[libvirt] [PATCH] Teach virt-aa-helper to use TEMPLATE.qemu if the domain is kvm or kqemu

Without this patch, kvm and kqemu domains confined with apparmor can't start due to virt-aa-helper not finding TEMPLATE.kvm or TEMPLATE.kqemu. This patch points all kvm-related drivers to TEMPLATE.qemu. --- src/security/virt-aa-helper.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 9afc8db..6b95fdb 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -341,15 +341,25 @@ create_profile(const char *profile, const char *profile_name, int tlen, plen; int fd; int rc = -1; + const char *driver_name = NULL; if (virFileExists(profile)) { vah_error(NULL, 0, _("profile exists")); goto end; } + switch (virtType) { + case VIR_DOMAIN_VIRT_QEMU: + case VIR_DOMAIN_VIRT_KQEMU: + case VIR_DOMAIN_VIRT_KVM: + driver_name = "qemu"; + break; + default: + driver_name = virDomainVirtTypeToString(virtType); + } if (virAsprintfQuiet(&template, "%s/TEMPLATE.%s", APPARMOR_DIR "/libvirt", - virDomainVirtTypeToString(virtType)) < 0) { + driver_name) < 0) { vah_error(NULL, 0, _("template name exceeds maximum length")); goto end; } -- 1.8.4.5
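
Review bot: In the `default:` branch of the new switch, `driver_name` takes whatever `virDomainVirtTypeToString(virtType)` returns and is passed straight into the `"%s/TEMPLATE.%s"` format, so if that lookup can return NULL for an unrecognised `virtType`, the template path is built from a NULL string. Consider checking `driver_name` after the switch and bailing out through `vah_error()` and `goto end` with a message that names the unsupported type. Two smaller points in the same hunk: the `default:` case has no closing `break;`, and a one-line comment above the switch saying that qemu, kqemu and kvm all share TEMPLATE.qemu would spare the next reader a trip to the commit message.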

Quoting Cédric Bosdonnat (cbosdonnat@suse.com):
Without this patch, kvm and kqemu domains confined with apparmor can't start due to virt-aa-helper not finding TEMPLATE.kvm or TEMPLATE.kqemu. This patch points all kvm-related drivers to TEMPLATE.qemu.
D'oh, I dropped the ball here. I had a patch like this but it seems it never made it to the list.
Thanks, Cédric.
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
--- src/security/virt-aa-helper.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 9afc8db..6b95fdb 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -341,15 +341,25 @@ create_profile(const char *profile, const char *profile_name, int tlen, plen; int fd; int rc = -1; + const char *driver_name = NULL;
if (virFileExists(profile)) { vah_error(NULL, 0, _("profile exists")); goto end; }
+ switch (virtType) { + case VIR_DOMAIN_VIRT_QEMU: + case VIR_DOMAIN_VIRT_KQEMU: + case VIR_DOMAIN_VIRT_KVM: + driver_name = "qemu"; + break; + default: + driver_name = virDomainVirtTypeToString(virtType); + }
if (virAsprintfQuiet(&template, "%s/TEMPLATE.%s", APPARMOR_DIR "/libvirt", - virDomainVirtTypeToString(virtType)) < 0) { + driver_name) < 0) { vah_error(NULL, 0, _("template name exceeds maximum length")); goto end; } -- 1.8.4.5
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

On 10/29/14 14:31, Serge Hallyn wrote:
Quoting Cédric Bosdonnat (cbosdonnat@suse.com):
Without this patch, kvm and kqemu domains confined with apparmor can't start due to virt-aa-helper not finding TEMPLATE.kvm or TEMPLATE.kqemu. This patch points all kvm-related drivers to TEMPLATE.qemu.
D'oh, I dropped the ball here. I had a patch like this but it seems it never made it to the list.
Thanks, Cédric.
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Thanks for confirming it's the right thing to do with apparmor. I'll push this patch in a moment. I was about to ACK it but was afraid to do so as I don't use apparmor actually.
Peter
--- src/security/virt-aa-helper.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 9afc8db..6b95fdb 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -341,15 +341,25 @@ create_profile(const char *profile, const char *profile_name, int tlen, plen; int fd; int rc = -1; + const char *driver_name = NULL;
if (virFileExists(profile)) { vah_error(NULL, 0, _("profile exists")); goto end; }
+ switch (virtType) { + case VIR_DOMAIN_VIRT_QEMU: + case VIR_DOMAIN_VIRT_KQEMU: + case VIR_DOMAIN_VIRT_KVM: + driver_name = "qemu"; + break; + default: + driver_name = virDomainVirtTypeToString(virtType); + }
if (virAsprintfQuiet(&template, "%s/TEMPLATE.%s", APPARMOR_DIR "/libvirt", - virDomainVirtTypeToString(virtType)) < 0) { + driver_name) < 0) { vah_error(NULL, 0, _("template name exceeds maximum length")); goto end; } -- 1.8.4.5

On 10/30/14 10:47, Peter Krempa wrote:
On 10/29/14 14:31, Serge Hallyn wrote:
Quoting Cédric Bosdonnat (cbosdonnat@suse.com):
Without this patch, kvm and kqemu domains confined with apparmor can't start due to virt-aa-helper not finding TEMPLATE.kvm or TEMPLATE.kqemu. This patch points all kvm-related drivers to TEMPLATE.qemu.
D'oh, I dropped the ball here. I had a patch like this but it seems it never made it to the list.
Thanks, Cédric.
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Thanks for confirming it's the right thing to do with apparmor. I'll push this patch in a moment. I was about to ACK it but was afraid to do so as I don't use apparmor actually.
Ah, it actually is already pushed and I didn't notice. Sorry for the noise.
Peter
participants (3)
- Cédric Bosdonnat
- Peter Krempa
- Serge Hallyn