File 411cdaf8-apparmor-check-profile-name.patch of Package libvirt.11459

Overview Repositories Revisions Requests Users Attributes Meta

File 411cdaf8-apparmor-check-profile-name.patch of Package libvirt.11459

commit 411cdaf884f35b8dac2be17fcc24e052e11b7d60
Author: Jim Fehlig <jfehlig@suse.com>
Date:   Fri Mar 1 14:34:17 2019 -0700

apparmor: Check libvirtd profile status by name
    
    Commit a3ab6d42 changed the libvirtd profile to a named profile,
    breaking the apparmor driver's ability to detect if the profile is
    active. When the apparmor driver loads it checks the status of the
    libvirtd profile using the full binary path, which fails since the
    profile is now referenced by name. If the apparmor driver is
    explicitly requested in /etc/libvirt/qemu.conf, then libvirtd fails
    to load too.
    
    Instead of only checking the profile status by full binary path,
    also check by profile name. The full path check is retained in case
    users have a customized libvirtd profile with full path.
    
    Signed-off-by: Jim Fehlig <jfehlig@suse.com>
    Acked-by: Jamie Strandboge <jamie@canonical.com>

Index: libvirt-5.1.0/src/security/security_apparmor.c
===================================================================
--- libvirt-5.1.0.orig/src/security/security_apparmor.c
+++ libvirt-5.1.0/src/security/security_apparmor.c
@@ -257,10 +257,16 @@ use_apparmor(void)
     if (access(APPARMOR_PROFILES_PATH, R_OK) != 0)
         goto cleanup;
 
+    /* First check profile status using full binary path. If that fails
+     * check using profile name.
+     */
     rc = profile_status(libvirt_daemon, 1);
-    /* Error or unconfined should all result in -1*/
-    if (rc < 0)
-        rc = -1;
+    if (rc < 0) {
+        rc = profile_status("libvirtd", 1);
+        /* Error or unconfined should all result in -1*/
+        if (rc < 0)
+            rc = -1;
+    }
 
  cleanup:
     VIR_FREE(libvirt_daemon);

Places

File 411cdaf8-apparmor-check-profile-name.patch of Package libvirt.11459

Places