On Fri, Sep 25, 2009 at 05:47:35PM -0500, Jamie Strandboge wrote:
On Fri, 25 Sep 2009, Jamie Strandboge wrote:
> [PATCH 1]
> patch_1_reenable-nonfile-labels.patch (Updated based on prior feedback):
> When James Morris originally submitted his sVirt patches (as seen in
> libvirt 0.6.1), he did not require on-disk labelling for
> virSecurityDomainRestoreImageLabel. A later commit[2] changed this
> behavior to assume on-disk labelling, which blocks implementations for
> path-based MAC systems such as AppArmor and TOMOYO where
> vm->def->seclabel is required to obtain the label. This patch simply
> adds the 'virDomainObjPtr vm' argument back to *RestoreImageLabel.
--
Jamie Strandboge |
http://www.canonical.com
diff -Naurp libvirt.orig/src/qemu/qemu_driver.c
libvirt/src/qemu/qemu_driver.c
--- libvirt.orig/src/qemu/qemu_driver.c 2009-09-25 10:50:21.000000000 -0500
+++ libvirt/src/qemu/qemu_driver.c 2009-09-25 16:56:32.000000000 -0500
@@ -6309,7 +6309,7 @@ static int qemudDomainDetachDevice(virDo
dev->data.disk->bus == VIR_DOMAIN_DISK_BUS_VIRTIO)) {
ret = qemudDomainDetachPciDiskDevice(dom->conn, vm, dev);
if (driver->securityDriver)
- driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn,
dev->data.disk);
+ driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn,
vm, dev->data.disk);
if (qemuDomainSetDeviceOwnership(dom->conn, driver, dev, 1) < 0)
VIR_WARN0("Fail to restore disk device ownership");
} else if (dev->type == VIR_DOMAIN_DEVICE_NET) {
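Review bot: The return value of `domainRestoreSecurityImageLabel` is dropped at this call in qemudDomainDetachDevice, so a failed restore can leave the detached image carrying the guest's label with nothing logged, unlike the ownership restore on the next line, which warns. Suggest `if (driver->securityDriver && driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, vm, dev->data.disk) < 0)` followed by `VIR_WARN0("Fail to restore disk security label");`. The call also runs regardless of `ret` from qemudDomainDetachPciDiskDevice, so after a failed detach the label may be restored on a disk the guest still holds; that looks pre-existing and the rest of the function is outside the hunk, so confirm before changing it. If a security driver is allowed to leave this callback unset, the pointer itself needs a NULL check here as well, which the hunk does not show to be guaranteed.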
diff -Naurp libvirt.orig/src/security/security_driver.h
libvirt/src/security/security_driver.h
--- libvirt.orig/src/security/security_driver.h 2009-09-22 12:51:57.000000000 -0500
+++ libvirt/src/security/security_driver.h 2009-09-25 16:56:32.000000000 -0500
@@ -32,6 +32,7 @@ typedef virSecurityDriverStatus (*virSec
typedef int (*virSecurityDriverOpen) (virConnectPtr conn,
virSecurityDriverPtr drv);
typedef int (*virSecurityDomainRestoreImageLabel) (virConnectPtr conn,
+ virDomainObjPtr vm,
virDomainDiskDefPtr disk);
typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn,
virDomainObjPtr vm,
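Review bot: The new `vm` parameter of virSecurityDomainRestoreImageLabel has no stated contract, and this typedef is the place a driver author will look for one. Per the patch description, path-based drivers read `vm->def->seclabel`, while the SELinux implementation in this patch marks the argument unused, so callers presumably must always pass a non-NULL `vm` with a populated `def` even though one driver ignores it. A comment above the typedef such as `/* vm must be non-NULL; path-based drivers read vm->def->seclabel to find the label */` would make that explicit. The typedef for virSecurityDomainSetImageLabel continues past the end of the hunk.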
diff -Naurp libvirt.orig/src/security/security_selinux.c
libvirt/src/security/security_selinux.c
--- libvirt.orig/src/security/security_selinux.c 2009-09-22 12:51:57.000000000 -0500
+++ libvirt/src/security/security_selinux.c 2009-09-25 16:56:32.000000000 -0500
@@ -377,6 +377,7 @@ err:
static int
SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
+ virDomainObjPtr vm ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk)
{
/* Don't restore labels on readoly/shared disks, because
@@ -581,7 +582,8 @@ SELinuxRestoreSecurityLabel(virConnectPt
rc = -1;
}
for (i = 0 ; i < vm->def->ndisks ; i++) {
- if (SELinuxRestoreSecurityImageLabel(conn, vm->def->disks[i]) < 0)
+ if (SELinuxRestoreSecurityImageLabel(conn, vm,
+ vm->def->disks[i]) < 0)
rc = -1;
}
VIR_FREE(secdef->model);
ACK
Daniel
--
|: Red Hat, Engineering, London -o-
http://people.redhat.com/berrange/ :|
|:
http://libvirt.org -o-
http://virt-manager.org -o-
http://ovirt.org :|
|:
http://autobuild.org -o-
http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|