c50e323c11
- apparmor: fix more fallout from changing libvirtd profile to a named profile 4ec3cf9a-apparmor-rules.patch, 0001-apparmor-Check-libvirtd-profile-status-by-name.patch boo#1125841 OBS-URL: https://build.opensuse.org/request/show/682276 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=735
From b1a50c10c95747dacd31a23b5c73ec4f938af329 Mon Sep 17 00:00:00 2001
From: Jim Fehlig <jfehlig@suse.com>
Date: Fri, 1 Mar 2019 14:34:17 -0700
Subject: [PATCH 1/2] apparmor: Check libvirtd profile status by name
Commit a3ab6d42 changed the libvirtd profile to a named profile,
breaking the apparmor driver's ability to detect if the profile is
active. When the apparmor driver loads it checks the status of the
libvirtd profile using the full binary path, which fails since the
profile is now referenced by name. If the apparmor driver is
explicitly requested in /etc/libvirt/qemu.conf, then libvirtd fails
to load too.
Instead of only checking the profile status by full binary path,
also check by profile name. The full path check is retained in case
users have a customized libvirtd profile with full path.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
src/security/security_apparmor.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
Index: libvirt-5.1.0/src/security/security_apparmor.c
===================================================================
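--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -257,10 +257,16 @@ use_apparmor(void)
 if (access(APPARMOR_PROFILES_PATH, R_OK) != 0)
 goto cleanup;
 
+ /* First check profile status using full binary path. If that fails
+ * check using profile name.
+ */
 rc = profile_status(libvirt_daemon, 1);
- /* Error or unconfined should all result in -1*/
- if (rc < 0)
- rc = -1;
+ if (rc < 0) {
+ rc = profile_status("libvirtd", 1);
+ /* Error or unconfined should all result in -1*/
+ if (rc < 0)
+ rc = -1;
+ }
 
 cleanup:
 VIR_FREE(libvirt_daemon);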
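Review bot: The fallback `profile_status("libvirtd", 1)` decides whether the daemon counts as confined from a bare, hard-coded profile name, and it runs on every negative result of the path check, so a read error and "profile not loaded" are treated alike. profile_status is defined outside this hunk; if it matches by substring against the loaded-profile list, the short name could also match an unrelated entry that merely ends in `libvirtd`, so it is worth confirming that the match covers a whole profile name. I would move the literal into a constant defined wherever APPARMOR_PROFILES_PATH is, e.g. `#define LIBVIRTD_PROFILE_NAME "libvirtd"`, and have the comment spell out what "fails" means: `/* Negative rc means error or not loaded; retry by name because the shipped profile is now a named profile. */`. use_apparmor starts before the hunk and continues after it.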