File apparmor-alt-seclabel.patch of Package libvirt.6841
commit 8f6a7866102346691fce84ade9a6d8534aaffcdc
Author: Jim Fehlig <jfehlig@suse.com>
Date: Thu Feb 2 19:26:13 2017 -0700

apparmor: don't fail on non-apparmor <seclabel>

If the apparmor security driver is loaded/enabled and domain config contains a <seclabel> element whose type attribute is not 'apparmor', starting the domain fails when attempting to label resources such as tap FDs. Many of the apparmor driver entry points attempt to retrieve the apparmor security label from the domain def, returning failure if not found. Functions such as AppArmorSetFDLabel fail even though domain config contains an explicit 'none' secuirty driver, e.g. <seclabel type='none' model='none'/> Change the entry points to succeed if the domain config <seclabel> is not apparmor. This matches the behavior of the selinux driver.

Index: libvirt-2.0.0/src/security/security_apparmor.c
===================================================================
--- libvirt-2.0.0.orig/src/security/security_apparmor.c
+++ libvirt-2.0.0/src/security/security_apparmor.c
@@ -288,10 +288,7 @@ reload_profile(virSecurityManagerPtr mgr
  virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(
  def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return rc;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
  return 0;
  if ((profile_name = get_profile_name(def)) == NULL)
@@ -427,7 +424,7 @@ AppArmorGenSecurityLabel(virSecurityMana
  SECURITY_APPARMOR_NAME);
  if (!secdef)
- return -1;
+ return 0;
  if ((secdef->type == VIR_DOMAIN_SECLABEL_STATIC) || (secdef->type == VIR_DOMAIN_SECLABEL_NONE))
@@ -487,10 +484,7 @@ AppArmorSetSecurityAllLabel(virSecurityM
  {
  virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
  return 0;
  /* Reload the profile if stdin_path is specified. Note that
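Review bot: In reload_profile the merged guard `if (!secdef || !secdef->relabel) return 0;` makes a domain with no apparmor <seclabel> indistinguishable from one that has relabeling switched off, and nothing records that labeling was skipped. Because this is a security driver deliberately skipping confinement work, a comment above the guard such as `/* No apparmor <seclabel> in the domain config: nothing to label, not an error */` would keep the intent visible, and a debug-level log line would help when auditing why a guest runs without a profile. The same merged guard appears in AppArmorSetSecurityAllLabel, AppArmorSetSecurityProcessLabel, AppArmorSetSecurityChildProcessLabel, AppArmorSetSecurityImageLabel, AppArmorSetSecurityHostdevLabel, AppArmorRestoreSecurityHostdevLabel and AppArmorSetFDLabel. reload_profile's body starts and ends outside the hunk.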
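Review bot: AppArmorGenSecurityLabel now returns success at `if (!secdef) return 0;` without producing a label, so with the AppArmor driver enabled a guest configured with `<seclabel type='none' model='none'/>` starts with no profile from this driver and no error. AppArmorRestoreSecurityAllLabel and AppArmorSecurityVerify make the same `return -1` to `return 0` change, which means verification also passes for such a domain. That matches the stated intent, but any host requirement that guests be confined then has to be enforced outside this driver; it is worth confirming that such a check exists in the callers. A comment above each guard, for example `/* No apparmor <seclabel>: nothing for this driver to generate */`, would document that the fail-open result is deliberate.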
@@ -551,12 +545,11 @@ AppArmorReleaseSecurityLabel(virSecurity
  {
  virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- VIR_FREE(secdef->model);
- VIR_FREE(secdef->label);
- VIR_FREE(secdef->imagelabel);
+ if (secdef) {
+ VIR_FREE(secdef->model);
+ VIR_FREE(secdef->label);
+ VIR_FREE(secdef->imagelabel);
+ }
  return 0;
  }
@@ -572,7 +565,7 @@ AppArmorRestoreSecurityAllLabel(virSecur
  virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
  if (!secdef)
- return -1;
+ return 0;
  if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
  if ((rc = remove_profile(secdef->label)) != 0) {
@@ -596,10 +589,7 @@ AppArmorSetSecurityProcessLabel(virSecur
  virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (secdef->label == NULL)
+ if (!secdef || !secdef->label)
  return 0;
  if ((profile_name = get_profile_name(def)) == NULL)
@@ -645,10 +635,7 @@ AppArmorSetSecurityChildProcessLabel(vir
  virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- goto cleanup;
-
- if (secdef->label == NULL)
+ if (!secdef || !secdef->label)
  return 0;
  if (STRNEQ(SECURITY_APPARMOR_NAME, secdef->model)) {
@@ -730,10 +717,8 @@ AppArmorSetSecurityImageLabel(virSecurit
  if (!src->path || !virStorageSourceIsLocalStorage(src))
  return 0;
- if (!(secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME)))
- return -1;
-
- if (!secdef->relabel)
+ secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
+ if (!secdef || !secdef->relabel)
  return 0;
  if (secdef->imagelabel) {
@@ -784,7 +769,7 @@ AppArmorSecurityVerify(virSecurityManage
  virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
  if (!secdef)
- return -1;
+ return 0;
  if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) {
  if (use_apparmor() < 0 || profile_status(secdef->label, 0) < 0) {
@@ -820,10 +805,7 @@ AppArmorSetSecurityHostdevLabel(virSecur
  virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci;
  virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
- if (!secdef)
- return -1;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
  return 0;
  if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
@@ -918,10 +900,7 @@ AppArmorRestoreSecurityHostdevLabel(virS
  virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
  return 0;
  return reload_profile(mgr, def, NULL, false);
@@ -956,10 +935,7 @@ AppArmorSetFDLabel(virSecurityManagerPtr
  virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (secdef->imagelabel == NULL)
+ if (!secdef || !secdef->imagelabel)
  return 0;
  if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1)