1:51 a.m.
These three patches are generated when trying to make use of
libvirt apparmor security driver in openSUSU 11.4.
Patches fix some typoes and bugs and rename AppArmorSetImageFDLabel
to AppArmorSetFDLabel as the common labeling function that could
be used by domainSetSecurityImageFDLabel and domainSetSecurityTapFDLabel.
tapfd could be seen in the last line in specific profile named
/etc/apparmor.d/libvirt/libvirt-cdbebdfa-1d6d-65c3-be0f-fd74b978a773.files
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/log/libvirt/**/rhel6qcow2.log" w,
"/var/lib/libvirt/**/rhel6qcow2.monitor" rw,
"/var/run/libvirt/**/rhel6qcow2.pid" rwk,
"/run/libvirt/**/rhel6qcow2.pid" rwk,
"/var/run/libvirt/**/*.tunnelmigrate.dest.rhel6qcow2" rw,
"/run/libvirt/**/*.tunnelmigrate.dest.rhel6qcow2" rw,
"/var/lib/libvirt/images/rhel6u3qcow2.img" rw,
"/dev/tap45" rw,
Guannan Ren(3)
[PATCH 1/3] apparmor: fix typoes in virt-aa-helper
[PATCH 2/3] apparmor: no need to check security model
[PATCH 3/3] apparmor: use AppArmorSetFDLabel for both imageFD and tapFD
src/security/security_apparmor.c | 22 ++++++----------------
src/security/virt-aa-helper.c | 7 +++----
2 files changed, 9 insertions(+), 20 deletions(-)
1:51 a.m.
New subject: [libvirt] [PATCH 1/3] apparmor: fix typoes in virt-aa-helper
---
src/security/virt-aa-helper.c | 7 +++----
1 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 263fc92..3c3449c 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -924,10 +924,9 @@ get_files(vahControl * ctl)
/* XXX - if we knew the qemu user:group here we could send it in
* so that the open could be re-tried as that user:group.
*/
- disk->chain = virStorageFileGetMetadata(disk->src, disk->format,
- -1, -1,
- ctl->allowDiskFormatProbing,
- NULL);
+ disk->backingChain = virStorageFileGetMetadata(disk->src, disk->format,
+ -1, -1,
+ ctl->allowDiskFormatProbing);
/* XXX passing ignoreOpenFailure = true to get back to the behavior
* from before using virDomainDiskDefForeachPath. actually we should
--
1.7.3.4
3:24 a.m.
New subject: [libvirt] [PATCH 1/3] apparmor: fix typoes in virt-aa-helper
On Thu, Oct 25, 2012 at 14:51:37 +0800, Guannan Ren wrote:
---
src/security/virt-aa-helper.c | 7 +++----
1 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 263fc92..3c3449c 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -924,10 +924,9 @@ get_files(vahControl * ctl)
/* XXX - if we knew the qemu user:group here we could send it in
* so that the open could be re-tried as that user:group.
*/
- disk->chain = virStorageFileGetMetadata(disk->src, disk->format,
- -1, -1,
- ctl->allowDiskFormatProbing,
- NULL);
+ disk->backingChain = virStorageFileGetMetadata(disk->src,
disk->format,
+ -1, -1,
+ ctl->allowDiskFormatProbing);
/* XXX passing ignoreOpenFailure = true to get back to the behavior
* from before using virDomainDiskDefForeachPath. actually we should
This could potentially lead to leaking the memory pointed to be previous value
of disk->backingChain. Anyway, just drop this patch completely since I already
sent the fix for this issue yesterday and pushed it now as
commit 0111b409a393bd4c3f138419bc9bf5cb20ebbc77
Author: Jiri Denemark <jdenemar(a)redhat.com>
Date: Wed Oct 24 12:13:48 2012 +0200
Fix build with apparmor
Recent storage patches changed signature of virStorageFileGetMetadata
and replaced chain with backingChain in virDomainDiskDef.
