[libvirt] [patch 1/1] virt-aa-helper: Add support for smartcard host-certificates

Cole Robinson crobinso at redhat.com
Thu Nov 14 22:29:32 UTC 2019


On 10/24/19 4:57 AM, Arnaud Patard wrote:
> When emulating smartcard with host certificates, qemu needs to
> be able to read the certificates files, which is denied by apparmor.
> Add necessary code to add the smartcard certificates related directory
> to the apparmor profile.
> 
> This code supports only this case; smartcard 'host' and 'passthrough'
> settings are not supported, as I can't test them.
> 
> Signed-off-by: Arnaud Patard <apatard at hupstream.com>
> Index: libvirt-5.0.0/src/security/virt-aa-helper.c
> ===================================================================
> --- libvirt-5.0.0.orig/src/security/virt-aa-helper.c
> +++ libvirt-5.0.0/src/security/virt-aa-helper.c
> @@ -1251,6 +1251,26 @@ get_files(vahControl * ctl)
>          }
>      }
>  
> +    for (i = 0; i < ctl->def->nsmartcards; i++) {
> +        virDomainSmartcardDefPtr sc = ctl->def->smartcards[i];
> +        virDomainSmartcardType sc_type = sc->type;
> +        char *sc_db = (char *)VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
> +        if (sc->data.cert.database)
> +            sc_db = sc->data.cert.database;
> +        switch(sc_type) {

Add a space after 'switch'. 'make syntax-check' will catch this. libvirt
style is typically to not indent the 'case' keyword either, but this
file is inconsistent on that front. With those fixed:

Reviewed-by: Cole Robinson <crobinso at redhat.com>

This matches what is done for the selinux driver AFAICT.

CCing apparmor maintainers, I'll defer to them to commit

- Cole

> +            case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
> +                break;
> +            case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
> +                virBufferAsprintf(&buf, "  \"%s/\" rk,\n", sc_db);
> +                virBufferAsprintf(&buf, "  \"%s/*\" rk,\n", sc_db);
> +                break;
> +            case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
> +                break;
> +            case VIR_DOMAIN_SMARTCARD_TYPE_LAST:
> +                break;
> +        }
> +    }
> +
>      if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
>          for (i = 0; i < ctl->def->nnets; i++) {
>              virDomainNetDefPtr net = ctl->def->nets[i];
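
Review bot: sc_db is formatted into the profile rule with a bare %s in both virBufferAsprintf calls under VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES, so a database path from the domain definition that contains a double quote, a newline or AppArmor glob characters would change what the generated rule grants. Validate or escape the path before formatting it, preferably through whatever path-adding helper the rest of get_files() uses, if there is one. Separately, sc->data.cert.database is read before the switch for every smartcard type although it is only used in the host-certificates case; moving the default/override lookup into that case would also allow sc_db to be declared const char * and the (char *) cast on VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE to be dropped.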