
Guannan Ren wrote:
On 03/02/2013 12:41 AM, Jim Fehlig wrote:
Guannan Ren wrote:
Hi Jim
In selinux, libvirt added a label for tapfd. Do you think this patch makes sense for apparmor? https://www.redhat.com/archives/libvir-list/2012-October/msg01461.html
Hi Guannan,
Apologies for missing your initial post of that series. I see that you fixed this exact bug in 2/3 :(.
I think 3/3 does make sense for apparmor, but I'm not sure about using AppArmorSetImageFDLabel() as a common function. It returns if secdef->imagelabel == NULL, which would be incorrect if labeling a tap fd right?
I promise not to miss the patch if you respin it :).
Regards, Jim
Nothing to apologize for, I really don't know much about apparmor. The tapfd I mean here is not used by the libvirt daemon; it is a tapfd created for a particular guest that is using the macvtap driver to attach a virtual NIC to a given physical interface. From the code, secdef->imagelabel has the same value as secdef->label, which is the libvirt-{uuid} file in the /etc/apparmor.d/libvirt folder. If it is null, that means the guest will not be confined by apparmor, and neither is this tapfd; I think this is fine.
Yes, agreed.
If you think it is reasonable, I will rebase that patch and send a v2.
Yep, I think it is reasonable and necessary. I finally got around to testing your patch and it is indeed needed when using macvtap with apparmor-confined guests. Thanks for looking into this! Regards, Jim