[libvirt PATCH 0/8] apparmor: Improve overrides, fix 2.x compatibility
by Andrea Bolognani
An alternative to Jim's attempt[1]. See [2] for the discussion
leading up to these changes.
[1] https://listman.redhat.com/archives/libvir-list/2023-June/240531.html
[2] https://listman.redhat.com/archives/libvir-list/2023-June/240251.html
Andrea Bolognani (8):
meson: Detect AppArmor 3.x
apparmor: Allow version-specific bits in profiles
apparmor: Allow version-specific bits in abstractions too
apparmor: Only support passt on 3.x
apparmor: Make abstractions extensible
apparmor: Improve virt-aa-helper include
apparmor: Make all profiles extensible
NEWS: Mention overrides for AppArmor profiles and abstractions
NEWS.rst | 8 +++
meson.build | 3 +
.../apparmor/{libvirt-lxc => libvirt-lxc.in} | 4 ++
.../{libvirt-qemu => libvirt-qemu.in} | 6 ++
src/security/apparmor/meson.build | 68 ++++++++++++++++---
.../usr.lib.libvirt.virt-aa-helper.in | 5 ++
src/security/apparmor/usr.sbin.libvirtd.in | 4 ++
src/security/apparmor/usr.sbin.virtqemud.in | 4 ++
src/security/apparmor/usr.sbin.virtxend.in | 4 ++
9 files changed, 96 insertions(+), 10 deletions(-)
rename src/security/apparmor/{libvirt-lxc => libvirt-lxc.in} (98%)
rename src/security/apparmor/{libvirt-qemu => libvirt-qemu.in} (98%)
--
2.41.0
1 year, 6 months
[PATCH V2 0/3] apparmor: Add support for local profile customizations
by Jim Fehlig
This is a stab at a V2 of
https://listman.redhat.com/archives/libvir-list/2023-June/240219.html
That patch was ACKed and committed, but reverted before the 9.5.0 release
since it could be problematic with older apparmor 2.x versions still
supported by libvirt.
Andrea suggested copies of the profiles for apparmor 2.x and 3.x. This
series takes that approach, with patch 1 making an identical copy of the
src/security/apparmor directory. Patches 2 and 3 then adjust the profiles
accordingly.
My approach to copying the existing directory does introduce some duplicate
files in the tree, but otherwise it's minimally disruptive and will be easy
to rip out when upstream libvirt no longer needs to support apparmor 2.x.
FYI, so far I've only tested with apparmor 3.x, but I did push the changes
to my fork with CI enabled
https://gitlab.com/jfehlig/libvirt/-/pipelines/915347878
Thanks for comments/suggestions!
Jim Fehlig (3):
apparmor: Create version specific apparmor profiles
apparmor: Remove support for passt from apparmor 2.x
apparmor: Add support for local profile customizations
meson.build | 6 +-
src/security/apparmor-2/TEMPLATE.lxc | 15 +
src/security/apparmor-2/TEMPLATE.qemu | 9 +
src/security/apparmor-2/libvirt-lxc | 118 ++++++++
src/security/apparmor-2/libvirt-qemu | 256 ++++++++++++++++++
src/security/apparmor-2/meson.build | 41 +++
.../usr.lib.libvirt.virt-aa-helper.in | 75 +++++
.../usr.lib.libvirt.virt-aa-helper.local | 1 +
src/security/apparmor-2/usr.sbin.libvirtd.in | 142 ++++++++++
src/security/apparmor-2/usr.sbin.virtqemud.in | 135 +++++++++
src/security/apparmor-2/usr.sbin.virtxend.in | 55 ++++
src/security/apparmor/libvirt-lxc | 3 +
src/security/apparmor/libvirt-qemu | 3 +
src/security/apparmor/usr.sbin.libvirtd.in | 5 +-
src/security/apparmor/usr.sbin.virtqemud.in | 3 +
src/security/apparmor/usr.sbin.virtxend.in | 3 +
src/security/meson.build | 3 +
17 files changed, 871 insertions(+), 2 deletions(-)
create mode 100644 src/security/apparmor-2/TEMPLATE.lxc
create mode 100644 src/security/apparmor-2/TEMPLATE.qemu
create mode 100644 src/security/apparmor-2/libvirt-lxc
create mode 100644 src/security/apparmor-2/libvirt-qemu
create mode 100644 src/security/apparmor-2/meson.build
create mode 100644 src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.in
create mode 100644 src/security/apparmor-2/usr.lib.libvirt.virt-aa-helper.local
create mode 100644 src/security/apparmor-2/usr.sbin.libvirtd.in
create mode 100644 src/security/apparmor-2/usr.sbin.virtqemud.in
create mode 100644 src/security/apparmor-2/usr.sbin.virtxend.in
--
2.41.0
1 year, 6 months
[PATCH] nodedev: transient mdev update on nodeDeviceCreateXML
by Boris Fiuczynski
Update the optional mdev attributes on the newly created nodedev object, as
they otherwise would not get set until the next mdevctl update cycle.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2143158
Signed-off-by: Boris Fiuczynski <fiuczy(a)linux.ibm.com>
---
src/node_device/node_device_driver.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/node_device/node_device_driver.c b/src/node_device/node_device_driver.c
index a2d0600560..5134d246f3 100644
--- a/src/node_device/node_device_driver.c
+++ b/src/node_device/node_device_driver.c
@@ -847,6 +847,9 @@ static virNodeDevicePtr
nodeDeviceCreateXMLMdev(virConnectPtr conn,
virNodeDeviceDef *def)
{
+ virNodeDeviceObj *obj;
+ virNodeDeviceDef *new_def;
+ virNodeDevicePtr device;
g_autofree char *uuid = NULL;
if (!def->parent) {
@@ -864,8 +867,19 @@ nodeDeviceCreateXMLMdev(virConnectPtr conn,
def->caps->data.mdev.uuid = g_steal_pointer(&uuid);
}
- return nodeDeviceFindNewMediatedDevice(conn, def->caps->data.mdev.uuid,
- def->caps->data.mdev.parent_addr);
+ device = nodeDeviceFindNewMediatedDevice(conn, def->caps->data.mdev.uuid,
+ def->caps->data.mdev.parent_addr);
+ /* check on def for attributes and try update */
+ if (def->caps->data.mdev.nattributes > 0) {
+ /* ignore failures as mdevctl updates will recover later */
+ if (!(obj = nodeDeviceObjFindByName(device->name)))
+ return device;
+ new_def = virNodeDeviceObjGetDef(obj);
+ nodeDeviceDefCopyFromMdevctl(new_def, def);
+ virNodeDeviceObjEndAPI(&obj);
+ }
+
+ return device;
}
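Review bot: `device` is dereferenced without a NULL check in the new `if (def->caps->data.mdev.nattributes > 0)` block: `nodeDeviceObjFindByName(device->name)` runs on whatever `nodeDeviceFindNewMediatedDevice()` returned, whereas before this change that return value was passed straight back to the caller. If that lookup can fail and return NULL, this path now crashes instead of propagating the failure; add `if (!device) return NULL;` before the attribute update. `obj` and `new_def` are only used inside that block and could be declared there instead of at function scope.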
--
2.41.0
1 year, 6 months
[PATCH] Revert "lxc_fuse: Tell FUSE that /proc/meminfo is nonseekable"
by Michal Privoznik
After v8.1.0-61-g030faee28d it is no longer necessary to make the
/proc/meminfo file nonseekable as our code that fills the file
with spoofed values can handle seeking just fine.
Previously, `free(1)` was okay with failed lseek(), but this was
ages ago and meanwhile the procps project moved to creating a
library and moved the file parsing code under an exported
function. In an attempt to make the function callable multiple
times, it can lseek() multiple times and failure to do so is
fatal.
This reverts commit 766495508650bebd5f4ac23224ecd0a2ee2ca9eb.
Resolves: https://gitlab.com/libvirt/libvirt/-/issues/492
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
Ideally, I'd like to merge this in time for the upcoming release, but I
don't insist. It's a bug fix after all ;-)
src/lxc/lxc_fuse.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/lxc/lxc_fuse.c b/src/lxc/lxc_fuse.c
index a11cbbaff7..44bdd1412d 100644
--- a/src/lxc/lxc_fuse.c
+++ b/src/lxc/lxc_fuse.c
@@ -163,7 +163,6 @@ lxcProcOpen(const char *path,
return -EACCES;
fi->direct_io = 1;
- fi->nonseekable = 1;
return 0;
}
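Review bot: With `fi->nonseekable = 1;` removed, nothing in `lxcProcOpen()` records why seeking is safe while `fi->direct_io = 1;` stays set. A short comment next to `direct_io` stating that the code filling the file handles a non-zero offset would keep the flag from being reintroduced later, and a test that reads `/proc/meminfo`, seeks back to 0 and reads again would cover the regression from the linked issue.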
--
2.39.3
1 year, 6 months
[PATCH] scripts: Fix the flake8 syntax-check failures
by Han Han
Fix the syntax-check failures with the help of isort[1]:
289/316 libvirt:syntax-check / flake8 FAIL 5.24s exit status 2
[1]: https://pycqa.github.io/isort/
Signed-off-by: Han Han <hhan(a)redhat.com>
---
ci/util.py | 3 +--
run.in | 2 +-
scripts/apibuild.py | 6 +++---
scripts/check-html-references.py | 4 ++--
scripts/check-pot.py | 2 +-
scripts/esx_vi_generator.py | 3 +--
scripts/hvsupport.py | 2 +-
scripts/hyperv_wmi_generator.py | 2 +-
scripts/meson-timestamp.py | 1 -
src/cpu_map/sync_qemu_models_i386.py | 3 ++-
tests/cputestdata/cpu-data.py | 1 -
tests/virsh-auth | 2 +-
tools/virt-qemu-qmp-proxy | 9 +++++----
tools/virt-qemu-sev-validate | 9 +++++----
14 files changed, 24 insertions(+), 25 deletions(-)
diff --git a/ci/util.py b/ci/util.py
index f9f3c550db..f18da8d662 100644
--- a/ci/util.py
+++ b/ci/util.py
@@ -1,8 +1,7 @@
import json
import pathlib
-import urllib.request
import urllib.parse
-
+import urllib.request
from typing import Dict, List
diff --git a/run.in b/run.in
index c6d3411082..80a5d2dd43 100644
--- a/run.in
+++ b/run.in
@@ -44,8 +44,8 @@ import os
import os.path
import random
import signal
-import sys
import subprocess
+import sys
# Function to intelligently prepend a path to an environment variable.
diff --git a/scripts/apibuild.py b/scripts/apibuild.py
index f532dbe834..3ecc3eadf7 100755
--- a/scripts/apibuild.py
+++ b/scripts/apibuild.py
@@ -8,11 +8,11 @@
# daniel(a)veillard.com
#
-import os
-import sys
+import argparse
import glob
+import os
import re
-import argparse
+import sys
quiet = True
warnings = 0
diff --git a/scripts/check-html-references.py b/scripts/check-html-references.py
index 788622a2d0..d15f28bea7 100755
--- a/scripts/check-html-references.py
+++ b/scripts/check-html-references.py
@@ -16,10 +16,10 @@
#
# Check that external references between documentation HTML files are not broken.
-import sys
-import os
import argparse
+import os
import re
+import sys
import xml.etree.ElementTree as ET
ns = {'html': 'http://www.w3.org/1999/xhtml'}
diff --git a/scripts/check-pot.py b/scripts/check-pot.py
index f6b4fbf36d..6b6b1879fa 100755
--- a/scripts/check-pot.py
+++ b/scripts/check-pot.py
@@ -1,7 +1,7 @@
#!/usr/bin/env python3
-import sys
import re
+import sys
if len(sys.argv) != 2:
print(f"usage: {sys.argv[0]} POTFILE", file=sys.stderr)
diff --git a/scripts/esx_vi_generator.py b/scripts/esx_vi_generator.py
index 31c36f42e2..0e9adeeefd 100755
--- a/scripts/esx_vi_generator.py
+++ b/scripts/esx_vi_generator.py
@@ -22,10 +22,9 @@
# <http://www.gnu.org/licenses/>.
#
-import sys
import os
import os.path
-
+import sys
OCCURRENCE__REQUIRED_ITEM = "r"
OCCURRENCE__REQUIRED_LIST = "rl"
diff --git a/scripts/hvsupport.py b/scripts/hvsupport.py
index be6bf7b0d2..2327bdf3b8 100755
--- a/scripts/hvsupport.py
+++ b/scripts/hvsupport.py
@@ -16,9 +16,9 @@
# License along with this library. If not, see
# <http://www.gnu.org/licenses/>.
-import sys
import os.path
import re
+import sys
if len(sys.argv) != 3:
print("syntax: %s TOP-SRCDIR TOP-BUILDDIR\n" % sys.argv[0], file=sys.stderr)
diff --git a/scripts/hyperv_wmi_generator.py b/scripts/hyperv_wmi_generator.py
index d11dfb1809..e10f7f79a7 100755
--- a/scripts/hyperv_wmi_generator.py
+++ b/scripts/hyperv_wmi_generator.py
@@ -20,9 +20,9 @@
# <http://www.gnu.org/licenses/>.
#
-import sys
import os
import os.path
+import sys
separator = "/*" + ("*" * 50) + "*\n"
wmi_classes_by_name = {}
diff --git a/scripts/meson-timestamp.py b/scripts/meson-timestamp.py
index f109cad66e..01dc794a5a 100755
--- a/scripts/meson-timestamp.py
+++ b/scripts/meson-timestamp.py
@@ -1,7 +1,6 @@
#!/usr/bin/env python3
import os
-
from datetime import datetime, timezone
timestamp = os.environ.get('SOURCE_DATE_EPOCH', None)
diff --git a/src/cpu_map/sync_qemu_models_i386.py b/src/cpu_map/sync_qemu_models_i386.py
index b5e738def7..65181b6f90 100755
--- a/src/cpu_map/sync_qemu_models_i386.py
+++ b/src/cpu_map/sync_qemu_models_i386.py
@@ -2,11 +2,12 @@
import argparse
import copy
-import lark
import os
import re
import xml.etree.ElementTree
+import lark
+
def translate_vendor(name):
T = {
diff --git a/tests/cputestdata/cpu-data.py b/tests/cputestdata/cpu-data.py
index b5641f7c16..37fb2e3791 100755
--- a/tests/cputestdata/cpu-data.py
+++ b/tests/cputestdata/cpu-data.py
@@ -10,7 +10,6 @@ import subprocess
import sys
import xml.etree.ElementTree
-
_KEYS = {
"cpuid": ["eax_in", "ecx_in"],
"msr": ["index"],
diff --git a/tests/virsh-auth b/tests/virsh-auth
index ce3a599107..f4ed798ec4 100755
--- a/tests/virsh-auth
+++ b/tests/virsh-auth
@@ -19,8 +19,8 @@
import os
import os.path
-import sys
import subprocess
+import sys
builddir = os.getenv("abs_top_builddir")
if builddir is None:
diff --git a/tools/virt-qemu-qmp-proxy b/tools/virt-qemu-qmp-proxy
index dfbaa1ff0c..dcdb24b9a9 100755
--- a/tools/virt-qemu-qmp-proxy
+++ b/tools/virt-qemu-qmp-proxy
@@ -2,16 +2,17 @@
import argparse
import array
-import libvirt
-import libvirt_qemu
+import fcntl
+import json
import os
import re
import socket
import sys
import traceback
-import json
-import fcntl
+import libvirt
+
+import libvirt_qemu
debug = False
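Review bot: The reordered block ends with `import libvirt`, an empty line, then `import libvirt_qemu`, so two modules that belong together land in different isort sections. That looks like a side effect of how isort classified `libvirt_qemu` rather than an intended grouping; keep both in one third-party group, for example by listing `libvirt_qemu` under `known_third_party` in the isort configuration, so the result does not depend on module classification.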
diff --git a/tools/virt-qemu-sev-validate b/tools/virt-qemu-sev-validate
index 7a8c3205e7..209f19a4a8 100755
--- a/tools/virt-qemu-sev-validate
+++ b/tools/virt-qemu-sev-validate
@@ -36,22 +36,23 @@
import abc
import argparse
-from base64 import b64decode, b64encode
-from hashlib import sha256
import hmac
import logging
import os
import re
import socket
-from struct import pack
import sys
import traceback
+from base64 import b64decode, b64encode
+from hashlib import sha256
+from struct import pack
from uuid import UUID
+
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+import libvirt
from lxml import etree
-import libvirt
log = logging.getLogger()
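Review bot: The third-party group at the end of this hunk is ordered `from cryptography...`, `import libvirt`, `from lxml import etree`, mixing plain and `from` imports alphabetically, while the standard-library group above it puts every plain `import` first and the `from` imports (`base64`, `hashlib`, `struct`, `uuid`) after them. Pick one convention for both groups, and state in the commit message which isort options produced this ordering so the result can be reproduced and enforced by the syntax check.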
--
2.40.1
1 year, 6 months
[PATCH 0/3] Fix recent deadlocks when spawning processes
by Michal Privoznik
This is basically a v2 of:
https://listman.redhat.com/archives/libvir-list/2023-June/240320.html
But after discussion with Dan and most importantly, once he found the
root cause we can do proper fixes instead of papering over the issue.
Michal Prívozník (3):
vircommand: Use closefrom() more often
vircommand: Utilize close_range()
virGlobalInit: Make glib init its own global state
meson.build | 2 +
src/libvirt.c | 8 ++
src/util/vircommand.c | 239 +++++++++++++++++++++++++++++++-----------
3 files changed, 190 insertions(+), 59 deletions(-)
--
2.39.3
1 year, 6 months
[PATCH] domain_event: Drop virDomainEventMemoryDeviceSizeChangePtr
by Michal Privoznik
We dropped our private virXXXPtr typedefs in v7.3.0-rc1~229 but
somehow v7.9.0-rc1~292 introduced one back:
virDomainEventMemoryDeviceSizeChangePtr. There's no need for it
and it's internal only. Drop it.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/conf/domain_event.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/src/conf/domain_event.c b/src/conf/domain_event.c
index 94b7335e56..75603a933a 100644
--- a/src/conf/domain_event.c
+++ b/src/conf/domain_event.c
@@ -284,7 +284,6 @@ struct _virDomainEventMemoryDeviceSizeChange {
unsigned long long size;
};
typedef struct _virDomainEventMemoryDeviceSizeChange virDomainEventMemoryDeviceSizeChange;
-typedef virDomainEventMemoryDeviceSizeChange *virDomainEventMemoryDeviceSizeChangePtr;
static int
virDomainEventsOnceInit(void)
@@ -554,7 +553,7 @@ virDomainEventMemoryFailureDispose(void *obj)
static void
virDomainEventMemoryDeviceSizeChangeDispose(void *obj)
{
- virDomainEventMemoryDeviceSizeChangePtr event = obj;
+ virDomainEventMemoryDeviceSizeChange *event = obj;
VIR_DEBUG("obj=%p", event);
g_free(event->alias);
@@ -1692,7 +1691,7 @@ virDomainEventMemoryDeviceSizeChangeNew(int id,
const char *alias,
unsigned long long size)
{
- virDomainEventMemoryDeviceSizeChangePtr ev;
+ virDomainEventMemoryDeviceSizeChange *ev;
if (virDomainEventsInitialize() < 0)
return NULL;
@@ -2033,9 +2032,9 @@ virDomainEventDispatchDefaultFunc(virConnectPtr conn,
case VIR_DOMAIN_EVENT_ID_MEMORY_DEVICE_SIZE_CHANGE:
{
- virDomainEventMemoryDeviceSizeChangePtr memoryDeviceSizeChangeEvent;
+ virDomainEventMemoryDeviceSizeChange *memoryDeviceSizeChangeEvent;
- memoryDeviceSizeChangeEvent = (virDomainEventMemoryDeviceSizeChangePtr)event;
+ memoryDeviceSizeChangeEvent = (virDomainEventMemoryDeviceSizeChange *)event;
((virConnectDomainEventMemoryDeviceSizeChangeCallback)cb)(conn, dom,
memoryDeviceSizeChangeEvent->alias,
memoryDeviceSizeChangeEvent->size,
--
2.39.3
1 year, 6 months
[PATCH] Revert "apparmor: Add support for local profile customizations"
by Jim Fehlig
As it turns out, apparmor 2.x and 3.x behave differently or have differing
levels of support for local customizations of profiles and profile
abstractions. Additionally the apparmor 2.x tools do not cope well with
'include if exists'. Revert this commit until a more complete solution is
developed that works with old and new apparmor.
Reverts: 9b743ee19053db2fc3da8fba1e9cf81915c1e2f4
Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
---
src/security/apparmor/meson.build | 12 +++++-------
src/security/apparmor/usr.sbin.libvirtd.in | 3 ---
src/security/apparmor/usr.sbin.libvirtd.local | 1 -
src/security/apparmor/usr.sbin.virtqemud.in | 3 ---
src/security/apparmor/usr.sbin.virtqemud.local | 1 -
src/security/apparmor/usr.sbin.virtxend.in | 3 ---
src/security/apparmor/usr.sbin.virtxend.local | 1 -
7 files changed, 5 insertions(+), 19 deletions(-)
diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
index 02a6d098ad..58b4024b85 100644
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -34,10 +34,8 @@ install_data(
install_dir: apparmor_dir / 'libvirt',
)
-foreach name : apparmor_gen_profiles
- install_data(
- '@0@.local'.format(name),
- install_dir: apparmor_dir / 'local',
- rename: name,
- )
-endforeach
+install_data(
+ 'usr.lib.libvirt.virt-aa-helper.local',
+ install_dir: apparmor_dir / 'local',
+ rename: 'usr.lib.libvirt.virt-aa-helper',
+)
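Review bot: After this hunk the only override file still installed into `apparmor_dir / 'local'` is `usr.lib.libvirt.virt-aa-helper.local`, yet the commit message names the apparmor 2.x tools' handling of `include if exists` as a reason for the revert. Confirm, and say in the commit message, which include form the virt-aa-helper profile uses for its local file, so it is clear that the remaining override is not affected by the same 2.x problem.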
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index 41bdef53ec..edb8dd8e26 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -139,7 +139,4 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
}
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists <local/usr.sbin.libvirtd>
}
diff --git a/src/security/apparmor/usr.sbin.libvirtd.local b/src/security/apparmor/usr.sbin.libvirtd.local
deleted file mode 100644
index 3716400022..0000000000
--- a/src/security/apparmor/usr.sbin.libvirtd.local
+++ /dev/null
@@ -1 +0,0 @@
-# Site-specific additions and overrides for 'usr.sbin.libvirtd'
diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/apparmor/usr.sbin.virtqemud.in
index 3ebdbf2a8f..f269c60809 100644
--- a/src/security/apparmor/usr.sbin.virtqemud.in
+++ b/src/security/apparmor/usr.sbin.virtqemud.in
@@ -132,7 +132,4 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
}
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists <local/usr.sbin.virtqemud>
}
diff --git a/src/security/apparmor/usr.sbin.virtqemud.local b/src/security/apparmor/usr.sbin.virtqemud.local
deleted file mode 100644
index 2ac68bb069..0000000000
--- a/src/security/apparmor/usr.sbin.virtqemud.local
+++ /dev/null
@@ -1 +0,0 @@
-# Site-specific additions and overrides for 'usr.sbin.virtqemud'
diff --git a/src/security/apparmor/usr.sbin.virtxend.in b/src/security/apparmor/usr.sbin.virtxend.in
index 719766a0c1..72e0d801e5 100644
--- a/src/security/apparmor/usr.sbin.virtxend.in
+++ b/src/security/apparmor/usr.sbin.virtxend.in
@@ -52,7 +52,4 @@ profile virtxend @sbindir@/virtxend flags=(attach_disconnected) {
@libexecdir@/libvirt_iohelper ix,
/etc/libvirt/hooks/** rmix,
/etc/xen/scripts/** rmix,
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists <local/usr.sbin.virtxend>
}
diff --git a/src/security/apparmor/usr.sbin.virtxend.local b/src/security/apparmor/usr.sbin.virtxend.local
deleted file mode 100644
index 2ade86d4df..0000000000
--- a/src/security/apparmor/usr.sbin.virtxend.local
+++ /dev/null
@@ -1 +0,0 @@
-# Site-specific additions and overrides for 'usr.sbin.virtxend'
--
2.41.0
1 year, 6 months
[libvirt PATCH] Add <title> and <description> for Network Objects
by K Shiva
This patch adds new elements <title> and <description> to the Network XML.
- The <title> attribute holds a short title defined by the user and
cannot contain newlines.
- The <description> attribute holds any documentation that the user
wants to store.
- Schema definitions of <title> and <metadata> have been moved from
domaincommon.rng to basictypes.rng for use by network and future objects.
Get/Set Public APIs for modifying these elements as well as
<metadata> will be added in a subsequent patch.
Signed-off-by: K Shiva Kiran <shiva_kr(a)riseup.net>
---
docs/formatnetwork.rst | 11 +++++++++++
src/conf/network_conf.c | 13 +++++++++++++
src/conf/network_conf.h | 2 ++
src/conf/schemas/basictypes.rng | 15 +++++++++++++++
src/conf/schemas/domaincommon.rng | 15 ---------------
src/conf/schemas/network.rng | 10 ++++++++++
6 files changed, 51 insertions(+), 15 deletions(-)
diff --git a/docs/formatnetwork.rst b/docs/formatnetwork.rst
index b5dc29db07..ee07f7d505 100644
--- a/docs/formatnetwork.rst
+++ b/docs/formatnetwork.rst
@@ -30,6 +30,8 @@ The first elements provide basic metadata about the virtual network.
<network ipv6='yes' trustGuestRxFilters='no'>
<name>default</name>
<uuid>3e3fce45-4f53-4fa7-bb32-11f34168b82b</uuid>
+ <title>A short description - title - of the network</title>
+ <description>Some human readable description</description>
<metadata>
<app1:foo xmlns:app1="http://app1.org/app1/">..</app1:foo>
<app2:bar xmlns:app2="http://app1.org/app2/">..</app2:bar>
@@ -47,6 +49,7 @@ The first elements provide basic metadata about the virtual network.
the virtual network. The format must be RFC 4122 compliant, eg
``3e3fce45-4f53-4fa7-bb32-11f34168b82b``. If omitted when defining/creating a
new network, a random UUID is generated. :since:`Since 0.3.0`
+``metadata``
The ``metadata`` node can be used by applications to store custom metadata in
the form of XML nodes/trees. Applications must use custom namespaces on their
XML nodes/trees, with only one top-level element per namespace (if the
@@ -65,6 +68,14 @@ The first elements provide basic metadata about the virtual network.
documentation for more details. Note that an explicit setting of this
attribute in a portgroup or the individual domain interface will override the
setting in the network.
+``title``
+ The optional element ``title`` provides space for a short description of the
+ network. The title should not contain any newlines. :since:`Since 9.5.0` .
+``description``
+ The content of the ``description`` element provides a human readable
+ description of the network. This data is not used by libvirt in any
+ way, it can contain any information the user wants. :since:`Since 9.5.0`
+
Connectivity
~~~~~~~~~~~~
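Review bot: The `title` entry says the title "should not contain any newlines", but the parser change in this patch rejects such input with an error, so the documentation should say "must not". The same entry ends with a stray space before the period after the `:since:` marker, and both new entries are added after the paragraph about portgroup overrides although the example XML places `<title>` and `<description>` directly after `<uuid>`; moving them next to the `uuid` entry keeps the element descriptions in document order.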
diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
index 73788b6d87..1e5d45f23a 100644
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -281,6 +281,8 @@ virNetworkDefFree(virNetworkDef *def)
virNetDevBandwidthFree(def->bandwidth);
virNetDevVlanClear(&def->vlan);
+ g_free(def->title);
+ g_free(def->description);
xmlFreeNode(def->metadata);
if (def->namespaceData && def->ns.free)
@@ -1599,6 +1601,17 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt,
def->uuid_specified = true;
}
+ /* Extract short description of network (title) */
+ def->title = virXPathString("string(./title[1])", ctxt);
+ if (def->title && strchr(def->title, '\n')) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("Network title can't contain newlines"));
+ return NULL;
+ }
+
+ /* Extract documentation if present */
+ def->description = virXPathString("string(./description[1])", ctxt);
+
/* check if definitions with no IPv6 gateway addresses is to
* allow guest-to-guest communications.
*/
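Review bot: `def->title` and `def->description` are parsed here and freed in `virNetworkDefFree()`, but this patch has no matching hunk in the formatter, so both values are dropped whenever the definition is written back out as XML. Emit them after `<uuid>` using an escaping buffer helper, since the description is free text, and add a network XML round-trip test case; the diffstat touches no files under tests/.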
diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
index 2b2e9d15f0..5a1bdb1284 100644
--- a/src/conf/network_conf.h
+++ b/src/conf/network_conf.h
@@ -249,6 +249,8 @@ struct _virNetworkDef {
unsigned char uuid[VIR_UUID_BUFLEN];
bool uuid_specified;
char *name;
+ char *title;
+ char *description;
int connections; /* # of guest interfaces connected to this network */
char *bridge; /* Name of bridge device */
diff --git a/src/conf/schemas/basictypes.rng b/src/conf/schemas/basictypes.rng
index 2d6f1a2c84..26eb538077 100644
--- a/src/conf/schemas/basictypes.rng
+++ b/src/conf/schemas/basictypes.rng
@@ -610,6 +610,21 @@
</choice>
</define>
+ <!--
+ title and description element, may be placed anywhere under the root
+ -->
+ <define name="title">
+ <element name="title">
+ <ref name="objectNameWithSlash"/>
+ </element>
+ </define>
+
+ <define name="description">
+ <element name="description">
+ <text/>
+ </element>
+ </define>
+
<define name="metadata">
<element name="metadata">
<zeroOrMore>
diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincommon.rng
index fcf9e00600..a4360a4036 100644
--- a/src/conf/schemas/domaincommon.rng
+++ b/src/conf/schemas/domaincommon.rng
@@ -8,21 +8,6 @@
<include href="nwfilter_params.rng"/>
<include href="privatedata.rng"/>
- <!--
- description and title element, may be placed anywhere under the root
- -->
- <define name="description">
- <element name="description">
- <text/>
- </element>
- </define>
-
- <define name="title">
- <element name="title">
- <ref name="objectNameWithSlash"/>
- </element>
- </define>
-
<define name="createMode">
<data type="unsignedInt">
<param name="pattern">0[0-7]{3}|[0-7]{1,3}</param>
diff --git a/src/conf/schemas/network.rng b/src/conf/schemas/network.rng
index 4317572208..cda174ab4b 100644
--- a/src/conf/schemas/network.rng
+++ b/src/conf/schemas/network.rng
@@ -37,6 +37,16 @@
<text/>
</element>
+ <!-- <title> element -->
+ <optional>
+ <ref name="title"/>
+ </optional>
+
+ <!-- <description> element -->
+ <optional>
+ <ref name="description"/>
+ </optional>
+
<!-- <metadata> element -->
<optional>
<ref name="metadata"/>
--
2.41.0
1 year, 6 months
[libvirt PATCH v2] Add <title> and <description> for Network Objects
by K Shiva Kiran
From: K Shiva <shiva_kr(a)riseup.net>
This patch adds new elements <title> and <description> to the Network XML.
- The <title> attribute holds a short title defined by the user and
cannot contain newlines.
- The <description> attribute holds any documentation that the user
wants to store.
- Schema definitions of <title> and <description> have been moved from
domaincommon.rng to basictypes.rng for use by network and future objects.
Signed-off-by: K Shiva Kiran <shiva_kr(a)riseup.net>
---
This is a v2 of:
https://listman.redhat.com/archives/libvir-list/2023-June/240473.html
diff to v1:
- Corrected commit message.
- Adds <title> and <description> XML strings to virBuffer.
docs/formatnetwork.rst | 11 +++++++++++
src/conf/network_conf.c | 18 ++++++++++++++++++
src/conf/network_conf.h | 2 ++
src/conf/schemas/basictypes.rng | 15 +++++++++++++++
src/conf/schemas/domaincommon.rng | 15 ---------------
src/conf/schemas/network.rng | 10 ++++++++++
6 files changed, 56 insertions(+), 15 deletions(-)
diff --git a/docs/formatnetwork.rst b/docs/formatnetwork.rst
index b5dc29db07..ee07f7d505 100644
--- a/docs/formatnetwork.rst
+++ b/docs/formatnetwork.rst
@@ -30,6 +30,8 @@ The first elements provide basic metadata about the virtual network.
<network ipv6='yes' trustGuestRxFilters='no'>
<name>default</name>
<uuid>3e3fce45-4f53-4fa7-bb32-11f34168b82b</uuid>
+ <title>A short description - title - of the network</title>
+ <description>Some human readable description</description>
<metadata>
<app1:foo xmlns:app1="http://app1.org/app1/">..</app1:foo>
<app2:bar xmlns:app2="http://app1.org/app2/">..</app2:bar>
@@ -47,6 +49,7 @@ The first elements provide basic metadata about the virtual network.
the virtual network. The format must be RFC 4122 compliant, eg
``3e3fce45-4f53-4fa7-bb32-11f34168b82b``. If omitted when defining/creating a
new network, a random UUID is generated. :since:`Since 0.3.0`
+``metadata``
The ``metadata`` node can be used by applications to store custom metadata in
the form of XML nodes/trees. Applications must use custom namespaces on their
XML nodes/trees, with only one top-level element per namespace (if the
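Review bot: The ``metadata`` term added in front of the existing metadata paragraph is a documentation fix unrelated to the new elements, and the commit message does not mention it. Note it in the commit message or split it into its own patch so the fix to the definition list can be reviewed and backported independently.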
@@ -65,6 +68,14 @@ The first elements provide basic metadata about the virtual network.
documentation for more details. Note that an explicit setting of this
attribute in a portgroup or the individual domain interface will override the
setting in the network.
+``title``
+ The optional element ``title`` provides space for a short description of the
+ network. The title should not contain any newlines. :since:`Since 9.5.0` .
+``description``
+ The content of the ``description`` element provides a human readable
+ description of the network. This data is not used by libvirt in any
+ way, it can contain any information the user wants. :since:`Since 9.5.0`
+
Connectivity
~~~~~~~~~~~~
diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
index 73788b6d87..427635250c 100644
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -281,6 +281,8 @@ virNetworkDefFree(virNetworkDef *def)
virNetDevBandwidthFree(def->bandwidth);
virNetDevVlanClear(&def->vlan);
+ g_free(def->title);
+ g_free(def->description);
xmlFreeNode(def->metadata);
if (def->namespaceData && def->ns.free)
@@ -1599,6 +1601,17 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt,
def->uuid_specified = true;
}
+ /* Extract short description of network (title) */
+ def->title = virXPathString("string(./title[1])", ctxt);
+ if (def->title && strchr(def->title, '\n')) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("Network title can't contain newlines"));
+ return NULL;
+ }
+
+ /* Extract documentation if present */
+ def->description = virXPathString("string(./description[1])", ctxt);
+
/* check if definitions with no IPv6 gateway addresses is to
* allow guest-to-guest communications.
*/
@@ -2311,6 +2324,11 @@ virNetworkDefFormatBuf(virBuffer *buf,
virUUIDFormat(uuid, uuidstr);
virBufferAsprintf(buf, "<uuid>%s</uuid>\n", uuidstr);
+ virBufferEscapeString(buf, "<title>%s</title>\n", def->title);
+
+ virBufferEscapeString(buf, "<description>%s</description>\n",
+ def->description);
+
if (virXMLFormatMetadata(buf, def->metadata) < 0)
return -1;
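Review bot: The new `virBufferEscapeString()` calls in `virNetworkDefFormatBuf()` have no test coverage: the diffstat for this version still lists no files under tests/. Add a network XML case with a `<title>` and a multi-line `<description>` containing characters that need escaping (`<`, `&`) to the XML round-trip tests, plus a negative case for a title containing a newline, so that both the parse-time check and the escaping in the formatter are exercised.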
diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
index 2b2e9d15f0..5a1bdb1284 100644
--- a/src/conf/network_conf.h
+++ b/src/conf/network_conf.h
@@ -249,6 +249,8 @@ struct _virNetworkDef {
unsigned char uuid[VIR_UUID_BUFLEN];
bool uuid_specified;
char *name;
+ char *title;
+ char *description;
int connections; /* # of guest interfaces connected to this network */
char *bridge; /* Name of bridge device */
diff --git a/src/conf/schemas/basictypes.rng b/src/conf/schemas/basictypes.rng
index 2d6f1a2c84..26eb538077 100644
--- a/src/conf/schemas/basictypes.rng
+++ b/src/conf/schemas/basictypes.rng
@@ -610,6 +610,21 @@
</choice>
</define>
+ <!--
+ title and description element, may be placed anywhere under the root
+ -->
+ <define name="title">
+ <element name="title">
+ <ref name="objectNameWithSlash"/>
+ </element>
+ </define>
+
+ <define name="description">
+ <element name="description">
+ <text/>
+ </element>
+ </define>
+
<define name="metadata">
<element name="metadata">
<zeroOrMore>
diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincommon.rng
index fcf9e00600..a4360a4036 100644
--- a/src/conf/schemas/domaincommon.rng
+++ b/src/conf/schemas/domaincommon.rng
@@ -8,21 +8,6 @@
<include href="nwfilter_params.rng"/>
<include href="privatedata.rng"/>
- <!--
- description and title element, may be placed anywhere under the root
- -->
- <define name="description">
- <element name="description">
- <text/>
- </element>
- </define>
-
- <define name="title">
- <element name="title">
- <ref name="objectNameWithSlash"/>
- </element>
- </define>
-
<define name="createMode">
<data type="unsignedInt">
<param name="pattern">0[0-7]{3}|[0-7]{1,3}</param>
diff --git a/src/conf/schemas/network.rng b/src/conf/schemas/network.rng
index 4317572208..cda174ab4b 100644
--- a/src/conf/schemas/network.rng
+++ b/src/conf/schemas/network.rng
@@ -37,6 +37,16 @@
<text/>
</element>
+ <!-- <title> element -->
+ <optional>
+ <ref name="title"/>
+ </optional>
+
+ <!-- <description> element -->
+ <optional>
+ <ref name="description"/>
+ </optional>
+
<!-- <metadata> element -->
<optional>
<ref name="metadata"/>
--
2.41.0
1 year, 6 months