This patch series addresses bug fixes in the AppArmor driver as well as updating it to changes made in 0.7.6 and 0.7.7. All of these are self-contained within the driver except 4_qemu_driver_stdin_path.patch. This is required by 5_apparmor-fix-save-restore.patch (see below). These all pass 'make syntax-check' and 'make check' (except 'daemon-conf', which has never passed here and I didn't patch it).

1_apparmor-dont-clear-caps.patch: originally submitted on 2010/02/08 with no feedback. The calls to virExec() in security_apparmor.c when invoking virt-aa-helper use VIR_EXEC_CLEAR_CAPS. When compiled without libcap-ng, this is not a problem (it's effectively a no-op) but with libcap-ng this causes MAC_ADMIN to be cleared. MAC_ADMIN is needed by virt-aa-helper to manipulate apparmor profiles and without it VMs will not start[1]. This patch calls virExec with the default VIR_EXEC_NONE instead.

2_apparmor-remove-unloaded-profile-is-not-fatal.patch: Don't exit with error if the user unloaded the profile outside of libvirt[2]

3_apparmor-fix-vah-xml-parse.patch: add VIR_DOMAIN_XML_INACTIVE flag to virDomainDefParseString() so virDomainDefParseString() doesn't error out when seeing <seclabel...>. This was needed due to changes since 0.7.5.

4_qemu_driver_stdin_path.patch: adjust args to qemudStartVMDaemon() to also specify path to stdin_fd, so this can be passed to the AppArmor driver via *SetSecurityAllLabel(). This updates all calls to qemudStartVMDaemon() as well as setting up the non-AppArmor security driver *SetSecurityAllLabel() declarations for the above. This is required for 5_apparmor-fix-save-restore.patch since AppArmor resolves the passed file descriptor to the pathname given to open().

5_apparmor-fix-save-restore.patch: refactoring to update AppArmor security driver to adjust profile for save/restore[3]

6_apparmor-fix-backingstore.patch: adjust virt-aa-helper to handle backing store[4]

7_apparmor-fix-hostdev.patch: adjust virt-aa-helper to handle pci devices. Update valid_path() to have an override array to check against, and add "/sys/devices/pci" to it. Then rename file_iterate_cb() to file_iterate_hostdev_cb() and create file_iterate_pci_cb() based on it.

8_apparmor-fix-xauth.patch: adjust virt-aa-helper to handle SDL graphics, specifically Xauthority[6]. Also remove a couple redundant checks

9_apparmor-examples.patch: adjustments to the example profiles

10_apparmor-vah-test.patch: update pcidev test and add SDL xauth

[1] https://launchpad.net/bugs/517714
[2] https://launchpad.net/bugs/530400
[3] https://launchpad.net/bugs/457716
[4] https://launchpad.net/bugs/470636
[5] https://launchpad.net/bugs/545795
[6] https://launchpad.net/bugs/545426

--
Jamie Strandboge | http://www.canonical.com
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
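
The override check that the message describes for 7_apparmor-fix-hostdev.patch, sketched as an added example; it is not code from the message or from libvirt. The names check_path() and starts_with_any() and the contents of the restricted list are assumptions; only the "/sys/devices/pci" override entry comes from the message.

```c
#include <stdio.h>
#include <string.h>

/* Assumed for illustration: prefixes that must not be added to a profile. */
static const char *const restricted[] = { "/proc/", "/sys/" };
/* From the message: prefix accepted even though it sits under a restricted
 * one. No trailing slash, so it matches sysfs names such as pci0000:00. */
static const char *const override[] = { "/sys/devices/pci" };

#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Return 1 if path begins with any entry of list, else 0. */
static int starts_with_any(const char *path, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strncmp(path, list[i], strlen(list[i])) == 0)
            return 1;
    return 0;
}

/* Hypothetical check: 0 if path may go into the profile, -1 if refused. */
int check_path(const char *path)
{
    size_t len;

    if (path == NULL || path[0] != '/')
        return -1;                      /* absolute paths only */
    len = strlen(path);
    /* A prefix test is only sound on a path without ".." components,
     * otherwise an override prefix could lead back into a restricted tree. */
    if (strstr(path, "/../") || (len >= 3 && strcmp(path + len - 3, "/..") == 0))
        return -1;
    if (starts_with_any(path, override, N(override)))
        return 0;                       /* override wins over restricted */
    if (starts_with_any(path, restricted, N(restricted)))
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample paths, not taken from the patch series. */
    const char *samples[] = { "/sys/devices/pci0000:00/0000:00:19.0/config",
                              "/sys/kernel/security/apparmor/profiles" };
    for (size_t i = 0; i < N(samples); i++)
        printf("%-48s %s\n", samples[i], check_path(samples[i]) ? "refused" : "ok");
    return 0;
}
```

This sketch rejects ".." lexically and does not resolve symlinks.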