SHA256
1
0
forked from pool/libvirt
libvirt/0001-apparmor-Check-libvirtd-profile-status-by-name.patch
James Fehlig c50e323c11 Accepting request 682276 from home:jfehlig:branches:Virtualization
- apparmor: fix more fallout from changing libvirtd profile to a
  named profile
  4ec3cf9a-apparmor-rules.patch,
  0001-apparmor-Check-libvirtd-profile-status-by-name.patch
  boo#1125841

OBS-URL: https://build.opensuse.org/request/show/682276
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=735
2019-03-06 20:25:56 +00:00

47 lines
1.7 KiB
Diff

From b1a50c10c95747dacd31a23b5c73ec4f938af329 Mon Sep 17 00:00:00 2001
From: Jim Fehlig <jfehlig@suse.com>
Date: Fri, 1 Mar 2019 14:34:17 -0700
Subject: [PATCH 1/2] apparmor: Check libvirtd profile status by name
Commit a3ab6d42 changed the libvirtd profile to a named profile,
breaking the apparmor driver's ability to detect if the profile is
active. When the apparmor driver loads it checks the status of the
libvirtd profile using the full binary path, which fails since the
profile is now referenced by name. If the apparmor driver is
explicitly requested in /etc/libvirt/qemu.conf, then libvirtd fails
to load too.
Instead of only checking the profile status by full binary path,
also check by profile name. The full path check is retained in case
users have a customized libvirtd profile with full path.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
src/security/security_apparmor.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
Index: libvirt-5.1.0/src/security/security_apparmor.c
===================================================================
--- libvirt-5.1.0.orig/src/security/security_apparmor.c
+++ libvirt-5.1.0/src/security/security_apparmor.c
@@ -257,10 +257,16 @@ use_apparmor(void)
if (access(APPARMOR_PROFILES_PATH, R_OK) != 0)
goto cleanup;
+ /* First check profile status using full binary path. If that fails
+ * check using profile name.
+ */
rc = profile_status(libvirt_daemon, 1);
- /* Error or unconfined should all result in -1*/
- if (rc < 0)
- rc = -1;
+ if (rc < 0) {
+ rc = profile_status("libvirtd", 1);
+ /* Error or unconfined should all result in -1*/
+ if (rc < 0)
+ rc = -1;
+ }
cleanup:
VIR_FREE(libvirt_daemon);