author | V3n3RiX <venerix@redcorelinux.org> | 2018-02-15 16:58:00 +0000 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2018-02-15 16:58:00 +0000 |
commit | 434d713861b70f6c6563d6ee50a8e64f14c970d9 (patch) | |
tree | b72c523c72e764420f835ba9d63d43ffef687dcf /app-emulation/libvirt/files | |
parent | f78108598211053d41752a83e0345441bb9014ae (diff) |
gentoo resync : 15.02.2018
Diffstat (limited to 'app-emulation/libvirt/files')
-rw-r--r-- | app-emulation/libvirt/files/libvirt-3.0.0-fix_paths_for_apparmor.patch | 79 | ||||
-rw-r--r-- | app-emulation/libvirt/files/libvirt-3.8.0-CVE-2017-1000256.patch | 74 |
2 files changed, 0 insertions, 153 deletions
diff --git a/app-emulation/libvirt/files/libvirt-3.0.0-fix_paths_for_apparmor.patch b/app-emulation/libvirt/files/libvirt-3.0.0-fix_paths_for_apparmor.patch
deleted file mode 100644
index c9c7eb6ad49f..000000000000
--- a/app-emulation/libvirt/files/libvirt-3.0.0-fix_paths_for_apparmor.patch
+++ /dev/null
@@ -1,79 +0,0 @@ -From baad1483ed0a699509f66abac6708797f370f888 Mon Sep 17 00:00:00 2001 -From: Matthias Maier <tamiko@kyomu.43-1.org> -Date: Sun, 22 Jan 2017 09:07:57 -0600 -Subject: [PATCH] Update paths to Gentoo layout - ---- - examples/Makefile.am | 4 ++-- - .../{usr.lib.libvirt.virt-aa-helper => usr.libexec.virt-aa-helper} | 4 ++-- - examples/apparmor/usr.sbin.libvirtd | 6 ++++-- - 3 files changed, 8 insertions(+), 6 deletions(-) - rename examples/apparmor/{usr.lib.libvirt.virt-aa-helper => usr.libexec.virt-aa-helper} (90%) - -diff --git a/examples/Makefile.am b/examples/Makefile.am -index 2956e14..d81e34b 100644 ---- a/examples/Makefile.am -+++ b/examples/Makefile.am -@@ -23,7 +23,7 @@ EXTRA_DIST = \ - apparmor/TEMPLATE.lxc \ - apparmor/libvirt-qemu \ - apparmor/libvirt-lxc \ -- apparmor/usr.lib.libvirt.virt-aa-helper \ -+ apparmor/usr.libexec.virt-aa-helper \ - apparmor/usr.sbin.libvirtd \ - lxcconvert/virt-lxc-convert \ - polkit/libvirt-acl.rules \ -@@ -70,7 +70,7 @@ admin_logging_SOURCES = admin/logging.c - if WITH_APPARMOR_PROFILES - apparmordir = $(sysconfdir)/apparmor.d/ - apparmor_DATA = \ -- apparmor/usr.lib.libvirt.virt-aa-helper \ -+ apparmor/usr.libexec.virt-aa-helper \ - apparmor/usr.sbin.libvirtd \ - $(NULL) - -diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.libexec.virt-aa-helper -similarity index 90% -rename from examples/apparmor/usr.lib.libvirt.virt-aa-helper -rename to examples/apparmor/usr.libexec.virt-aa-helper -index 4a8f197..a6072f1 100644 ---- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper -+++ b/examples/apparmor/usr.libexec.virt-aa-helper -@@ -1,7 +1,7 @@ - # Last Modified: Mon Apr 5 15:10:27 2010 - #include <tunables/global> - --profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { -+profile virt-aa-helper /usr/libexec/virt-aa-helper { - #include <abstractions/base> - - # needed for searching directories -@@ -20,7 +20,7 @@ profile virt-aa-helper 
/usr/{lib,lib64}/libvirt/virt-aa-helper { - /sys/devices/ r, - /sys/devices/** r, - -- /usr/{lib,lib64}/libvirt/virt-aa-helper mr, -+ /usr/libexec/virt-aa-helper mr, - /{usr/,}sbin/apparmor_parser Ux, - - /etc/apparmor.d/libvirt/* r, -diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd -index 8893e75..f0b471c 100644 ---- a/examples/apparmor/usr.sbin.libvirtd -+++ b/examples/apparmor/usr.sbin.libvirtd -@@ -59,8 +59,10 @@ - audit deny /sys/kernel/security/apparmor/.