
On Fri, 2011-06-24 at 16:09 +0100, Daniel P. Berrange wrote:
Add a new security driver method for labelling an FD with the process label, rather than the image label
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 90725cd..2d3f9d8 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -852,6 +852,7 @@ virSecurityManagerSetAllLabel;
 virSecurityManagerSetImageFDLabel;
 virSecurityManagerSetImageLabel;
 virSecurityManagerSetHostdevLabel;
+virSecurityManagerSetProcessFDLabel;
 virSecurityManagerSetProcessLabel;
 virSecurityManagerSetSavedStateLabel;
 virSecurityManagerSetSocketLabel;
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 50a7383..df8c66c 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -784,6 +784,34 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
 return reload_profile(mgr, vm, fd_path, true);
 }
+static int
+AppArmorSetProcessFDLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm,
+ int fd)
+{
+ int rc = -1;
+ char *proc = NULL;
+ char *fd_path = NULL;
+
+ const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+
+ if (secdef->imagelabel == NULL)
+ return 0;
+
+ if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1) {
+ virReportOOMError();
+ return rc;
+ }
+
+ if (virFileResolveLink(proc, &fd_path) < 0) {
+ virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+ "%s", _("could not find path for descriptor"));
+ return rc;
+ }
+
+ return reload_profile(mgr, vm, fd_path, true);
+}
+
 virSecurityDriver virAppArmorSecurityDriver = {
 0,
 SECURITY_APPARMOR_NAME,
@@ -819,4 +847,5 @@ virSecurityDriver virAppArmorSecurityDriver = {
 AppArmorRestoreSavedStateLabel,
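Review bot: `proc` and `fd_path` are heap strings (filled in by `virAsprintf` and `virFileResolveLink`) that AppArmorSetProcessFDLabel never frees, so every call leaks them, on the error returns as well as on success. Route each exit after the first allocation through a `cleanup:` label that frees both, as sketched below. Separately, the link target of `/proc/self/fd/N` is only a filesystem path when the descriptor refers to a file; for a pipe or socket it is a pseudo-name, and a file unlinked after open carries a ` (deleted)` suffix, so it is worth confirming what `reload_profile` (outside this hunk) does with such a string before it is written into the profile. The early `return 0` on `secdef->imagelabel == NULL` also deserves a one-line comment saying why a process-FD label is gated on the image label.

```c
    /* … unchanged: declarations, imagelabel check … */
    if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1) {
        virReportOOMError();
        goto cleanup;
    }
    if (virFileResolveLink(proc, &fd_path) < 0) {
        /* … unchanged: virSecurityReportError call … */
        goto cleanup;
    }

    rc = reload_profile(mgr, vm, fd_path, true);

cleanup:
    VIR_FREE(proc);
    VIR_FREE(fd_path);
    return rc;
}
```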
AppArmorSetImageFDLabel,
+ AppArmorSetProcessFDLabel,
 };
ACK, though this and AppArmorSetImageFDLabel() are now identical and could therefore be refactored. I've made a note to check on this after the SetProcessFDLabel() changes are in place. -- Jamie Strandboge | http://www.canonical.com