[libvirt] [patch 1/1] virt-aa-helper: Add support for smartcard host-certificates

Arnaud Patard apatard at hupstream.com
Thu Oct 24 08:57:26 UTC 2019


When emulating a smartcard with host certificates, qemu needs to
be able to read the certificate files, which is denied by apparmor.
Add the necessary code to add the smartcard certificate-related directory
to the apparmor profile.

This code supports only this case; the smartcard 'host' and 'passthrough'
settings are not supported, as I can't test them.

Signed-off-by: Arnaud Patard <apatard at hupstream.com>
Index: libvirt-5.0.0/src/security/virt-aa-helper.c
===================================================================
--- libvirt-5.0.0.orig/src/security/virt-aa-helper.c
+++ libvirt-5.0.0/src/security/virt-aa-helper.c
@@ -1251,6 +1251,26 @@ get_files(vahControl * ctl)
         }
     }
 
+    for (i = 0; i < ctl->def->nsmartcards; i++) {
+        virDomainSmartcardDefPtr sc = ctl->def->smartcards[i];
+        virDomainSmartcardType sc_type = sc->type;
+        char *sc_db = (char *)VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
+        if (sc->data.cert.database)
+            sc_db = sc->data.cert.database;
+        switch(sc_type) {
+            case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
+                break;
+            case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
+                virBufferAsprintf(&buf, "  \"%s/\" rk,\n", sc_db);
+                virBufferAsprintf(&buf, "  \"%s/*\" rk,\n", sc_db);
+                break;
+            case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
+                break;
+            case VIR_DOMAIN_SMARTCARD_TYPE_LAST:
+                break;
+        }
+    }
+
     if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
         for (i = 0; i < ctl->def->nnets; i++) {
             virDomainNetDefPtr net = ctl->def->nets[i];
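
Review bot: In the VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES case, sc_db is formatted directly into the quoted rule by both virBufferAsprintf() calls with no check, so a database value from the domain definition that contains a double quote, a newline or AppArmor glob characters would change what the generated profile allows. Validate or escape the path before emitting it, preferably through whatever path-checking routine the rest of get_files() uses for other domain-supplied paths. Separately, sc->data.cert.database is read at the top of the loop, before the switch has established that the device is of the host-certificates type; move the sc_db lookup inside that case so the cert member is only touched for the type it belongs to. Declaring sc_db as const char * would also remove the need for the (char *) cast on VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE.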




