Re: [libvirt] [PATCH 2/3] Add a virSecurityManagerSetProcessFDLabel

Add a new security driver method for labelling an FD with the process label, rather than the image label

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 90725cd..2d3f9d8 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -852,6 +852,7 @@ virSecurityManagerSetAllLabel; virSecurityManagerSetImageFDLabel; virSecurityManagerSetImageLabel; virSecurityManagerSetHostdevLabel; +virSecurityManagerSetProcessFDLabel; virSecurityManagerSetProcessLabel; virSecurityManagerSetSavedStateLabel; virSecurityManagerSetSocketLabel; diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index 50a7383..df8c66c 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -784,6 +784,34 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr, return reload_profile(mgr, vm, fd_path, true); } +static int +AppArmorSetProcessFDLabel(virSecurityManagerPtr mgr, + virDomainObjPtr vm, + int fd) +{ + int rc = -1; + char *proc = NULL; + char *fd_path = NULL; + + const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + + if (secdef->imagelabel == NULL) + return 0; + + if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1) { + virReportOOMError(); + return rc; + } + + if (virFileResolveLink(proc, &fd_path) < 0) { + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, + "%s", _("could not find path for descriptor")); + return rc; + } + + return reload_profile(mgr, vm, fd_path, true); +} + virSecurityDriver virAppArmorSecurityDriver = { 0, SECURITY_APPARMOR_NAME, @@ -819,4 +847,5 @@ virSecurityDriver virAppArmorSecurityDriver = { AppArmorRestoreSavedStateLabel, AppArmorSetImageFDLabel, + AppArmorSetProcessFDLabel, };