replace patches for pki and pygrub with clean upstream backports

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

replace patches for pki and pygrub with clean upstream backports
c12faf12 · Christian Ehrhardt · 92acaf68 · c12faf12 · c12faf12 · c12faf12
Verified Commit c12faf12 authored 4 years ago by Christian Ehrhardt
--- a/debian/patches/forward/Include-etc-pki-qemu-in-apparmor.patch
+++ b/debian/patches/forward/Include-etc-pki-qemu-in-apparmor.patch
 From: Sam Hartman <hartmans@debian.org>
-Date: Tue, 18 Jun 2019 09:02:09 -0400
-Subject: Include /etc/pki/qemu in apparmor
+Date: Mon, 3 Aug 2020 12:08:41 +0200
+Subject: apparmor: allow default pki path

-We already permit /etc/pki/libvirt-{spice,vnc} to be read in the
-apparmor profile.  However the default tls directory in qemu.conf that
-we ship is /etc/pki/qemu.  So permit that as well.
+/etc/pki/qemu is a pki path recommended by qemu tls docs [1]
+and one that can cause issues with spice connections when missing.

-Closes: #930100
+Add the path to the allowed list of pki paths to fix the issue.
+
+Note: this is active in Debian/Ubuntu [1] for quite a while already.
+
+[1]: https://www.qemu.org/docs/master/system/tls.html
+[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930100
+
+Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
+Reviewed-by: Andrea Bolognani <abologna@redhat.com>
+Acked-by: Jamie Strandboge <jamie@canonical.com>
+(cherry picked from commit 155d4fe3fa8b2115003973f692512a7007ab9264)
 ---
 src/security/apparmor/libvirt-qemu | 2 ++
 1 file changed, 2 insertions(+)

--- a/debian/patches/forward/apparmor-Allow-run-pygrub.patch
+++ b/debian/patches/forward/apparmor-Allow-run-pygrub.patch
-From: Tobias Wolter <towo@b1-systems.de>
-Date: Wed, 21 Aug 2019 10:27:05 +0200
-Subject: apparmor: Allow run pygrub
+From: Stefan Bader <stefan.bader@canonical.com>
+Date: Mon, 3 Aug 2020 12:21:23 +0200
+Subject: apparmor: allow libvirtd to call pygrub

+When using xen through libxl in Debian/Ubuntu it needs to be able to
+call pygrub.
+
+This is placed in a versioned path like /usr/lib/xen-4.11/bin.
+In theory the rule could be more strict by rendering the libexec_dir
+setting pkg-config can derive from libbxen-dev. But that would make
+particular libvirt/xen packages version-depend on each other. It seems
+more reasonable to avoid these versioned dependencies and use a wildcard
+rule instead as it is already in place for libxl-save-helper.
+
+Note: This change was in Debian [1] and Ubuntu [2] for quite some time
+already.
+
+[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931768
+[2]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1326003
+
+Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
+Reviewed-by: Andrea Bolognani <abologna@redhat.com>
+Acked-by: Jamie Strandboge <jamie@canonical.com>
+(cherry picked from commit 8b6ee1afdb664ef5d90e1a92b69fc9f2f9221090)
 ---
 src/security/apparmor/usr.sbin.libvirtd.in | 1 +
 1 file changed, 1 insertion(+)

 diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
-index 1e13703..d7c0539 100644
+index 1e13703..312fa4b 100644
 --- a/src/security/apparmor/usr.sbin.libvirtd.in
 +++ b/src/security/apparmor/usr.sbin.libvirtd.in
-@@ -87,6 +87,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
+@@ -86,6 +86,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
+   /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
   /usr/{lib,lib64}/xen/bin/* Ux,
   /usr/lib/xen-*/bin/libxl-save-helper PUx,
-   /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
 +  /usr/lib/xen-*/bin/pygrub PUx,
+   /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
 
   # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
-   # read and run an ebtables script.
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,11 +2,11 @@ backport/virdevmapper-Don-t-cache-device-mapper-major.patch
 backport/virdevmapper-Handle-kernel-without-device-mapper-support.patch
 backport/virdevmapper-Ignore-all-errors-when-opening-dev-mapper-co.patch
 backport/tools-fix-libvirt-guests.sh-text-assignments.patch
+backport/apparmor-allow-default-pki-path.patch
+backport/apparmor-allow-libvirtd-to-call-pygrub.patch
 forward/Skip-vircgrouptest.patch
 forward/Reduce-udevadm-settle-timeout-to-10-seconds.patch
 forward/Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
-forward/Include-etc-pki-qemu-in-apparmor.patch
-forward/apparmor-Allow-run-pygrub.patch
 debian/Debianize-libvirt-guests.patch
 debian/Debianize-systemd-service-files.patch
 debian/Debianize-virtlockd.patch