From 36fc806da3aedf0f608d343d803efe8ed9d21905 Mon Sep 17 00:00:00 2001
From: yezengruan
Date: Thu, 24 Mar 2022 16:27:21 +0800
Subject: [PATCH] update patch with openeuler !59 apparmor: Permit new capabilities required by libvirtd
Signed-off-by: yezengruan
(cherry picked from commit cc7a0d106087d7f1e1b09b4100ebd0051a9b2186)
---
 ...new-capabilities-required-by-libvirt.patch | 38 +++++++++++++++++++
 libvirt.spec | 6 ++-
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 apparmor-Permit-new-capabilities-required-by-libvirt.patch

diff --git a/apparmor-Permit-new-capabilities-required-by-libvirt.patch b/apparmor-Permit-new-capabilities-required-by-libvirt.patch
new file mode 100644
index 0000000..9efd2e6
--- /dev/null
+++ b/apparmor-Permit-new-capabilities-required-by-libvirt.patch
@@ -0,0 +1,38 @@
+From 9abebfb36b2380829be4a901d7c9785a7a8f5f6a Mon Sep 17 00:00:00 2001
+From: Jim Fehlig
+Date: Mon, 7 Jun 2021 16:21:28 -0600
+Subject: [PATCH] apparmor: Permit new capabilities required by libvirtd
+
+The audit log contains the following denials from libvirtd
+
+apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="daemon-init" capability=17 capname="sys_rawio"
+apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=39 capname="bpf"
+apparmor="DENIED" operation="capable" profile="libvirtd" pid=6012 comm="rpc-worker" capability=38 capname="perfmon"
+
+Squelch the denials and allow the capabilities in the libvirtd
+apparmor profile.
+
+Signed-off-by: Jim Fehlig
+Reviewed-by: Neal Gompa
+Reviewed-by: Michal Privoznik
+---
+ src/security/apparmor/usr.sbin.libvirtd.in | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
+index 1e137039e9..49266743f5 100644
+--- a/src/security/apparmor/usr.sbin.libvirtd.in
++++ b/src/security/apparmor/usr.sbin.libvirtd.in
+@@ -25,6 +25,9 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
+ capability fsetid,
+ capability audit_write,
+ capability ipc_lock,
++ capability sys_rawio,
++ capability bpf,
++ capability perfmon,
+
+ # Needed for vfio
+ capability sys_resource,
+--
+2.27.0
+
diff --git a/libvirt.spec b/libvirt.spec
index 760824f..7597851 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -101,7 +101,7 @@ Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 6.2.0
-Release: 35
+Release: 36
 License: LGPLv2+
 URL: https://libvirt.org/
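Review bot: The three new `capability` lines, `capability sys_rawio` above all, widen the confinement of the whole libvirtd profile with no comment recording why each one is needed, even though the adjacent `# Needed for vfio` line shows this profile's convention of justifying broad grants; sys_rawio covers raw I/O port access and raw device ioctls, so the single denial from `daemon-init` quoted in the message deserves a stated reason rather than a blanket squelch. I would annotate the lines along the lines of `# sys_rawio: DENIED for daemon-init at startup, see commit message` and `# bpf/perfmon: DENIED for rpc-worker; these names need apparmor_parser >= 3.0`. That second point is the practical risk of backporting this onto libvirt 6.2.0: the `bpf` and `perfmon` capability names are, as far as I can tell, only recognised by AppArmor 3.0 or newer, so on a host with an older parser the profile would likely fail to load and libvirtd run unconfined, which should be confirmed against the target distribution's apparmor version before shipping. The `profile libvirtd ... {` block that these lines belong to starts and ends outside the quoted hunk.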
@@ -245,6 +245,7 @@ Patch0132: qemu-monitor-Don-t-add-props-wrapper-if-qemu-has-QEM.patch
 Patch0133: qemu-command-Use-JSON-for-QAPIfied-object-directly.patch
 Patch0134: tests-qemuxml2argv-Validate-generation-of-JSON-props.patch
 Patch0135: qemu-capabilities-Enable-detection-of-QEMU_CAPS_OBJE.patch
+Patch0136: apparmor-Permit-new-capabilities-required-by-libvirt.patch
 
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@@ -1979,6 +1980,9 @@ exit 0
 
 %changelog
+* Thu Mar 24 2022 yezengruan
+- apparmor: Permit new capabilities required by libvirtd
+
 * Thu Mar 24 2022 yezengruan
 - qemuMonitorJSONSetMigrationParams: Take double pointer for @params
 - qemuMonitorJSONAddObject: Take double pointer for @props
-- 
Gitee