[libvirt] [PATCH 1/4] security, apparmor: implement domainSetPathLabel

Christian Ehrhardt christian.ehrhardt at canonical.com
Wed Jan 3 17:00:17 UTC 2018


This came up in discussions around huge pages, but it will cover
more per-guest paths that should be added to the guest's AppArmor profile:
 - keys via qemuDomainWriteMasterKeyFile
 - per domain dirs via qemuProcessMakeDir
 - memory backing paths via qemuProcessBuildDestroyMemoryPathsImpl

Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
---
 src/security/security_apparmor.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 1db94c6..dcd6f52 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -953,6 +953,13 @@ AppArmorSetSavedStateLabel(virSecurityManagerPtr mgr,
     return reload_profile(mgr, def, savefile, true);
 }
 
+static int
+AppArmorSetPathLabel(virSecurityManagerPtr mgr,
+                           virDomainDefPtr def,
+                           const char *path)
+{
+    return reload_profile(mgr, def, path, true);
+}
 
 static int
 AppArmorRestoreSavedStateLabel(virSecurityManagerPtr mgr,
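Review bot: AppArmorSetPathLabel() hands path to reload_profile() with the same arguments AppArmorSetSavedStateLabel() uses for a single save file, yet the commit message says callers will also pass per-domain directories and memory backing paths. Please add a comment above the function stating what access the guest profile is expected to gain for path, and whether a directory path is meant to cover the files created inside it or only the directory entry itself; if the latter, the directory case needs explicit handling here. Style nit in the same hunk: the continuation lines "virDomainDefPtr def," and "const char *path)" are indented past the opening parenthesis of AppArmorSetPathLabel( and should line up with the first parameter.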
@@ -1045,6 +1052,8 @@ virSecurityDriver virAppArmorSecurityDriver = {
     .domainSetSavedStateLabel           = AppArmorSetSavedStateLabel,
     .domainRestoreSavedStateLabel       = AppArmorRestoreSavedStateLabel,
 
+    .domainSetPathLabel                 = AppArmorSetPathLabel,
+
     .domainSetSecurityImageFDLabel      = AppArmorSetFDLabel,
     .domainSetSecurityTapFDLabel        = AppArmorSetFDLabel,
 
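Review bot: the new .domainSetPathLabel entry has no restore counterpart beside it, unlike the .domainSetSavedStateLabel / .domainRestoreSavedStateLabel pair directly above. If the paths added through this callback are meant to stay in the guest's profile until the domain is torn down, say so in the commit message so a reader of the driver table does not assume a missing hook; if they should be dropped earlier (for example when a memory backing path is destroyed), that removal path needs to be part of the series.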
-- 
2.7.4
