4:23 p.m.
Without this patch, kvm and kqemu domains confined with apparmor can't start
due to virt-aa-helper not finding TEMPLATE.kvm or TEMPLATE.kqemu. This patch
points all kvm-related drivers to TEMPLATE.qemu.
---
src/security/virt-aa-helper.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 9afc8db..6b95fdb 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -341,15 +341,25 @@ create_profile(const char *profile, const char *profile_name,
int tlen, plen;
int fd;
int rc = -1;
+ const char *driver_name = NULL;
if (virFileExists(profile)) {
vah_error(NULL, 0, _("profile exists"));
goto end;
}
+ switch (virtType) {
+ case VIR_DOMAIN_VIRT_QEMU:
+ case VIR_DOMAIN_VIRT_KQEMU:
+ case VIR_DOMAIN_VIRT_KVM:
+ driver_name = "qemu";
+ break;
+ default:
+ driver_name = virDomainVirtTypeToString(virtType);
+ }
if (virAsprintfQuiet(&template, "%s/TEMPLATE.%s", APPARMOR_DIR
"/libvirt",
- virDomainVirtTypeToString(virtType)) < 0) {
+ driver_name) < 0) {
vah_error(NULL, 0, _("template name exceeds maximum length"));
goto end;
}
--
1.8.4.5
8:31 a.m.
Quoting Cédric Bosdonnat (cbosdonnat(a)suse.com):
Without this patch, kvm and kqemu domains confined with apparmor
can't start
due to virt-aa-helper not finding TEMPLATE.kvm or TEMPLATE.kqemu. This patch
points all kvm-related drivers to TEMPLATE.qemu.
D'oh, I dropped the ball here. I had a patch like this but it seems it never
made it to the list.
Thanks, Cédric.
Acked-by: Serge E. Hallyn <serge.hallyn(a)ubuntu.com>
---
src/security/virt-aa-helper.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 9afc8db..6b95fdb 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -341,15 +341,25 @@ create_profile(const char *profile, const char *profile_name,
int tlen, plen;
int fd;
int rc = -1;
+ const char *driver_name = NULL;
if (virFileExists(profile)) {
vah_error(NULL, 0, _("profile exists"));
goto end;
}
+ switch (virtType) {
+ case VIR_DOMAIN_VIRT_QEMU:
+ case VIR_DOMAIN_VIRT_KQEMU:
+ case VIR_DOMAIN_VIRT_KVM:
+ driver_name = "qemu";
+ break;
+ default:
+ driver_name = virDomainVirtTypeToString(virtType);
+ }
if (virAsprintfQuiet(&template, "%s/TEMPLATE.%s", APPARMOR_DIR
"/libvirt",
- virDomainVirtTypeToString(virtType)) < 0) {
+ driver_name) < 0) {
vah_error(NULL, 0, _("template name exceeds maximum length"));
goto end;
}
--
1.8.4.5
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
4:47 a.m.
On 10/29/14 14:31, Serge Hallyn wrote:
Quoting Cédric Bosdonnat (cbosdonnat(a)suse.com):
> Without this patch, kvm and kqemu domains confined with apparmor can't start
> due to virt-aa-helper not finding TEMPLATE.kvm or TEMPLATE.kqemu. This patch
> points all kvm-related drivers to TEMPLATE.qemu.
D'oh, I dropped the ball here. I had a patch like this but it seems it never
made it to the list.
Thanks, Cédric.
Acked-by: Serge E. Hallyn <serge.hallyn(a)ubuntu.com>
Thanks for confirming it's the right thing to do with apparmor. I'll
push this patch in a moment. I was about to ACK it but was afraid to do
so as I don't use apparmor actually.
Peter
>
> ---
> src/security/virt-aa-helper.c | 12 +++++++++++-
> 1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index 9afc8db..6b95fdb 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -341,15 +341,25 @@ create_profile(const char *profile, const char *profile_name,
> int tlen, plen;
> int fd;
> int rc = -1;
> + const char *driver_name = NULL;
>
> if (virFileExists(profile)) {
> vah_error(NULL, 0, _("profile exists"));
> goto end;
> }
>
> + switch (virtType) {
> + case VIR_DOMAIN_VIRT_QEMU:
> + case VIR_DOMAIN_VIRT_KQEMU:
> + case VIR_DOMAIN_VIRT_KVM:
> + driver_name = "qemu";
> + break;
> + default:
> + driver_name = virDomainVirtTypeToString(virtType);
> + }
>
> if (virAsprintfQuiet(&template, "%s/TEMPLATE.%s", APPARMOR_DIR
"/libvirt",
> - virDomainVirtTypeToString(virtType)) < 0) {
> + driver_name) < 0) {
> vah_error(NULL, 0, _("template name exceeds maximum length"));
> goto end;
> }
> --
> 1.8.4.5
>
> --
> libvir-list mailing list
> libvir-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
4:53 a.m.
On 10/30/14 10:47, Peter Krempa wrote:
On 10/29/14 14:31, Serge Hallyn wrote:
> Quoting Cédric Bosdonnat (cbosdonnat(a)suse.com):
>> Without this patch, kvm and kqemu domains confined with apparmor can't start
>> due to virt-aa-helper not finding TEMPLATE.kvm or TEMPLATE.kqemu. This patch
>> points all kvm-related drivers to TEMPLATE.qemu.
>
> D'oh, I dropped the ball here. I had a patch like this but it seems it never
> made it to the list.
>
> Thanks, Cédric.
>
> Acked-by: Serge E. Hallyn <serge.hallyn(a)ubuntu.com>
Thanks for confirming it's the right thing to do with apparmor. I'll
push this patch in a moment. I was about to ACK it but was afraid to do
so as I don't use apparmor actually.
Ah, it actually is already pushed and I didn't notice. Sorry for the noise.
Peter
3661
days inactive
3663
days old
3 comments
3 participants
participants (3)
-
Cédric Bosdonnat -
Peter Krempa -
Serge Hallyn