[libvirt] [PATCHv3 21/26] security: AppArmor: Implement per-image seclabel set

Wednesday, 25 June 2014

Refactor the code and reuse it to implement the functionality.
---
 src/security/security_apparmor.c | 38 +++++++++++++++++++++++---------------
 1 file changed, 23 insertions(+), 15 deletions(-)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 72d1e16..fb41c5a 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -704,41 +704,40 @@ AppArmorRestoreSecurityDiskLabel(virSecurityManagerPtr mgr,

 /* Called when hotplugging */
 static int
-AppArmorSetSecurityDiskLabel(virSecurityManagerPtr mgr,
-                             virDomainDefPtr def, virDomainDiskDefPtr disk)
+AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
+                              virDomainDefPtr def,
+                              virStorageSourcePtr src)
 {
     int rc = -1;
     char *profile_name = NULL;
-    virSecurityLabelDefPtr secdef =
-        virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
+    virSecurityLabelDefPtr secdef;

-    if (!secdef)
+    if (!src->path ||
+        virStorageSourceGetActualType(src) == VIR_STORAGE_TYPE_NETWORK)
+        return 0;
+
+    if (!(secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME)))
         return -1;

     if (secdef->norelabel)
         return 0;

-    if (!virDomainDiskGetSource(disk) ||
-        virDomainDiskGetType(disk) == VIR_STORAGE_TYPE_NETWORK)
-        return 0;
-
     if (secdef->imagelabel) {
         /* if the device doesn't exist, error out */
-        if (!virFileExists(virDomainDiskGetSource(disk))) {
+        if (!virFileExists(src->path)) {
             virReportError(VIR_ERR_INTERNAL_ERROR,
                            _("\'%s\' does not exist"),
-                           virDomainDiskGetSource(disk));
-            return rc;
+                           src->path);
+            return -1;
         }

         if ((profile_name = get_profile_name(def)) == NULL)
-            return rc;
+            return -1;

         /* update the profile only if it is loaded */
         if (profile_loaded(secdef->imagelabel) >= 0) {
             if (load_profile(mgr, secdef->imagelabel, def,
-                             virDomainDiskGetSource(disk),
-                             false) < 0) {
+                             src->path, false) < 0) {
                 virReportError(VIR_ERR_INTERNAL_ERROR,
                                _("cannot update AppArmor profile "
                                  "\'%s\'"),
@@ -756,6 +755,14 @@ AppArmorSetSecurityDiskLabel(virSecurityManagerPtr mgr,
 }

 static int
+AppArmorSetSecurityDiskLabel(virSecurityManagerPtr mgr,
+                             virDomainDefPtr def,
+                             virDomainDiskDefPtr disk)
+{
+    return AppArmorSetSecurityImageLabel(mgr, def, disk->src);
+}
+
+static int
 AppArmorSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                        virDomainDefPtr def)
 {
@@ -983,6 +990,7 @@ virSecurityDriver virAppArmorSecurityDriver = {
     .domainSetSecurityDiskLabel         = AppArmorSetSecurityDiskLabel,
     .domainRestoreSecurityDiskLabel     = AppArmorRestoreSecurityDiskLabel,

+    .domainSetSecurityImageLabel        = AppArmorSetSecurityImageLabel,
     .domainRestoreSecurityImageLabel    = AppArmorRestoreSecurityImageLabel,

     .domainSetSecurityDaemonSocketLabel = AppArmorSetSecurityDaemonSocketLabel,
-- 
1.9.3


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[libvirt] [PATCHv3 21/26] security: AppArmor: Implement per-image seclabel set