patches: Add backport/apparmor-Add-user-session-path-for-PID-and-socket-files-u.patch

Fixes use of passt with qemu:///session and AppArmor enabled. Closes: #1061678

patches: Add backport/apparmor-Add-user-session-path-for-PID-and-socket-files-u.patch
aa930a34 · Andrea Bolognani · 9a4ad478 · aa930a34 · aa930a34 · aa930a34
Commit aa930a34 authored 1 year ago by Andrea Bolognani
--- a/debian/patches/backport/apparmor-Add-user-session-path-for-PID-and-socket-files-u.patch
+++ b/debian/patches/backport/apparmor-Add-user-session-path-for-PID-and-socket-files-u.patch
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Tue, 30 Jan 2024 19:15:51 +0100
+Subject: apparmor: Add user session path for PID and socket files used by
+ passt
+Commit 7a39b04d683f ("apparmor: Enable passt support") grants
+passt(1) read-write access to /{,var/}run/libvirt/qemu/passt/* if
+started by the libvirt daemon. That's the path where passt creates
+PID and socket files only if the guest is started by the root user.
+If the guest is started by another user, though, the path is more
+commonly /var/run/user/$UID/libvirt/qemu/run/passt: add it as
+read-write location. Otherwise, passt won't be able to start, as
+reported by Andreas.
+While at it, replace /{,var/}run/ in the existing rule by its
+corresponding tunable variable, @{run}.
+Fixes: 7a39b04d683f ("apparmor: Enable passt support")
+Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061678
+Reported-by: Andreas B. Mundt <andi@debian.org>
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Reviewed-by: Andrea Bolognani <abologna@redhat.com>
+Reviewed-by: Jim Fehlig <jfehlig@suse.com>
+(cherry picked from commit f95675fdbb42eee07fc4864d7c135dcb8b00c3a9)
+Forwarded: not-needed
+Origin: https://gitlab.com/libvirt/libvirt/-/commit/f95675fdbb42eee07fc4864d7c135dcb8b00c3a9
+---
+ src/security/apparmor/libvirt-qemu.in | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in
+index f40f471..8b92915 100644
+--- a/src/security/apparmor/libvirt-qemu.in
+++ b/src/security/apparmor/libvirt-qemu.in
+@@ -196,7 +196,8 @@
+     signal (receive) set=("term") peer=libvirtd,
+     signal (receive) set=("term") peer=virtqemud,
+-    owner /{,var/}run/libvirt/qemu/passt/* rw,
+    owner @{run}/user/[0-9]*/libvirt/qemu/run/passt/* rw,
+    owner @{run}/libvirt/qemu/passt/* rw,
+     include if exists <abstractions/passt>
+   }
--- a/debian/patches/debian/apparmor_profiles_local_include.patch
+++ b/debian/patches/debian/apparmor_profiles_local_include.patch
@@ -27,10 +27,10 @@ index ffe4d8f..2973b00 100644
 +  include if exists <local/abstractions/libvirt-lxc>
 @END_APPARMOR_3@
 diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in
-index f40f471..a39ec62 100644
+index 8b92915..3a6b964 100644
 --- a/src/security/apparmor/libvirt-qemu.in
 +++ b/src/security/apparmor/libvirt-qemu.in
-@@ -277,4 +277,11 @@
+@@ -278,4 +278,11 @@
 @BEGIN_APPARMOR_3@
   include if exists <abstractions/libvirt-qemu.d>

--- a/debian/patches/series
+++ b/debian/patches/series
 backport/scripts-Make-check-symfile.py-work-on-alpha.patch
+backport/apparmor-Add-user-session-path-for-PID-and-socket-files-u.patch
 forward/Reduce-udevadm-settle-timeout-to-10-seconds.patch
 debian/Debianize-libvirt-guests.patch
 debian/apparmor_profiles_local_include.patch