[libvirt] [PATCH] Teach virt-aa-helper to use TEMPLATE.qemu if the domain is kvm or kqemu

Peter Krempa pkrempa at redhat.com
Thu Oct 30 09:47:51 UTC 2014 

On 10/29/14 14:31, Serge Hallyn wrote:
> Quoting Cédric Bosdonnat (cbosdonnat at suse.com):
>> Without this patch, kvm and kqemu domains confined with apparmor can't start
>> due to virt-aa-helper not finding TEMPLATE.kvm or TEMPLATE.kqemu. This patch
>> points all kvm-related drivers to TEMPLATE.qemu.
> 
> D'oh, I dropped the ball here.  I had a patch like this but it seems it never
> made it to the list.
> 
> Thanks, Cédric.
> 
> Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

Thanks for confirming it's the right thing to do with apparmor. I'll
push this patch in a moment. I was about to ACK it but was afraid to do
so as I don't use apparmor actually.

Peter

> 
>>
>> ---
>>  src/security/virt-aa-helper.c | 12 +++++++++++-
>>  1 file changed, 11 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
>> index 9afc8db..6b95fdb 100644
>> --- a/src/security/virt-aa-helper.c
>> +++ b/src/security/virt-aa-helper.c
>> @@ -341,15 +341,25 @@ create_profile(const char *profile, const char *profile_name,
>>      int tlen, plen;
>>      int fd;
>>      int rc = -1;
>> +    const char *driver_name = NULL;
>>  
>>      if (virFileExists(profile)) {
>>          vah_error(NULL, 0, _("profile exists"));
>>          goto end;
>>      }
>>  
>> +    switch (virtType) {
>> +    case VIR_DOMAIN_VIRT_QEMU: 
>> +    case VIR_DOMAIN_VIRT_KQEMU: 
>> +    case VIR_DOMAIN_VIRT_KVM:
>> +        driver_name = "qemu";
>> +        break;
>> +    default:
>> +        driver_name = virDomainVirtTypeToString(virtType);
>> +    }
>>  
>>      if (virAsprintfQuiet(&template, "%s/TEMPLATE.%s", APPARMOR_DIR "/libvirt",
>> -                         virDomainVirtTypeToString(virtType)) < 0) {
>> +                         driver_name) < 0) {
>>          vah_error(NULL, 0, _("template name exceeds maximum length"));
>>          goto end;
>>      }
>> -- 
>> 1.8.4.5
>>
>> --
>> libvir-list mailing list
>> libvir-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/libvir-list
> 
> --
> libvir-list mailing list
> libvir-list at redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20141030/dfefb837/attachment-0001.sig>

More information about the libvir-list mailing list