f167ba3466
- apparmor: don't fail on non-apparmor <seclabel> apparmor-errormsg-fix.patch, apparmor-alt-seclabel.patch bsc#1023436 - libxl: fix reporting of domain maximum memory ff225538-libxl-autoballoon-setting.patch, c89a6e78-libxl-physinfo-cleanup.patch, d2b77608-libxl-maxmem-fix.patch, 79692c38-libxl-dom0-maxmem.patch bsc#1017762 - libxl: set disk format to raw if not specified and fix disk detach 321a28c6-libxl-default-disk-format.patch, bd116810-libxl-fix-disk-detach.patch bsc#1003379 - libxl: fix timer configurations 6e4759d0-libxl-timer-fix.patch, 87df87e0-libxl-timer-tsc-emulate.patch, b4386fda-xenconfig-timer-fix.patch, d3970925-timer-tests.patch bsc#1019969 OBS-URL: https://build.opensuse.org/request/show/456194 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=583
commit 8f6a7866102346691fce84ade9a6d8534aaffcdc
Author: Jim Fehlig <jfehlig@suse.com>
Date: Thu Feb 2 19:26:13 2017 -0700
apparmor: don't fail on non-apparmor <seclabel>
If the apparmor security driver is loaded/enabled and domain config
contains a <seclabel> element whose type attribute is not 'apparmor',
starting the domain fails when attempting to label resources such
as tap FDs.
Many of the apparmor driver entry points attempt to retrieve the
apparmor security label from the domain def, returning failure if
not found. Functions such as AppArmorSetFDLabel fail even though
domain config contains an explicit 'none' security driver, e.g.
<seclabel type='none' model='none'/>
Change the entry points to succeed if the domain config <seclabel>
is not apparmor. This matches the behavior of the selinux driver.
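Index: libvirt-3.0.0/src/security/security_apparmor.c
===================================================================
--- libvirt-3.0.0.orig/src/security/security_apparmor.c
+++ libvirt-3.0.0/src/security/security_apparmor.c
@@ -289,10 +289,7 @@ reload_profile(virSecurityManagerPtr mgr
     virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(
         def, SECURITY_APPARMOR_NAME);
 
-    if (!secdef)
-        return rc;
-
-    if (!secdef->relabel)
+    if (!secdef || !secdef->relabel)
         return 0;
 
     if ((profile_name = get_profile_name(def)) == NULL)
@@ -435,7 +432,7 @@ AppArmorGenSecurityLabel(virSecurityMana
                                                   SECURITY_APPARMOR_NAME);
 
     if (!secdef)
-        return -1;
+        return 0;
 
     if ((secdef->type == VIR_DOMAIN_SECLABEL_STATIC) ||
         (secdef->type == VIR_DOMAIN_SECLABEL_NONE))
@@ -495,10 +492,7 @@ AppArmorSetSecurityAllLabel(virSecurityM
 {
     virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def,
                                                   SECURITY_APPARMOR_NAME);
-    if (!secdef)
-        return -1;
-
-    if (!secdef->relabel)
+    if (!secdef || !secdef->relabel)
         return 0;
 
     /* Reload the profile if stdin_path is specified. Note that
@@ -559,12 +553,11 @@ AppArmorReleaseSecurityLabel(virSecurity
 {
     virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def,
                                                   SECURITY_APPARMOR_NAME);
-    if (!secdef)
-        return -1;
-
-    VIR_FREE(secdef->model);
-    VIR_FREE(secdef->label);
-    VIR_FREE(secdef->imagelabel);
+    if (secdef) {
+        VIR_FREE(secdef->model);
+        VIR_FREE(secdef->label);
+        VIR_FREE(secdef->imagelabel);
+    }
 
     return 0;
 }
@@ -580,7 +573,7 @@ AppArmorRestoreSecurityAllLabel(virSecur
         virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
 
     if (!secdef)
-        return -1;
+        return 0;
 
     if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
         if ((rc = remove_profile(secdef->label)) != 0) {
@@ -604,10 +597,7 @@ AppArmorSetSecurityProcessLabel(virSecur
     virSecurityLabelDefPtr secdef =
         virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
 
-    if (!secdef)
-        return -1;
-
-    if (secdef->label == NULL)
+    if (!secdef || !secdef->label)
         return 0;
 
     if ((profile_name = get_profile_name(def)) == NULL)
@@ -653,10 +643,7 @@ AppArmorSetSecurityChildProcessLabel(vir
     virSecurityLabelDefPtr secdef =
         virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
 
-    if (!secdef)
-        goto cleanup;
-
-    if (secdef->label == NULL)
+    if (!secdef || !secdef->label)
         return 0;
 
     if (STRNEQ(SECURITY_APPARMOR_NAME, secdef->model)) {
@@ -738,10 +725,8 @@ AppArmorSetSecurityImageLabel(virSecurit
     if (!src->path || !virStorageSourceIsLocalStorage(src))
         return 0;
 
-    if (!(secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME)))
-        return -1;
-
-    if (!secdef->relabel)
+    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
+    if (!secdef || !secdef->relabel)
         return 0;
 
     if (secdef->imagelabel) {
@@ -792,7 +777,7 @@ AppArmorSecurityVerify(virSecurityManage
         virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
 
     if (!secdef)
-        return -1;
+        return 0;
 
     if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) {
         if (use_apparmor() < 0 || profile_status(secdef->label, 0) < 0) {
@@ -829,10 +814,7 @@ AppArmorSetSecurityHostdevLabel(virSecur
     virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
     virDomainHostdevSubsysSCSIVHostPtr hostsrc = &dev->source.subsys.u.scsi_host;
 
-    if (!secdef)
-        return -1;
-
-    if (!secdef->relabel)
+    if (!secdef || !secdef->relabel)
         return 0;
 
     if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
@@ -940,10 +922,7 @@ AppArmorRestoreSecurityHostdevLabel(virS
     virSecurityLabelDefPtr secdef =
         virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
 
-    if (!secdef)
-        return -1;
-
-    if (!secdef->relabel)
+    if (!secdef || !secdef->relabel)
         return 0;
 
     return reload_profile(mgr, def, NULL, false);
@@ -978,10 +957,7 @@ AppArmorSetFDLabel(virSecurityManagerPtr
     virSecurityLabelDefPtr secdef =
         virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
 
-    if (!secdef)
-        return -1;
-
-    if (secdef->imagelabel == NULL)
+    if (!secdef || !secdef->imagelabel)
         return 0;
 
     if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1)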
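Review bot: In the AppArmorSetSecurityProcessLabel hunk the new guard returns 0 before get_profile_name is ever reached, so a guest whose config carries a non-apparmor <seclabel> (including type='none') now starts with its process unconfined and nothing in the log records that; a debug line before the return, `VIR_DEBUG("No apparmor seclabel for domain %s, leaving process unconfined", def->name);`, would make the unconfined start visible to whoever reads the log later. Nothing in these hunks stops a config from downgrading confinement that way on purpose — presumably the security manager's requireConfined policy is what rejects type='none' when confinement is mandatory, but that lives outside this file and is worth confirming before this driver relies on it. The same `!secdef || !secdef->field` guard is now duplicated in every entry point; a one-line comment on the first of them, `/* No apparmor seclabel: this domain uses another model, which is not an error. */`, would explain the deliberate 0 to the next reader, and a small static helper returning the apparmor secdef-or-NULL would remove the repetition. All of the affected function bodies begin or continue outside their hunks.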