* rwxl, - /sys/kernel/security/apparmor/profiles r, - /usr/{lib,lib64}/libvirt/* PUxr, -- /usr/{lib,lib64}/libvirt/libvirt_parthelper ix, -- /usr/{lib,lib64}/libvirt/libvirt_iohelper ix, -+ /usr/libexec/virt-aa-helper PUxr, -+ /usr/libexec/libvirt_lxc PUxr, -+ /usr/libexec/libvirt_parthelper ix, -+ /usr/libexec/libvirt_iohelper ix, - /etc/libvirt/hooks/** rmix, - /etc/xen/scripts/** rmix, - --- -2.10.2 - diff --git a/app-emulation/libvirt/files/libvirt-3.8.0-CVE-2017-1000256.patch b/app-emulation/libvirt/files/libvirt-3.8.0-CVE-2017-1000256.patch deleted file mode 100644 index 8c347cd799ad..000000000000 --- a/app-emulation/libvirt/files/libvirt-3.8.0-CVE-2017-1000256.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From 441d3eb6d1be940a67ce45a286602a967601b157 Mon Sep 17 00:00:00 2001 -From: "Daniel P. Berrange" <berrange@redhat.com> -Date: Thu, 5 Oct 2017 17:54:28 +0100 -Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate - -The default_tls_x509_verify (and related) parameters in qemu.conf -control whether the QEMU TLS servers request & verify certificates -from clients. This works as a simple access control system for -servers by requiring the CA to issue certs to permitted clients. -This use of client certificates is disabled by default, since it -requires extra work to issue client certificates. - -Unfortunately the code was using this configuration parameter when -setting up both TLS clients and servers in QEMU. The result was that -TLS clients for character devices and disk devices had verification -turned off, meaning they would ignore errors while validating the -server certificate. - -This allows for trivial MITM attacks between client and server, -as any certificate returned by the attacker will be accepted by -the client. - -This is assigned CVE-2017-1000256 / LSN-2017-0002 - -Reviewed-by: Eric Blake <eblake@redhat.com> -Signed-off-by: Daniel P. Berrange <berrange@redhat.com> ---- - src/qemu/qemu_command.c | 2 +- - tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args | 2 +- - .../qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c -index 46f0bdd18..f68b82d08 100644 ---- a/src/qemu/qemu_command.c -+++ b/src/qemu/qemu_command.c -@@ -721,7 +721,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath, - if (virJSONValueObjectCreate(propsret, - "s:dir", path, - "s:endpoint", (isListen ? "server": "client"), -- "b:verify-peer", verifypeer, -+ "b:verify-peer", (isListen ? 
verifypeer : true), - NULL) < 0) - goto cleanup; - -diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args -index 5aff7734e..ab5f7e27f 100644 ---- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args -+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args -@@ -26,7 +26,7 @@ server,nowait \ - localport=1111 \ - -device isa-serial,chardev=charserial0,id=serial0 \ - -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ --endpoint=client,verify-peer=no \ -+endpoint=client,verify-peer=yes \ - -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ - tls-creds=objcharserial1_tls0 \ - -device isa-serial,chardev=charserial1,id=serial1 \ -diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args -index 91f1fe0cd..2567abbfa 100644 ---- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args -+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args -@@ -31,7 +31,7 @@ localport=1111 \ - data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ - keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ - -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ --endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \ -+endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \ - -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ - tls-creds=objcharserial1_tls0 \ - -device isa-serial,chardev=charserial1,id=serial1 \ --- -2.13.6 - |