
Quoting Cédric Bosdonnat (cbosdonnat@suse.com):
diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc
index d404328..4bfb503 100644
--- a/examples/apparmor/libvirt-lxc
+++ b/examples/apparmor/libvirt-lxc
@@ -2,16 +2,115 @@
Hi, since this is a verbatim copy of lxc's policy, is there any plan for keeping it up to date as the lxc policy is updated? Does lxc-enter-namespace --cmd /bin/bash still work? (I would expect so)
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 1e2a38b..778d233 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -351,26 +351,36 @@ AppArmorSetSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
 static int
 AppArmorSecurityManagerProbe(const char *virtDriver ATTRIBUTE_UNUSED)
 {
-    char *template = NULL;
+    char *template_qemu = NULL;
+    char *template_lxc = NULL;
     int rc = SECURITY_DRIVER_DISABLE;
 
     if (use_apparmor() < 0)
         return rc;
 
     /* see if template file exists */
-    if (virAsprintf(&template, "%s/TEMPLATE",
+    if (virAsprintf(&template_qemu, "%s/TEMPLATE.qemu",
                     APPARMOR_DIR "/libvirt") == -1)
         return rc;
 
-    if (!virFileExists(template)) {
+    if (virAsprintf(&template_lxc, "%s/TEMPLATE.lxc",
+                    APPARMOR_DIR "/libvirt") == -1)
(This remains a bug, a 'goto cleanup' is needed here)
+
+    if (!virFileExists(template_qemu)) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("template \'%s\' does not exist"), template_qemu);
+        goto cleanup;
+    }
+    if (!virFileExists(template_lxc)) {
         virReportError(VIR_ERR_INTERNAL_ERROR,
-                       _("template \'%s\' does not exist"), template);
+                       _("template \'%s\' does not exist"), template_lxc);
         goto cleanup;
     }
     rc = SECURITY_DRIVER_ENABLE;
 
   cleanup:
-    VIR_FREE(template);
+    VIR_FREE(template_qemu);
+    VIR_FREE(template_lxc);
 
     return rc;
 }
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index d563b98..2a09145 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -336,24 +336,20 @@ create_profile(const char *profile, const char *profile_name,
     char *pcontent = NULL;
     char *replace_name = NULL;
     char *replace_files = NULL;
-    char *replace_driver = NULL;
     const char *template_name = "\nprofile LIBVIRT_TEMPLATE";
     const char *template_end = "\n}";
-    const char *template_driver = "libvirt-driver";
     int tlen, plen;
     int fd;
     int rc = -1;
-    const char *driver_name = "qemu";
-
-    if (virtType == VIR_DOMAIN_VIRT_LXC)
-        driver_name = "lxc";
 
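Review bot: Enabling the driver now requires both TEMPLATE.qemu and TEMPLATE.lxc to exist, because `rc = SECURITY_DRIVER_ENABLE` is reached only after both `virFileExists` checks pass; a host that installs just one of the two templates gets SECURITY_DRIVER_DISABLE from AppArmorSecurityManagerProbe and presumably no AppArmor confinement for the driver whose template is present — worth confirming. Since `virtDriver` is still `ATTRIBUTE_UNUSED`, the probe could check only the template of the requesting driver, or the requirement that both files ship together should be recorded above the checks, e.g. `/* both templates must be installed: the driver is disabled if either is missing */`. The first `virAsprintf` failure still exits with `return rc` while the later failures use `goto cleanup`; that is only equivalent if virAsprintf leaves template_qemu NULL on failure, so a single `goto cleanup` exit would read more safely.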
     if (virFileExists(profile)) {
         vah_error(NULL, 0, _("profile exists"));
         goto end;
     }
 
-    if (virAsprintfQuiet(&template, "%s/TEMPLATE", APPARMOR_DIR "/libvirt") < 0) {
+
+    if (virAsprintfQuiet(&template, "%s/TEMPLATE.%s", APPARMOR_DIR "/libvirt",
+                         virDomainVirtTypeToString(virtType)) < 0) {
         vah_error(NULL, 0, _("template name exceeds maximum length"));
         goto end;
     }
@@ -378,11 +374,6 @@ create_profile(const char *profile, const char *profile_name,
         goto clean_tcontent;
     }
 
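Review bot: Using `virDomainVirtTypeToString(virtType)` directly in the template path breaks every virt type other than qemu and lxc: the removed code mapped all non-LXC types to the qemu template, but a domain with VIR_DOMAIN_VIRT_KVM now asks for `TEMPLATE.kvm`, which neither this patch nor the probe in security_apparmor.c provides, so profile generation for KVM guests presumably fails when the template is read later in create_profile (outside this hunk). Map the qemu-family types to `"qemu"` before formatting the name and keep the enum string for the rest. create_profile begins before this hunk.
```c
    const char *driver_name = virDomainVirtTypeToString(virtType);

    if (virtType == VIR_DOMAIN_VIRT_QEMU ||
        virtType == VIR_DOMAIN_VIRT_KVM)
        driver_name = "qemu";

    /* … unchanged: virFileExists(profile) check … */

    if (virAsprintfQuiet(&template, "%s/TEMPLATE.%s", APPARMOR_DIR "/libvirt",
                         driver_name) < 0) {
```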
-    if (strstr(tcontent, template_driver) == NULL) {
-        vah_error(NULL, 0, _("no replacement string in template"));
-        goto clean_tcontent;
-    }
-
     /* '\nprofile <profile_name>\0' */
     if (virAsprintfQuiet(&replace_name, "\nprofile %s", profile_name) == -1) {
         vah_error(NULL, 0, _("could not allocate memory for profile name"));
@@ -397,15 +388,7 @@ create_profile(const char *profile, const char *profile_name,
         goto clean_tcontent;
     }
 
-    /* 'libvirt-<driver_name>\0' */
-    if (virAsprintfQuiet(&replace_driver, "libvirt-%s", driver_name) == -1) {
-        vah_error(NULL, 0, _("could not allocate memory for profile driver"));
-        VIR_FREE(replace_driver);
-        goto clean_tcontent;
-    }
-
-    plen = tlen + strlen(replace_name) - strlen(template_name) +
-           strlen(replace_driver) - strlen(template_driver) + 1;
+    plen = tlen + strlen(replace_name) - strlen(template_name) + 1;
 
     if (virtType != VIR_DOMAIN_VIRT_LXC)
         plen += strlen(replace_files) - strlen(template_end);
@@ -422,9 +405,6 @@ create_profile(const char *profile, const char *profile_name,
     pcontent[0] = '\0';
     strcpy(pcontent, tcontent);
 
-    if (replace_string(pcontent, plen, template_driver, replace_driver) < 0)
-        goto clean_all;
-
     if (replace_string(pcontent, plen, template_name, replace_name) < 0)
         goto clean_all;
 
@@ -455,7 +435,6 @@ create_profile(const char *profile, const char *profile_name,
   clean_replace:
     VIR_FREE(replace_name);
     VIR_FREE(replace_files);
-    VIR_FREE(replace_driver);
   clean_tcontent:
     VIR_FREE(tcontent);
   end:
-- 
1.8.4.5