[libvirt] [PATCH 1/1] apparmor: allow tunnelled migrations.
Jamie Strandboge
jamie at canonical.com
Fri Dec 2 19:33:24 UTC 2011
On Fri, 2011-12-02 at 13:10 -0600, Serge Hallyn wrote:
> The pathname for the pipe for tunnelled migration is unresolvable. The
> libvirt apparmor driver therefore refuses access, causing migration to
> fail. If we can't resolve the path, the worst that can happen is that
> we should have given permission to the file but didn't. Otherwise
> (especially since this is a /proc/$$/fd/N file) the file is already open
> and libvirt won't be refused access by apparmor anyway.
>
> Also adjust virt-aa-helper to allow access to the
> *.tunnelmigrate.dest.name files.
>
> Changelog: Dec 2: per jdstrand comment, also change the Error to a VIR_WARN.
>
> For more information, see https://launchpad.net/bugs/869553.
>
> Signed-off-by: Serge Hallyn <serge.hallyn at canonical.com>
> ---
> src/security/security_apparmor.c | 6 +++---
> src/security/virt-aa-helper.c | 4 ++++
> 2 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
> index 299dcc6..5e68da8 100644
> --- a/src/security/security_apparmor.c
> +++ b/src/security/security_apparmor.c
> @@ -791,9 +791,9 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
> }
>
> if (virFileResolveLink(proc, &fd_path) < 0) {
> - virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
> - "%s", _("could not find path for descriptor"));
> - return rc;
> + /* it's a deleted file, presumably. Ignore? */
> + VIR_WARN("could not find path for descriptor %s, skipping", proc);
> + return 0;
> }
>
> return reload_profile(mgr, vm, fd_path, true);
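Review bot: In AppArmorSetImageFDLabel, the `< 0` branch now returns 0 for every failure of virFileResolveLink, not only the unresolvable tunnelled-migration pipe that the commit message describes, so any other resolution failure is also skipped with just a warning. The new comment ("it's a deleted file, presumably. Ignore?") reads as an open question rather than a decision. Suggest replacing it with the rationale from the commit message (the descriptor is already open, so AppArmor will not refuse access to it), and including the failure reason in the VIR_WARN so a skipped relabel can be diagnosed from the log.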
ACK
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index 14399cc..4561bb9 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -1220,6 +1220,10 @@ main(int argc, char **argv)
> LOCALSTATEDIR, ctl->def->name);
> virBufferAsprintf(&buf, " \"/run/libvirt/**/%s.pid\" rwk,\n",
> ctl->def->name);
> + virBufferAsprintf(&buf, " \"%s/run/libvirt/**/*.tunnelmigrate.dest.%s\" rw,\n",
> + LOCALSTATEDIR, ctl->def->name);
> + virBufferAsprintf(&buf, " \"/run/libvirt/**/*.tunnelmigrate.dest.%s\" rw,\n",
> + ctl->def->name);
> if (ctl->files)
> virBufferAdd(&buf, ctl->files, -1);
> }
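Review bot: The two added rules in main() begin the file name with a `*` wildcard on top of the `**` directory glob, so the profile grants rw on any file under /run/libvirt whose name ends in `.tunnelmigrate.dest.<name>`, whatever precedes it. If the part before `.tunnelmigrate.dest.` has a known form, spell it out in the rule instead of using `*`. A one-line comment above the pair saying that these are the tunnelled migration destination files would also help, since the surrounding rules are not self-explanatory. As with the existing `.pid` rule, ctl->def->name is formatted straight into the quoted rule text, and nothing in this hunk shows it being checked for glob or quote characters.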
ACK
--
Jamie Strandboge | http://www.canonical.com