libvirt/apparmor-alt-seclabel.patch

168 lines
5.5 KiB
Diff
Raw Normal View History

commit 8f6a7866102346691fce84ade9a6d8534aaffcdc
Author: Jim Fehlig <jfehlig@suse.com>
Date: Thu Feb 2 19:26:13 2017 -0700
apparmor: don't fail on non-apparmor <seclabel>
If the apparmor security driver is loaded/enabled and domain config
contains a <seclabel> element whose type attribute is not 'apparmor',
starting the domain fails when attempting to label resources such
as tap FDs.
Many of the apparmor driver entry points attempt to retrieve the
apparmor security label from the domain def, returning failure if
not found. Functions such as AppArmorSetFDLabel fail even though
domain config contains an explicit 'none' secuirty driver, e.g.
<seclabel type='none' model='none'/>
Change the entry points to succeed if the domain config <seclabel>
is not apparmor. This matches the behavior of the selinux driver.
Index: libvirt-3.0.0/src/security/security_apparmor.c
===================================================================
--- libvirt-3.0.0.orig/src/security/security_apparmor.c
+++ libvirt-3.0.0/src/security/security_apparmor.c
@@ -289,10 +289,7 @@ reload_profile(virSecurityManagerPtr mgr
virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(
def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return rc;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
return 0;
if ((profile_name = get_profile_name(def)) == NULL)
@@ -435,7 +432,7 @@ AppArmorGenSecurityLabel(virSecurityMana
SECURITY_APPARMOR_NAME);
if (!secdef)
- return -1;
+ return 0;
if ((secdef->type == VIR_DOMAIN_SECLABEL_STATIC) ||
(secdef->type == VIR_DOMAIN_SECLABEL_NONE))
@@ -495,10 +492,7 @@ AppArmorSetSecurityAllLabel(virSecurityM
{
virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def,
SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
return 0;
/* Reload the profile if stdin_path is specified. Note that
@@ -559,12 +553,11 @@ AppArmorReleaseSecurityLabel(virSecurity
{
virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def,
SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- VIR_FREE(secdef->model);
- VIR_FREE(secdef->label);
- VIR_FREE(secdef->imagelabel);
+ if (secdef) {
+ VIR_FREE(secdef->model);
+ VIR_FREE(secdef->label);
+ VIR_FREE(secdef->imagelabel);
+ }
return 0;
}
@@ -580,7 +573,7 @@ AppArmorRestoreSecurityAllLabel(virSecur
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
if (!secdef)
- return -1;
+ return 0;
if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
if ((rc = remove_profile(secdef->label)) != 0) {
@@ -604,10 +597,7 @@ AppArmorSetSecurityProcessLabel(virSecur
virSecurityLabelDefPtr secdef =
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (secdef->label == NULL)
+ if (!secdef || !secdef->label)
return 0;
if ((profile_name = get_profile_name(def)) == NULL)
@@ -653,10 +643,7 @@ AppArmorSetSecurityChildProcessLabel(vir
virSecurityLabelDefPtr secdef =
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- goto cleanup;
-
- if (secdef->label == NULL)
+ if (!secdef || !secdef->label)
return 0;
if (STRNEQ(SECURITY_APPARMOR_NAME, secdef->model)) {
@@ -738,10 +725,8 @@ AppArmorSetSecurityImageLabel(virSecurit
if (!src->path || !virStorageSourceIsLocalStorage(src))
return 0;
- if (!(secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME)))
- return -1;
-
- if (!secdef->relabel)
+ secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
+ if (!secdef || !secdef->relabel)
return 0;
if (secdef->imagelabel) {
@@ -792,7 +777,7 @@ AppArmorSecurityVerify(virSecurityManage
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
if (!secdef)
- return -1;
+ return 0;
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) {
if (use_apparmor() < 0 || profile_status(secdef->label, 0) < 0) {
@@ -829,10 +814,7 @@ AppArmorSetSecurityHostdevLabel(virSecur
virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
virDomainHostdevSubsysSCSIVHostPtr hostsrc = &dev->source.subsys.u.scsi_host;
- if (!secdef)
- return -1;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
return 0;
if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
@@ -940,10 +922,7 @@ AppArmorRestoreSecurityHostdevLabel(virS
virSecurityLabelDefPtr secdef =
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
return 0;
return reload_profile(mgr, def, NULL, false);
@@ -978,10 +957,7 @@ AppArmorSetFDLabel(virSecurityManagerPtr
virSecurityLabelDefPtr secdef =
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (secdef->imagelabel == NULL)
+ if (!secdef || !secdef->imagelabel)
return 0;
if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1)