Jirka
1:51 a.m.
New subject: [libvirt] [PATCH 2/3] apparmor: no need to check security model
The security model has been set already when allocating and adding
virSecurityLabelDefPtr struct into virDomainDefPtr, so the value of
secdef->model is always non-null.
So error: security label already defined for VM is reported.
The patch is to remove the checking of its value in If condition clause
---
src/security/security_apparmor.c | 7 +++----
1 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 1315fe1..1972ab0 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -435,8 +435,7 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
return rc;
}
- if ((secdef->label) ||
- (secdef->model) || (secdef->imagelabel)) {
+ if ((secdef->label) || (secdef->imagelabel)) {
virReportError(VIR_ERR_INTERNAL_ERROR,
"%s",
_("security label already defined for VM"));
@@ -460,8 +459,8 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
goto err;
}
- secdef->model = strdup(SECURITY_APPARMOR_NAME);
- if (!secdef->model) {
+ if (!secdef->model &&
+ !(secdef->model = strdup(SECURITY_APPARMOR_NAME))) {
virReportOOMError();
goto err;
}
--
1.7.3.4
1:51 a.m.
New subject: [libvirt] [PATCH 3/3] apparmor: use AppArmorSetFDLabel for both imageFD and tapFD
Rename AppArmorSetImageFDLabel to AppArmorSetFDLabel which could
be used as a common function for *ALL* fd relabelling in Linux.
In apparmor profile for specific vm with uuid cdbebdfa-1d6d-65c3-be0f-fd74b978a773
Path: /etc/apparmor.d/libvirt/libvirt-cdbebdfa-1d6d-65c3-be0f-fd74b978a773.files
The last line is for the tapfd relabelling.
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/log/libvirt/**/rhel6qcow2.log" w,
"/var/lib/libvirt/**/rhel6qcow2.monitor" rw,
"/var/run/libvirt/**/rhel6qcow2.pid" rwk,
"/run/libvirt/**/rhel6qcow2.pid" rwk,
"/var/run/libvirt/**/*.tunnelmigrate.dest.rhel6qcow2" rw,
"/run/libvirt/**/*.tunnelmigrate.dest.rhel6qcow2" rw,
"/var/lib/libvirt/images/rhel6u3qcow2.img" rw,
"/dev/tap45" rw,
---
src/security/security_apparmor.c | 15 +++------------
1 files changed, 3 insertions(+), 12 deletions(-)
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 1972ab0..953775c 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -840,7 +840,7 @@ AppArmorRestoreSavedStateLabel(virSecurityManagerPtr mgr,
}
static int
-AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
+AppArmorSetFDLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
int fd)
{
@@ -871,15 +871,6 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
return reload_profile(mgr, def, fd_path, true);
}
-/* TODO need code here */
-static int
-AppArmorSetTapFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainDefPtr def ATTRIBUTE_UNUSED,
- int fd ATTRIBUTE_UNUSED)
-{
- return 0;
-}
-
virSecurityDriver virAppArmorSecurityDriver = {
.privateDataLen = 0,
.name = SECURITY_APPARMOR_NAME,
@@ -915,6 +906,6 @@ virSecurityDriver virAppArmorSecurityDriver = {
.domainSetSavedStateLabel = AppArmorSetSavedStateLabel,
.domainRestoreSavedStateLabel = AppArmorRestoreSavedStateLabel,
- .domainSetSecurityImageFDLabel = AppArmorSetImageFDLabel,
- .domainSetSecurityTapFDLabel = AppArmorSetTapFDLabel,
+ .domainSetSecurityImageFDLabel = AppArmorSetFDLabel,
+ .domainSetSecurityTapFDLabel = AppArmorSetFDLabel,
};
--
1.7.3.4
4664
days inactive
4664
days old
4 comments
2 participants
participants (2)
-
Guannan Ren -
Jiri Denemark