commit 8f6a7866102346691fce84ade9a6d8534aaffcdc
Author: Jim Fehlig
Date: Thu Feb 2 19:26:13 2017 -0700
apparmor: don't fail on non-apparmor
If the apparmor security driver is loaded/enabled and domain config contains a element whose type attribute is not 'apparmor', starting the domain fails when attempting to label resources such as tap FDs. Many of the apparmor driver entry points attempt to retrieve the apparmor security label from the domain def, returning failure if not found. Functions such as AppArmorSetFDLabel fail even though domain config contains an explicit 'none' secuirty driver, e.g. Change the entry points to succeed if the domain config is not apparmor. This matches the behavior of the selinux driver.
Index: libvirt-3.0.0/src/security/security_apparmor.c
===================================================================
--- libvirt-3.0.0.orig/src/security/security_apparmor.c
+++ libvirt-3.0.0/src/security/security_apparmor.c
@@ -289,10 +289,7 @@ reload_profile(virSecurityManagerPtr mgr
virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(
def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return rc;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
return 0;
if ((profile_name = get_profile_name(def)) == NULL)
@@ -435,7 +432,7 @@ AppArmorGenSecurityLabel(virSecurityMana
SECURITY_APPARMOR_NAME);
if (!secdef)
- return -1;
+ return 0;
if ((secdef->type == VIR_DOMAIN_SECLABEL_STATIC) ||
(secdef->type == VIR_DOMAIN_SECLABEL_NONE))
@@ -495,10 +492,7 @@ AppArmorSetSecurityAllLabel(virSecurityM
{
virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
return 0;
/* Reload the profile if stdin_path is specified. Note that 
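Review bot: The `if (!secdef || !secdef->relabel) return 0;` guard in reload_profile now treats a missing apparmor label definition as success, but nothing in the hunk says why that is the intended contract rather than a lost error, and the same unexplained guard is repeated in AppArmorGenSecurityLabel, AppArmorSetSecurityAllLabel and the remaining hunks of this file. A one-line comment at the first occurrence would keep the next reader from "fixing" it back to -1, e.g. `/* No apparmor <seclabel> in the domain config (e.g. type='none'): nothing for this driver to do, matching the selinux driver. */`. This is also the point at which a domain starts with no AppArmor confinement, so a debug-level log line here would let operators tell "no apparmor label requested" apart from "labelling silently skipped" when reviewing a host. reload_profile's body begins and ends outside the hunk.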
@@ -559,12 +553,11 @@ AppArmorReleaseSecurityLabel(virSecurity
{
virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- VIR_FREE(secdef->model);
- VIR_FREE(secdef->label);
- VIR_FREE(secdef->imagelabel);
+ if (secdef) {
+ VIR_FREE(secdef->model);
+ VIR_FREE(secdef->label);
+ VIR_FREE(secdef->imagelabel);
+ }
return 0;
}
@@ -580,7 +573,7 @@ AppArmorRestoreSecurityAllLabel(virSecur
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
if (!secdef)
- return -1;
+ return 0;
if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
if ((rc = remove_profile(secdef->label)) != 0) {
@@ -604,10 +597,7 @@ AppArmorSetSecurityProcessLabel(virSecur
virSecurityLabelDefPtr secdef =
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (secdef->label == NULL)
+ if (!secdef || !secdef->label)
return 0;
if ((profile_name = get_profile_name(def)) == NULL)
@@ -653,10 +643,7 @@ AppArmorSetSecurityChildProcessLabel(vir
virSecurityLabelDefPtr secdef =
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- goto cleanup;
-
- if (secdef->label == NULL)
+ if (!secdef || !secdef->label)
return 0;
if (STRNEQ(SECURITY_APPARMOR_NAME, secdef->model)) {
@@ -738,10 +725,8 @@ AppArmorSetSecurityImageLabel(virSecurit
if (!src->path || !virStorageSourceIsLocalStorage(src))
return 0;
- if (!(secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME)))
- return -1;
-
- if (!secdef->relabel)
+ secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
+ if (!secdef || !secdef->relabel)
return 0;
if (secdef->imagelabel) {
@@ -792,7 +777,7 @@ AppArmorSecurityVerify(virSecurityManage
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
if (!secdef)
- return -1;
+ return 0;
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) {
if (use_apparmor() < 0 || profile_status(secdef->label, 0) < 0) { 
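Review bot: In AppArmorReleaseSecurityLabel the three VIR_FREE calls are now nested under `if (secdef) { ... }`, which makes this the only hunk in the commit that departs from the early-return guard every other entry point uses; writing `if (!secdef) return 0;` in place of the removed `return -1;` would keep the frees at function level and read the same way as AppArmorSetSecurityAllLabel just before it. Behaviour is identical either way, so this is purely a point of style.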
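Review bot: In AppArmorSetSecurityChildProcessLabel the new `if (!secdef || !secdef->label) return 0;` replaces a `goto cleanup` with a direct return, so the `cleanup` label is no longer reached on the missing-secdef path. That is presumably safe, since the pre-existing `secdef->label == NULL` branch already returned directly at the same point, but it only holds if nothing released under `cleanup` has been acquired before this guard; the function's head is outside the hunk, so that is worth confirming. A short comment such as `/* nothing acquired yet, so no cleanup needed */` on the guard would record the reasoning.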
@@ -829,10 +814,7 @@ AppArmorSetSecurityHostdevLabel(virSecur
virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
virDomainHostdevSubsysSCSIVHostPtr hostsrc = &dev->source.subsys.u.scsi_host;
- if (!secdef)
- return -1;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
return 0;
if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
@@ -940,10 +922,7 @@ AppArmorRestoreSecurityHostdevLabel(virS
virSecurityLabelDefPtr secdef =
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
return 0;
return reload_profile(mgr, def, NULL, false);
@@ -978,10 +957,7 @@ AppArmorSetFDLabel(virSecurityManagerPtr
virSecurityLabelDefPtr secdef =
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (secdef->imagelabel == NULL)
+ if (!secdef || !secdef->imagelabel)
return 0;
if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1)