[libvirt] [PATCH] apparmor: differentiate between error and unconfined profiles

Cédric Bosdonnat cbosdonnat at suse.com
Tue Oct 6 09:16:16 UTC 2015


The profile_status function did not distinguish between error
cases and unconfined profiles. The problem with this approach is that
dominfo was throwing an error on unconfined domains.
---
 src/security/security_apparmor.c | 30 +++++++++++++++++++++---------
 1 file changed, 21 insertions(+), 9 deletions(-)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 16b8f87..2cf333d 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -66,10 +66,11 @@ struct SDPDOP {
 };
 
 /*
- * profile_status returns '-1' on error, '0' if loaded
+ * profile_status returns '-2' on error, '-1' if not loaded, '0' if loaded
  *
- * If check_enforcing is set to '1', then returns '-1' on error, '0' if
- * loaded in complain mode, and '1' if loaded in enforcing mode.
+ * If check_enforcing is set to '1', then returns '-2' on error, '-1' if
+ * not loaded, '0' if loaded in complain mode, and '1' if loaded in
+ * enforcing mode.
  */
 static int
 profile_status(const char *str, const int check_enforcing)
@@ -77,7 +78,7 @@ profile_status(const char *str, const int check_enforcing)
     char *content = NULL;
     char *tmp = NULL;
     char *etmp = NULL;
-    int rc = -1;
+    int rc = -2;
 
     /* create string that is '<str> \0' for accurate matching */
     if (virAsprintf(&tmp, "%s ", str) == -1)
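Review bot: The four return values -2/-1/0/1 that `int rc = -2;` now takes part in are bare magic numbers that every caller has to decode by hand (`status < -1`, `status == -1` and `rc < 0` in the later hunks); named constants, e.g. an enum with values such as PROFILE_STATUS_ERROR, PROFILE_STATUS_NOT_LOADED, PROFILE_STATUS_COMPLAIN and PROFILE_STATUS_ENFORCING, would make those comparisons self-describing and keep the header comment from drifting from the code. The same applies to the `else rc = -1; /* return -1 if not loaded */` added in the next hunk, where the trailing comment only restates the assignment. profile_status's body continues outside this hunk.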
@@ -100,6 +101,8 @@ profile_status(const char *str, const int check_enforcing)
 
     if (strstr(content, tmp) != NULL)
         rc = 0;
+    else
+        rc = -1; /* return -1 if not loaded */
     if (check_enforcing != 0) {
         if (rc == 0 && strstr(content, etmp) != NULL)
             rc = 1;                 /* return '1' if loaded and enforcing */
@@ -262,6 +265,9 @@ use_apparmor(void)
         goto cleanup;
 
     rc = profile_status(libvirt_daemon, 1);
+    /* Error or unconfined should all result in -1*/
+    if (rc < 0)
+        rc = -1;
 
  cleanup:
     VIR_FREE(libvirt_daemon);
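Review bot: The added comment `/* Error or unconfined should all result in -1*/` is missing a space before the closing delimiter and says "unconfined" where profile_status's own header calls the -1 case "not loaded", which makes the two pieces of documentation harder to match up. Since folding -2 into -1 here is presumably what keeps use_apparmor's result unchanged for its existing callers, a comment that says so is more useful, e.g. `/* callers of use_apparmor only need usable vs. not: fold error (-2) and not loaded (-1) into -1 */`. use_apparmor's body continues outside the hunk.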
@@ -517,23 +523,29 @@ AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                 virSecurityLabelPtr sec)
 {
     int rc = -1;
+    int status;
     char *profile_name = NULL;
 
     if ((profile_name = get_profile_name(def)) == NULL)
         return rc;
 
-    if (virStrcpy(sec->label, profile_name,
-        VIR_SECURITY_LABEL_BUFLEN) == NULL) {
+    status = profile_status(profile_name, 1);
+    if (status < -1) {
         virReportError(VIR_ERR_INTERNAL_ERROR,
-                       "%s", _("error copying profile name"));
+                       "%s", _("error getting profile status"));
         goto cleanup;
+    } else if (status == -1) {
+        profile_name[0] = '\0';
     }
 
-    if ((sec->enforcing = profile_status(profile_name, 1)) < 0) {
+    if (virStrcpy(sec->label, profile_name,
+        VIR_SECURITY_LABEL_BUFLEN) == NULL) {
         virReportError(VIR_ERR_INTERNAL_ERROR,
-                       "%s", _("error calling profile_status()"));
+                       "%s", _("error copying profile name"));
         goto cleanup;
     }
+
+    sec->enforcing = status == 1;
     rc = 0;
 
  cleanup:
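Review bot: The `status == -1` branch truncates the heap string returned by get_profile_name() in place to produce an empty label, which works only because cleanup frees it afterwards, and the intent — an unconfined domain is now reported as success with an empty `sec->label` and `enforcing` 0 instead of an error — is visible only in the commit message; the branch deserves a comment such as `/* not loaded: report an empty label so callers can tell unconfined from error */`, and the function header should state this result for callers. `sec->enforcing = status == 1;` is correct by precedence but reads better as `sec->enforcing = (status == 1);`. The function's cleanup and return lie outside the hunk.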
-- 
2.1.4



