From 36fc806da3aedf0f608d343d803efe8ed9d21905 Mon Sep 17 00:00:00 2001
From: yezengruan <yezengruan@huawei.com>
Date: Thu, 24 Mar 2022 16:27:21 +0800
Subject: [PATCH] update patch with openeuler !59

apparmor: Permit new capabilities required by libvirtd

Signed-off-by: yezengruan <yezengruan@huawei.com>
(cherry picked from commit cc7a0d106087d7f1e1b09b4100ebd0051a9b2186)
---
 ...new-capabilities-required-by-libvirt.patch | 38 +++++++++++++++++++
 libvirt.spec                                  |  6 ++-
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 apparmor-Permit-new-capabilities-required-by-libvirt.patch

diff --git a/apparmor-Permit-new-capabilities-required-by-libvirt.patch b/apparmor-Permit-new-capabilities-required-by-libvirt.patch
new file mode 100644
index 0000000..9efd2e6
--- /dev/null
+++ b/apparmor-Permit-new-capabilities-required-by-libvirt.patch
@@ -0,0 +1,38 @@
+From 9abebfb36b2380829be4a901d7c9785a7a8f5f6a Mon Sep 17 00:00:00 2001
+From: Jim Fehlig <jfehlig@suse.com>
+Date: Mon, 7 Jun 2021 16:21:28 -0600
+Subject: [PATCH] apparmor: Permit new capabilities required by libvirtd
+
+The audit log contains the following denials from libvirtd
+
+apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="daemon-init" capability=17  capname="sys_rawio"
+apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=39  capname="bpf"
+apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=38  capname="perfmon"
+
+Squelch the denials and allow the capabilities in the libvirtd
+apparmor profile.
+
+Signed-off-by: Jim Fehlig <jfehlig@suse.com>
+Reviewed-by: Neal Gompa <ngompa13@gmail.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/security/apparmor/usr.sbin.libvirtd.in | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
+index 1e137039e9..49266743f5 100644
+--- a/src/security/apparmor/usr.sbin.libvirtd.in
++++ b/src/security/apparmor/usr.sbin.libvirtd.in
+@@ -25,6 +25,9 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
+   capability fsetid,
+   capability audit_write,
+   capability ipc_lock,
++  capability sys_rawio,
++  capability bpf,
++  capability perfmon,
+ 
+   # Needed for vfio
+   capability sys_resource,
+-- 
+2.27.0
+
diff --git a/libvirt.spec b/libvirt.spec
index 760824f..7597851 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -101,7 +101,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 6.2.0
-Release: 35
+Release: 36
 License: LGPLv2+
 URL: https://libvirt.org/
 
@@ -245,6 +245,7 @@ Patch0132: qemu-monitor-Don-t-add-props-wrapper-if-qemu-has-QEM.patch
 Patch0133: qemu-command-Use-JSON-for-QAPIfied-object-directly.patch
 Patch0134: tests-qemuxml2argv-Validate-generation-of-JSON-props.patch
 Patch0135: qemu-capabilities-Enable-detection-of-QEMU_CAPS_OBJE.patch
+Patch0136: apparmor-Permit-new-capabilities-required-by-libvirt.patch
 
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@@ -1979,6 +1980,9 @@ exit 0
 
 
 %changelog
+* Thu Mar 24 2022 yezengruan <yezengruan@huawei.com>
+- apparmor: Permit new capabilities required by libvirtd
+
 * Thu Mar 24 2022 yezengruan <yezengruan@huawei.com>
 - qemuMonitorJSONSetMigrationParams: Take double pointer for @params
 - qemuMonitorJSONAddObject: Take double pointer for @props
-- 
Gitee