On Fri, 2011-12-02 at 13:10 -0600, Serge Hallyn wrote:
The pathname for the pipe for tunnelled migration is unresolvable.
The
libvirt apparmor driver therefore refuses access, causing migration to
fail. If we can't resolve the path, the worst that can happen is that
we should have given permission to the file but didn't. Otherwise
(especially since this is a /proc/$$/fd/N file) the file is already open
and libvirt won't be refused access by apparmor anyway.
Also adjust virt-aa-helper to allow access to the
*.tunnelmigrate.dest.name files.
Changelog: Dec 2: per jdstrand comment, also change the Error to a VIR_WARN.
For more information, see
https://launchpad.net/bugs/869553.
Signed-off-by: Serge Hallyn <serge.hallyn(a)canonical.com>
---
src/security/security_apparmor.c | 6 +++---
src/security/virt-aa-helper.c | 4 ++++
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 299dcc6..5e68da8 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -791,9 +791,9 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
}
if (virFileResolveLink(proc, &fd_path) < 0) {
- virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
- "%s", _("could not find path for
descriptor"));
- return rc;
+ /* it's a deleted file, presumably. Ignore? */
+ VIR_WARN("could not find path for descriptor %s, skipping", proc);
+ return 0;
}
return reload_profile(mgr, vm, fd_path, true);
ACK
diff --git a/src/security/virt-aa-helper.c
b/src/security/virt-aa-helper.c
index 14399cc..4561bb9 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1220,6 +1220,10 @@ main(int argc, char **argv)
LOCALSTATEDIR, ctl->def->name);
virBufferAsprintf(&buf, " \"/run/libvirt/**/%s.pid\"
rwk,\n",
ctl->def->name);
+ virBufferAsprintf(&buf, "
\"%s/run/libvirt/**/*.tunnelmigrate.dest.%s\" rw,\n",
+ LOCALSTATEDIR, ctl->def->name);
+ virBufferAsprintf(&buf, "
\"/run/libvirt/**/*.tunnelmigrate.dest.%s\" rw,\n",
+ ctl->def->name);
if (ctl->files)
virBufferAdd(&buf, ctl->files, -1);
}
ACK
--
Jamie Strandboge |
http://www.canonical.com