[libvirt] [PATCH] 1/1: implement usb and pci hot attach in AppArmor driver

Jamie Strandboge jamie at canonical.com
Thu Sep 23 22:23:46 UTC 2010


The AppArmor security driver has partial support for hostdev devices in
that if they already exist in the XML, virt-aa-helper can find them and
add them to the profile. Hot attach does not work [1] because
AppArmorSetSecurityHostdevLabel and AppArmorRestoreSecurityHostdevLabel
are not currently implemented. From the patch description:

Implement AppArmorSetSecurityHostdevLabel() and
AppArmorRestoreSecurityHostdevLabel() for hostdev and pcidev attach.
virt-aa-helper also has to be adjusted because *FileIterate() is used
for pci and usb devices and the corresponding XML for hot attached
hostdev and pcidev is not in the XML passed to virt-aa-helper. The new
'-F filename' option is added to append a rule to the profile as opposed
to the existing '-f filename', which rewrites the libvirt-<uuid>.files
file anew. This new '-F' option will append a rule to an existing
libvirt-<uuid>.files if it exists, otherwise it acts the same as '-f'.

load_profile() and reload_profile() have been adjusted to add an
'append' argument, which when true will use '-F' instead of '-f' when
executing virt-aa-helper.

All existing calls to load_profile() and reload_profile() have been
adjusted to use the old behavior (i.e. append==false) except
AppArmorSetSavedStateLabel(), where it made sense to use the new
behavior.

This patch also adds tests for '-F'.

The tests still use the old convention of cat with sed that Eric Blake
mentioned should be improved; I will be submitting another patch for
this. This patch compiles fine with --enable-compile-warnings=error,
passes the parts of 'make check' that this patch touches (i.e., the
daemon-conf fails here, but it always fails for me) and passes
'syntax-check'.

Jamie

[1]https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/640993

-- 
Jamie Strandboge             | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-apparmor-hostdev.patch
Type: text/x-patch
Size: 19552 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20100923/64d372ac/attachment-0001.bin>
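Worked example of the '-f' (rewrite) versus '-F' (append) handling of libvirt-<uuid>.files described in the mail, added here as an illustration and not taken from the patch or from virt-aa-helper itself; the rule text, the target directory and the device paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the patch): models the '-f' (rewrite) versus
# '-F' (append) handling of libvirt-<uuid>.files described in the mail.
set -e

# Stand-in for /etc/apparmor.d/libvirt (assumed); a temp dir keeps this runnable anywhere.
AA_DIR="${AA_DIR:-$(mktemp -d)}"

# Rule a hostdev needs: read/write access to its device node (assumed rule format).
hostdev_rule() {
    printf '  "%s" rw,\n' "$1"
}

# write_files MODE UUID PATH...
#   MODE = f : rewrite libvirt-<uuid>.files anew with rules for every PATH
#   MODE = F : append a rule per PATH if the file exists; otherwise behave like f
write_files() {
    mode="$1"; uuid="$2"; shift 2
    file="$AA_DIR/libvirt-$uuid.files"
    if [ "$mode" = "F" ] && [ -f "$file" ]; then
        for p in "$@"; do
            # skip rules already present so repeated hot attaches do not pile up duplicates
            grep -qF "\"$p\"" "$file" || hostdev_rule "$p" >> "$file"
        done
    else
        # '-f', or '-F' without an existing file: start from scratch
        : > "$file"
        for p in "$@"; do hostdev_rule "$p" >> "$file"; done
    fi
}

# Number of device rules currently in the profile's .files list.
rule_count() {
    grep -c ' rw,$' "$AA_DIR/libvirt-$1.files"
}

# Walk through a guest's lifetime: initial profile, two hot attaches, then a cold regenerate.
demo() {
    uuid="00000000-0000-0000-0000-000000000001"   # constructed UUID
    write_files f "$uuid" /dev/bus/usb/001/002     # profile generated at guest start: 1 rule
    write_files F "$uuid" /dev/bus/usb/001/003     # hot attach appends: 2 rules
    write_files F "$uuid" /dev/bus/usb/001/003     # same device again: still 2 rules
    write_files f "$uuid" /dev/bus/usb/001/002     # '-f' rewrites from the XML: back to 1 rule
    cat "$AA_DIR/libvirt-$uuid.files"
}

demo
```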