rpm/libvirt
SHA256
1
0
Fork 0
forked from pool/libvirt
Code Pull Requests Activity
f167ba3466
libvirt/apparmor-alt-seclabel.patch

168 lines
5.5 KiB
Diff
Raw Normal View History

Accepting request 456194 from home:jfehlig:branches:Virtualization - apparmor: don't fail on non-apparmor <seclabel> apparmor-errormsg-fix.patch, apparmor-alt-seclabel.patch bsc#1023436 - libxl: fix reporting of domain maximum memory ff225538-libxl-autoballoon-setting.patch, c89a6e78-libxl-physinfo-cleanup.patch, d2b77608-libxl-maxmem-fix.patch, 79692c38-libxl-dom0-maxmem.patch bsc#1017762 - libxl: set disk format to raw if not specified and fix disk detach 321a28c6-libxl-default-disk-format.patch, bd116810-libxl-fix-disk-detach.patch bsc#1003379 - libxl: fix timer configurations 6e4759d0-libxl-timer-fix.patch, 87df87e0-libxl-timer-tsc-emulate.patch, b4386fda-xenconfig-timer-fix.patch, d3970925-timer-tests.patch bsc#1019969 OBS-URL: https://build.opensuse.org/request/show/456194 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=583
2017-02-11 00:01:12 +01:00
commit 8f6a7866102346691fce84ade9a6d8534aaffcdc
Author: Jim Fehlig <jfehlig@suse.com>
Date: Thu Feb 2 19:26:13 2017 -0700
apparmor: don't fail on non-apparmor <seclabel>
If the apparmor security driver is loaded/enabled and domain config
contains a <seclabel> element whose type attribute is not 'apparmor',
starting the domain fails when attempting to label resources such
as tap FDs.
Many of the apparmor driver entry points attempt to retrieve the
apparmor security label from the domain def, returning failure if
not found. Functions such as AppArmorSetFDLabel fail even though
domain config contains an explicit 'none' secuirty driver, e.g.
<seclabel type='none' model='none'/>
Change the entry points to succeed if the domain config <seclabel>
is not apparmor. This matches the behavior of the selinux driver.
Index: libvirt-3.0.0/src/security/security_apparmor.c
===================================================================
--- libvirt-3.0.0.orig/src/security/security_apparmor.c
+++ libvirt-3.0.0/src/security/security_apparmor.c
@@ -289,10 +289,7 @@ reload_profile(virSecurityManagerPtr mgr
virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(
def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return rc;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
return 0;
if ((profile_name = get_profile_name(def)) == NULL)
@@ -435,7 +432,7 @@ AppArmorGenSecurityLabel(virSecurityMana
SECURITY_APPARMOR_NAME);
if (!secdef)
- return -1;
+ return 0;
if ((secdef->type == VIR_DOMAIN_SECLABEL_STATIC) ||
(secdef->type == VIR_DOMAIN_SECLABEL_NONE))
@@ -495,10 +492,7 @@ AppArmorSetSecurityAllLabel(virSecurityM
{
virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def,
SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
return 0;
/* Reload the profile if stdin_path is specified. Note that
@@ -559,12 +553,11 @@ AppArmorReleaseSecurityLabel(virSecurity
{
virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def,
SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- VIR_FREE(secdef->model);
- VIR_FREE(secdef->label);
- VIR_FREE(secdef->imagelabel);
+ if (secdef) {
+ VIR_FREE(secdef->model);
+ VIR_FREE(secdef->label);
+ VIR_FREE(secdef->imagelabel);
+ }
return 0;
}
@@ -580,7 +573,7 @@ AppArmorRestoreSecurityAllLabel(virSecur
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
if (!secdef)
- return -1;
+ return 0;
if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
if ((rc = remove_profile(secdef->label)) != 0) {
@@ -604,10 +597,7 @@ AppArmorSetSecurityProcessLabel(virSecur
virSecurityLabelDefPtr secdef =
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (secdef->label == NULL)
+ if (!secdef || !secdef->label)
return 0;
if ((profile_name = get_profile_name(def)) == NULL)
@@ -653,10 +643,7 @@ AppArmorSetSecurityChildProcessLabel(vir
virSecurityLabelDefPtr secdef =
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- goto cleanup;
-
- if (secdef->label == NULL)
+ if (!secdef || !secdef->label)
return 0;
if (STRNEQ(SECURITY_APPARMOR_NAME, secdef->model)) {
@@ -738,10 +725,8 @@ AppArmorSetSecurityImageLabel(virSecurit
if (!src->path || !virStorageSourceIsLocalStorage(src))
return 0;
- if (!(secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME)))
- return -1;
-
- if (!secdef->relabel)
+ secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
+ if (!secdef || !secdef->relabel)
return 0;
if (secdef->imagelabel) {
@@ -792,7 +777,7 @@ AppArmorSecurityVerify(virSecurityManage
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
if (!secdef)
- return -1;
+ return 0;
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) {
if (use_apparmor() < 0 || profile_status(secdef->label, 0) < 0) {
@@ -829,10 +814,7 @@ AppArmorSetSecurityHostdevLabel(virSecur
virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
virDomainHostdevSubsysSCSIVHostPtr hostsrc = &dev->source.subsys.u.scsi_host;
- if (!secdef)
- return -1;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
return 0;
if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
@@ -940,10 +922,7 @@ AppArmorRestoreSecurityHostdevLabel(virS
virSecurityLabelDefPtr secdef =
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (!secdef->relabel)
+ if (!secdef || !secdef->relabel)
return 0;
return reload_profile(mgr, def, NULL, false);
@@ -978,10 +957,7 @@ AppArmorSetFDLabel(virSecurityManagerPtr
virSecurityLabelDefPtr secdef =
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
- if (!secdef)
- return -1;
-
- if (secdef->imagelabel == NULL)
+ if (!secdef || !secdef->imagelabel)
return 0;
if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1)
Copy Permalink