commit 411cdaf884f35b8dac2be17fcc24e052e11b7d60
Author: Jim Fehlig <jfehlig@suse.com>
Date: Fri Mar 1 14:34:17 2019 -0700
apparmor: Check libvirtd profile status by name
Commit a3ab6d42 changed the libvirtd profile to a named profile,
breaking the apparmor driver's ability to detect if the profile is
active. When the apparmor driver loads it checks the status of the
libvirtd profile using the full binary path, which fails since the
profile is now referenced by name. If the apparmor driver is
explicitly requested in /etc/libvirt/qemu.conf, then libvirtd fails
to load too.
Instead of only checking the profile status by full binary path,
also check by profile name. The full path check is retained in case
users have a customized libvirtd profile with full path.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
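Index: libvirt-5.1.0/src/security/security_apparmor.c
===================================================================
--- libvirt-5.1.0.orig/src/security/security_apparmor.c
+++ libvirt-5.1.0/src/security/security_apparmor.c
@@ -257,10 +257,16 @@ use_apparmor(void)
 if (access(APPARMOR_PROFILES_PATH, R_OK) != 0)
 goto cleanup;
 
+ /* First check profile status using full binary path. If that fails
+ * check using profile name.
+ */
 rc = profile_status(libvirt_daemon, 1);
- /* Error or unconfined should all result in -1*/
- if (rc < 0)
- rc = -1;
+ if (rc < 0) {
+ rc = profile_status("libvirtd", 1);
+ /* Error or unconfined should all result in -1*/
+ if (rc < 0)
+ rc = -1;
+ }
 
 cleanup:
 VIR_FREE(libvirt_daemon);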
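Review bot: The fallback at `rc = profile_status("libvirtd", 1);` hard-codes the profile name as a bare literal, so the driver silently depends on the name used in the shipped libvirtd profile; a named constant with a comment tying it to that profile, e.g. `#define LIBVIRTD_PROFILE_NAME "libvirtd"` (suggested name), would make the coupling visible. A by-name lookup also only establishes that some loaded profile carries that name, not that this daemon binary is the one confined by it, and profile_status() is defined outside the hunk, so how strictly it matches the name cannot be confirmed here and is worth checking. The retry runs for every negative result of the first call, including an error rather than a missing profile, which looks harmless but deserves a word in the new comment. use_apparmor() starts and ends outside this hunk.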