
++++ b/src/security/security_apparmor.c
+@@ -318,27 +318,9 @@ AppArmorSetSecurityHostLabel(virSCSIVHostDevice *dev G_GNUC_UNUSED,
+ static virSecurityDriverStatus
+ AppArmorSecurityManagerProbe(const char *virtDriver G_GNUC_UNUSED)
+ {
+-    g_autofree char *template_qemu = NULL;
+-    g_autofree char *template_lxc = NULL;
+-
+     if (use_apparmor() < 0)
+         return SECURITY_DRIVER_DISABLE;
+ 
+-    /* see if template file exists */
+-    template_qemu = g_strdup_printf("%s/TEMPLATE.qemu", APPARMOR_DIR "/libvirt");
+-    template_lxc = g_strdup_printf("%s/TEMPLATE.lxc", APPARMOR_DIR "/libvirt");
+-
+-    if (!virFileExists(template_qemu)) {
+-        virReportError(VIR_ERR_INTERNAL_ERROR,
+-                       _("template \'%1$s\' does not exist"), template_qemu);
+-        return SECURITY_DRIVER_DISABLE;
+-    }
+-    if (!virFileExists(template_lxc)) {
+-        virReportError(VIR_ERR_INTERNAL_ERROR,
+-                       _("template \'%1$s\' does not exist"), template_lxc);
+-        return SECURITY_DRIVER_DISABLE;
+-    }
+-
+     return SECURITY_DRIVER_ENABLE;
+ }
+ 
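Review bot: removing both `virFileExists()` checks moves the point of failure for a missing `TEMPLATE.qemu` from daemon probe time (where `virReportError` used to flag it) to domain start, where the commit message says virt-aa-helper already fails when its template is absent; that is the safer direction, since a domain that fails to start is preferable to one that runs unconfined because an unrelated driver's template was missing. `virtDriver` is still marked `G_GNUC_UNUSED` in `AppArmorSecurityManagerProbe`, so checking only the template that matches the calling driver would have been a narrower alternative, but as this is a verbatim cherry-pick (the `Origin:` header points at the upstream commit and `Forwarded: not-needed` is set accordingly) it should stay as is.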


=====================================
debian/patches/series
=====================================
@@ -1,3 +1,4 @@
+backport/apparmor-Don-t-check-for-existence-of-templates-upfront.patch
 forward/Reduce-udevadm-settle-timeout-to-10-seconds.patch
 debian/Debianize-libvirt-guests.patch
 debian/apparmor_profiles_local_include.patch
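Review bot: placing the backport first in `series`, ahead of the `forward/` and `debian/` patches, keeps upstream cherry-picks applied before Debian-specific changes, matching the existing ordering; per its diffstat the backport touches only `src/security/security_apparmor.c`, so no ordering conflict with the existing patches is expected.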



View it on GitLab: https://salsa.debian.org/libvirt-team/libvirt/-/compare/72c502d9168af402cc18577ce8adc695395bd76f...8a85c0b8e56022665a3eacad18e3d783cc269eaf
