[libvirt] [PATCH] 5/10 AppArmor driver updates

Laine Stump laine at laine.org
Fri Jun 4 16:15:51 UTC 2010 

Jamie,

Likewise, this patch was ACKed but not pushed. Still okay to push?


On Mon, 2010-04-05 at 16:15 -0500, Jamie Strandboge wrote:
> 
> 5_apparmor-fix-save-restore.patch: refactoring to update AppArmor
> security driver to adjust profile for save/restore[3]

-- 
Jamie Strandboge             | http://www.canonical.com

Author: Jamie Strandboge <jamie canonical com>
Description: update AppArmor security driver to adjust profile for save/restore
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=529363
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/457716

Index: libvirt-0.7.7/src/security/security_apparmor.c
===================================================================
--- libvirt-0.7.7.orig/src/security/security_apparmor.c	2010-03-31 11:20:48.000000000 -0500
+++ libvirt-0.7.7/src/security/security_apparmor.c	2010-03-31 11:31:39.000000000 -0500
@@ -149,7 +149,7 @@
  */
 static int
 load_profile(const char *profile, virDomainObjPtr vm,
-             virDomainDiskDefPtr disk)
+             const char *fn)
 {
     int rc = -1, status, ret;
     bool create = true;
@@ -175,9 +175,9 @@
         };
         ret = virExec(argv, NULL, NULL, &child,
                       pipefd[0], NULL, NULL, VIR_EXEC_NONE);
-    } else if (disk && disk->src) {
+    } else if (fn) {
         const char *const argv[] = {
-            VIRT_AA_HELPER, "-r", "-u", profile, "-f", disk->src, NULL
+            VIRT_AA_HELPER, "-r", "-u", profile, "-f", fn, NULL
         };
         ret = virExec(argv, NULL, NULL, &child,
                       pipefd[0], NULL, NULL, VIR_EXEC_NONE);
@@ -277,6 +277,40 @@
     return rc;
 }
 
+/* reload the profile, adding read/write file specified by fn if it is not
+ * NULL.
+ */
+static int
+reload_profile(virDomainObjPtr vm, const char *fn)
+{
+    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    int rc = -1;
+    char *profile_name = NULL;
+
+    if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
+        return 0;
+
+    if ((profile_name = get_profile_name(vm)) == NULL)
+        return rc;
+
+    /* Update the profile only if it is loaded */
+    if (profile_loaded(secdef->imagelabel) >= 0) {
+        if (load_profile(secdef->imagelabel, vm, fn) < 0) {
+            virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+                                   _("cannot update AppArmor profile "
+                                     "\'%s\'"),
+                                   secdef->imagelabel);
+            goto clean;
+        }
+    }
+
+    rc = 0;
+  clean:
+    VIR_FREE(profile_name);
+
+    return rc;
+}
+
 /* Called on libvirtd startup to see if AppArmor is available */
 static int
 AppArmorSecurityDriverProbe(void)
@@ -377,14 +411,14 @@
 }
 
 static int
-AppArmorSetSecurityAllLabel(virDomainObjPtr vm)
+AppArmorSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path)
 {
     if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
         return 0;
 
     /* if the profile is not already loaded, then load one */
     if (profile_loaded(vm->def->seclabel.label) < 0) {
-        if (load_profile(vm->def->seclabel.label, vm, NULL) < 0) {
+        if (load_profile(vm->def->seclabel.label, vm, stdin_path) < 0) {
             virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                    _("cannot generate AppArmor profile "
                                    "\'%s\'"), vm->def->seclabel.label);
@@ -501,32 +535,7 @@
 AppArmorRestoreSecurityImageLabel(virDomainObjPtr vm,
                                   virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
-    int rc = -1;
-    char *profile_name = NULL;
-
-    if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
-        return 0;
-
-    if ((profile_name = get_profile_name(vm)) == NULL)
-        return rc;
-
-    /* Update the profile only if it is loaded */
-    if (profile_loaded(secdef->imagelabel) >= 0) {
-        if (load_profile(secdef->imagelabel, vm, NULL) < 0) {
-            virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
-                                   _("cannot update AppArmor profile "
-                                     "\'%s\'"),
-                                   secdef->imagelabel);
-            goto clean;
-        }
-    }
-
-    rc = 0;
-  clean:
-    VIR_FREE(profile_name);
-
-    return rc;
+    return reload_profile(vm, NULL);
 }
 
 /* Called when hotplugging */
@@ -556,7 +565,7 @@
 
         /* update the profile only if it is loaded */
         if (profile_loaded(secdef->imagelabel) >= 0) {
-            if (load_profile(secdef->imagelabel, vm, disk) < 0) {
+            if (load_profile(secdef->imagelabel, vm, disk->src) < 0) {
                 virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                      _("cannot update AppArmor profile "
                                      "\'%s\'"),
@@ -623,6 +632,21 @@
     return 0;
 }
 
+static int
+AppArmorSetSavedStateLabel(virDomainObjPtr vm,
+                          const char *savefile)
+{
+    return reload_profile(vm, savefile);
+}
+
+
+static int
+AppArmorRestoreSavedStateLabel(virDomainObjPtr vm,
+                               const char *savefile ATTRIBUTE_UNUSED)
+{
+    return reload_profile(vm, NULL);
+}
+
 virSecurityDriver virAppArmorSecurityDriver = {
     .name = SECURITY_APPARMOR_NAME,
     .probe = AppArmorSecurityDriverProbe,
@@ -639,4 +663,6 @@
     .domainSetSecurityAllLabel = AppArmorSetSecurityAllLabel,
     .domainSetSecurityHostdevLabel = AppArmorSetSecurityHostdevLabel,
     .domainRestoreSecurityHostdevLabel = AppArmorRestoreSecurityHostdevLabel,
+    .domainSetSavedStateLabel = AppArmorSetSavedStateLabel,
+    .domainRestoreSavedStateLabel = AppArmorRestoreSavedStateLabel,
 };

More information about the libvir-list mailing list