libvirt/apparmor-alt-seclabel.patch
James Fehlig f167ba3466 Accepting request 456194 from home:jfehlig:branches:Virtualization
- apparmor: don't fail on non-apparmor <seclabel>
  apparmor-errormsg-fix.patch, apparmor-alt-seclabel.patch
  bsc#1023436

- libxl: fix reporting of domain maximum memory
  ff225538-libxl-autoballoon-setting.patch,
  c89a6e78-libxl-physinfo-cleanup.patch,
  d2b77608-libxl-maxmem-fix.patch,
  79692c38-libxl-dom0-maxmem.patch
  bsc#1017762

- libxl: set disk format to raw if not specified and fix disk
  detach
  321a28c6-libxl-default-disk-format.patch,
  bd116810-libxl-fix-disk-detach.patch
  bsc#1003379

- libxl: fix timer configurations
  6e4759d0-libxl-timer-fix.patch,
  87df87e0-libxl-timer-tsc-emulate.patch,
  b4386fda-xenconfig-timer-fix.patch, d3970925-timer-tests.patch
  bsc#1019969

OBS-URL: https://build.opensuse.org/request/show/456194
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=583
2017-02-10 23:01:12 +00:00

168 lines
5.5 KiB
Diff

commit 8f6a7866102346691fce84ade9a6d8534aaffcdc
Author: Jim Fehlig <jfehlig@suse.com>
Date: Thu Feb 2 19:26:13 2017 -0700
apparmor: don't fail on non-apparmor <seclabel>
If the apparmor security driver is loaded/enabled and domain config
contains a <seclabel> element whose type attribute is not 'apparmor',
starting the domain fails when attempting to label resources such
as tap FDs.
Many of the apparmor driver entry points attempt to retrieve the
apparmor security label from the domain def, returning failure if
not found. Functions such as AppArmorSetFDLabel fail even though
domain config contains an explicit 'none' secuirty driver, e.g.
<seclabel type='none' model='none'/>
Change the entry points to succeed if the domain config <seclabel>
is not apparmor. This matches the behavior of the selinux driver.
Index: libvirt-3.0.0/src/security/security_apparmor.c
===================================================================
--- libvirt-3.0.0.orig/src/security/security_apparmor.c
+++ libvirt-3.0.0/src/security/security_apparmor.c
@@ -289,10 +289,7 @@ reload_profile(virSecurityManagerPtr mgr
virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(
def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return rc;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
return 0;
if ((profile_name = get_profile_name(def)) == NULL)
@@ -435,7 +432,7 @@ AppArmorGenSecurityLabel(virSecurityMana
SECURITY_APPARMOR_NAME);
if (!secdef)
- return -1;
+ return 0;
if ((secdef->type == VIR_DOMAIN_SECLABEL_STATIC) ||
(secdef->type == VIR_DOMAIN_SECLABEL_NONE))
@@ -495,10 +492,7 @@ AppArmorSetSecurityAllLabel(virSecurityM
{
virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def,
SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
return 0;
/* Reload the profile if stdin_path is specified. Note that
@@ -559,12 +553,11 @@ AppArmorReleaseSecurityLabel(virSecurity
{
virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def,
SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- VIR_FREE(secdef->model);
- VIR_FREE(secdef->label);
- VIR_FREE(secdef->imagelabel);
+ if (secdef) {
+ VIR_FREE(secdef->model);
+ VIR_FREE(secdef->label);
+ VIR_FREE(secdef->imagelabel);
+ }
return 0;
}
@@ -580,7 +573,7 @@ AppArmorRestoreSecurityAllLabel(virSecur
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
if (!secdef)
- return -1;
+ return 0;
if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
if ((rc = remove_profile(secdef->label)) != 0) {
@@ -604,10 +597,7 @@ AppArmorSetSecurityProcessLabel(virSecur
virSecurityLabelDefPtr secdef =
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (secdef->label == NULL)
+ if (!secdef || !secdef->label)
return 0;
if ((profile_name = get_profile_name(def)) == NULL)
@@ -653,10 +643,7 @@ AppArmorSetSecurityChildProcessLabel(vir
virSecurityLabelDefPtr secdef =
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- goto cleanup;
-
- if (secdef->label == NULL)
+ if (!secdef || !secdef->label)
return 0;
if (STRNEQ(SECURITY_APPARMOR_NAME, secdef->model)) {
@@ -738,10 +725,8 @@ AppArmorSetSecurityImageLabel(virSecurit
if (!src->path || !virStorageSourceIsLocalStorage(src))
return 0;
- if (!(secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME)))
- return -1;
-
- if (!secdef->relabel)
+ secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
+ if (!secdef || !secdef->relabel)
return 0;
if (secdef->imagelabel) {
@@ -792,7 +777,7 @@ AppArmorSecurityVerify(virSecurityManage
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
if (!secdef)
- return -1;
+ return 0;
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) {
if (use_apparmor() < 0 || profile_status(secdef->label, 0) < 0) {
@@ -829,10 +814,7 @@ AppArmorSetSecurityHostdevLabel(virSecur
virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
virDomainHostdevSubsysSCSIVHostPtr hostsrc = &dev->source.subsys.u.scsi_host;
- if (!secdef)
- return -1;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
return 0;
if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
@@ -940,10 +922,7 @@ AppArmorRestoreSecurityHostdevLabel(virS
virSecurityLabelDefPtr secdef =
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
return 0;
return reload_profile(mgr, def, NULL, false);
@@ -978,10 +957,7 @@ AppArmorSetFDLabel(virSecurityManagerPtr
virSecurityLabelDefPtr secdef =
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (secdef->imagelabel == NULL)
+ if (!secdef || !secdef->imagelabel)
return 0;
if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1)