Enable default confinement #2
Closed
jsegitz wants to merge 82 commits into
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Currently, libxl_send_trigger() does not implement the LIBXL_TRIGGER_RESET option, but domainReset can be implemented in the libxl driver by forcibly destroying the domain and starting it again. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
"Static" DHCP networks are those where no dynamic DHCP range is defined, only a list of host entries is used to serve permanent IP addresses. On such networks, we don't want dnsmasq to reply to other requests than those statically defined. But "dhcp-authoritative" will cause dnsmasq to do just that. Therefore we can't use "dhcp-authoritative" for static networks. Fixes: 4ac20b3 "network: add dnsmasq option 'dhcp-authoritative'" Signed-off-by: Martin Wilck <mwilck@suse.com>
My idea that running pkttyagent unconditionally, modulo the checks that pkttyagent itself does to make sure it does not fail, was not going to be an issue turned out to be wrong. Adding back the original check for stdin being a tty helps in some testing scenarios as reported by Jim Fehlig and does not really cause any issues. I originally wanted it in because it also made pkttyagent auth work with redirected input into virsh (with a connection that requires polkit authentication and without a session-wide polkit tty agent, basically making pkttyagent necessary to succeed). But anyone running virsh like that is asking for problems already anyway =) Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
https://bugzilla.novell.com/show_bug.cgi?id=879425 References: bsc#879425 Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Add support in the libxl driver for the BlockResize API. Use libxl's libxl_qemu_monitor_command API to issue the block_resize command to qemu. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
This patch contains SUSE-specific adjustments to the upstream qemu.conf configuration file. In the future, it might make sense to separate these changes into individual patches (e.g. suse-qemu-conf-secdriver.patch, suse-qemu-conf-lockmgr.patch, etc.), but for now they are all lumped together in this single patch. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Note: SLE15 SP2 and newer support automatic firmware selection. Firmwares advertised and used by libvirt are automatically detected. Until upstream removes the old DEFAULT_LOADER_NVRAM approach and associated code, this patch will stay. Note2: This patch needed adjustment on Dec 3, 2024 to fix some test failures that started occurring after commit 366907e. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Add a hack to the libvirt libxl driver to set libxl_device_disk->script when the disk configuration starts with some well-known Xen external block scripts: dmmd, drbd, and npiv. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Not sure who added this patch. See bug#904426 for possible suspects. References: bsc#904426
Originally authored by mt@suse.de
As per http://www.redhat.com/archives/libvir-list/2013-July/msg01279.html, wait for udev events to be handled after removing a virtual NIC. Any udev rule associated with NIC destroy could happen to run with a new device with the same name that is being created. From: <cbosdonnat@suse.com>
Xen 4.12 introduced a CONFIG_DOM0_MEM option, which our xen package uses to configure dom0 with a sensible initial memory value and disables autoballooning. This patch changes libvirt to also disable autoballooning by default. It can only be enabled with the 'autoballoon' setting in libxl.conf. See jsc#SLE-3059 for more details. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
The libxl driver trivially supports firmware autoselection since as of June 2021 ovmf only supports one firmware for Xen. This patch adjusts the firmware path to match the one provided by the ovmf package. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
From <cbosdonnat@suse.com>
…groups In an environment with hybrid cgroups and systemd the v2 backend is not available. This causes a few checks to fail during container initialization. To work around this we retrieve the lxc control process child process pid (the process that is registered with machined) and perform the checks using that pid. Signed-off-by: Eric van Blokland <mail@ericvanblokland.nl>
Remove unneeded use of ldconfig.
libvirt_sysconfig_{pre,posttrans} macros are noops on SUSE distros
since files in /etc/sysconfig/ are not owned by rpm.
Remove libvirt-daemon-common dependency from libvirt-daemon-{qemu,xen,lxc,vbox}.
They require libvirt-daemon-driver-{qemu,libxl,lxc,vbox}, which already
requires libvirt-daemon-common.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
… upgrade The apparmor profiles for the various libvirt daemons are marked as 'config(noreplace)', meaning the files are not replaced on package upgrade if local modifications exist. But profiles in the new package might contain important updates, e.g. allowing a new syscall used by qemu. Change the spec file to replace /etc/apparmor.d/<libvirt-profile> on package upgrade. Local customizations are supported in /etc/apparmor.d/local/<libvirt-profile>. References: bsc#1211472 Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Improve the supportconfig plugin to cope better with modular daemons. Also remove collection of lxc related configuration and files since it's no longer supported. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
…ckages Commit da0f076 moved the qemu and lxc abstractions and templates to their respective subpackages. virt-aa-helper was left in the libvirt-daemon-common package since it's used by both the qemu and lxc drivers. But the apparmor probe function AppArmorSecurityManagerProbe is currently hard-coded to check if the abstraction and template files exist, returning SECURITY_DRIVER_DISABLE if not found. Move the files back to libvirt-daemon-common until the probe function can be fixed to conditionally check for them. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
There's no need to clutter the filesystem with empty files. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
This partially reverts commit a788974. Replacing the profiles on package upgrade can overwrite changes made by apparmor tools such as aa-logprof. Until the apparmor tools are changed to work with local, site-specific profiles instead of the distro provided ones, we'll need to honor the local changes and not overwrite them on package upgrade. Unfortunately it means the site admin will need to merge any changes to the locally modified profiles. References: bsc#1211472 Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Upstream stopped distributing /etc/apparmor.d/local/* files, so drop them from the files list. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
While at it, follow upstream example and reduce use of with_modular_daemons. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
…libvirtd libvirt socket activation has been around for a long time now. There's no longer a need to handle upgrading from a setup that does not use socket activation. Similar logic was removed in the upstream spec file with commit df1e4e3. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
libvirt is one of the packages dragging Xen into ALP due to the build dependency on xen-devel. Disable builds of the Xen driver when suse_version == 1600. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Instead of a suse_version comparison, use the newly created '%default_firewall_backend' prjconf setting to configure a firewall backend. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
The various libvirt-daemon-<hypervisor> packages 'Require' the nwfilter driver. libvirt-daemon-xen does not support nwfilters, so the requirement can be completely dropped from there. For the others, the dependency can be loosened to 'Recommends', allowing an easy way to install libvirt without libvirt-daemon-driver-nwfilter and its hard iptables dependency. References: boo#1231798 Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Some local offset tests within virtimetest are known to fail when transitioning to a new year. The tests are skipped if the function isNearYearEnd() returns true. This patch extends isNearYearEnd() to return true Dec 31 through Jan 5 localtime. I considered posting this patch upstream, but it appears the failure is rather unique to OBS. One could argue the issue should be investigated and fixed in the build service environment, but in the end it's easier (and safe) to extend the EOY window where the tests are skipped. References: boo#1234995 Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Currently, the hooks package contains only one hook and it's specific to the qemu driver. Change the dependency from libvirt-daemon to libvirt-daemon-driver-qemu. References: bsc#1236378 Signed-off-by: Jim Fehlig <jfehlig@suse.com>
The libvirt LXC driver has been deprecated since SLE15 SP2. It's time to take it a step further and disable building the driver. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Add a note to %description for packages that only define dependencies and contain no files. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
While rebasing the downstream packages for this release, the patch "Disable TLS by default" was dropped. It's no longer needed with systemd socket activation. With SELinux now supported in SUSE distros, the patch "SUSE adjustments to qemu.conf" was tweaked to remove any Apparmor-specific comments. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
References: bsc#1239836 Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
While updating, switch BuildRequires from fuse to fuse3 as requested in boo#1242081. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
The nwfilter driver requires iptables, which is not available in SLFO. There is also a desire to remove iptables from Factory. Let's continue to build the driver, but no longer require/recommend it in the meta subpackages such as libvirt-daemon-qemu. References: jsc#PED-12034, boo#1231798 Signed-off-by: Jim Fehlig <jfehlig@suse.com>
While updating, remove spec file conditionals for older distros that are no longer supported. E.g. 'suse_version >= 1550' and 'sle_version >= 150300'. References: boo#1243740 References: bsc#1241481 Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Downstream patch that uses /usr/sbin/numa-preplace instead of the old, deprecated /usr/sbin/numad. numa-preplace is used to retrieve numa placement advice based on the number of vcpus and memory configured for a VM. If the VM requests memory backed by huge pages, the requested page size is also provided to numa-preplace using the '-H' option. The spec file has also been updated to only build numa auto-placement support on aarch64, power64 and x86_64, and to switch the package dependency from numad to numa-preplace. References: bsc#1242979 Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
This reverts commit c2c165e. SLE15 family has older libattr-2.4.47 without a pkg-config file. Retain checking for libattr using meson's cc.find_library() check. Signed-off-by: Jim Fehlig <jfehlig@suse.com>
…#1242998)
Set virt_hooks_unconfined boolean to true in libvirt-daemon-hooks
%post script (see comment 13 in bsc#1242998).
The goal is that the virt_hook_unconfined selinux boolean is
set during installation so that when libvirt-daemon-driver-qemu
calls a hook, it transition into the right domain.
Additional notes:
Currently, libvirt-daemon-hooks package is not installed by default.
Users would only see those audit log entries when knowingly
installing the hooks package.
Without this, currently there is no real breakage
since the selinux domain for libvirt-daemon-driver-qemu is in
permissive mode. The goal by selinux upstream is to set the
domain into enforcing in the future though.
In case this causes issues, there is also the option
to revert this commit and set the boolean for all systems
in the selinux-policy instead.
Addresses:
----
time->Mon Jun 2 09:39:32 2025
type=AVC msg=audit(1748867972.300:372): avc: denied { execute } for pid=3056 comm="rpc-virtqemud" name="qemu" dev="overlay" ino=55542 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_hook_t:s0 tclass=file permissive=1
----
time->Mon Jun 2 09:39:32 2025
type=AVC msg=audit(1748867972.300:373): avc: denied { execute_no_trans } for pid=3056 comm="rpc-virtqemud" path="/etc/libvirt/hooks/qemu" dev="overlay" ino=55542 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_hook_t:s0 tclass=file permissive=1
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
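As an added example (not part of the commit above or of libvirt's code), the following Python parses AVC records like the two quoted in the commit message, groups them by source type, target type and object class, and flags records carrying permissive=1, which succeed today but would become hard denials once the virtqemud_t domain is switched to enforcing. The helper names (parse_avc, summarise, enforcing_risks, allow_rule) are this example's own. The allow rule it prints is what audit2allow would propose for the same records and is shown only for comparison; the commit takes the policy-boolean route instead of adding a rule.

```python
"""Parse SELinux AVC denial records and summarise them by type pair.

Added example for this page, not part of the libvirt commit or the SUSE
packaging. SAMPLE holds the two records quoted in the commit message above.
"""
import re
from collections import defaultdict

# type=AVC msg=audit(<secs>.<ms>:<serial>): avc: denied { <perms> } for <k=v ...>
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for (?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE = """\
type=AVC msg=audit(1748867972.300:372): avc: denied { execute } for pid=3056 comm="rpc-virtqemud" name="qemu" dev="overlay" ino=55542 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_hook_t:s0 tclass=file permissive=1
type=AVC msg=audit(1748867972.300:373): avc: denied { execute_no_trans } for pid=3056 comm="rpc-virtqemud" path="/etc/libvirt/hooks/qemu" dev="overlay" ino=55542 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_hook_t:s0 tclass=file permissive=1
"""


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m["ts"]),
        "serial": int(m["serial"]),
        "perms": set(m["perms"].split()),
    }
    for key, val in FIELD_RE.findall(m["fields"]):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is the third component.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=1 means the access was allowed but logged: it would be
    # refused outright in enforcing mode.
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def summarise(lines):
    """Group denials by (source type, target type, class); union the perms."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "all_permissive": True})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["count"] += 1
        g["all_permissive"] &= rec["permissive"]
    return dict(groups)


def enforcing_risks(groups):
    """Keys whose every record was permissive: silent today, breakage later."""
    return sorted(k for k, g in groups.items() if g["all_permissive"])


def allow_rule(key, perms):
    """The rule audit2allow would propose for a group (for comparison only)."""
    stype, ttype, tclass = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


if __name__ == "__main__":
    groups = summarise(SAMPLE.splitlines())
    for key in enforcing_risks(groups):
        g = groups[key]
        print(f"{g['count']} permissive denial(s) for {key}")
        # execute_no_trans means the file ran without a domain transition,
        # which is exactly what the boolean in the commit above is meant to fix.
        if "execute_no_trans" in g["perms"]:
            print("  hook executed in the caller's domain (no transition)")
        print("  audit2allow-style rule:", allow_rule(key, g["perms"]))
```

Run it against a saved audit.log instead of SAMPLE to get the same grouping for a real system; only `type=AVC` lines are considered, so the `time->` separators that ausearch emits are skipped.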
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Thank you for your interest in the libvirt project. Since this repository is a read-only mirror of the project's master For main libvirt.git repository all patch review and discussion https://libvirt.org/submitting-patches.html Thank you for your time and understanding.
wrong target branch