Fix AppArmor save/restore.Add stdin_path to qemudStartVMDaemon() args.

Refactor to update AppArmor security driver to adjust profile for save/restore. This addresses the following bugs: https://bugzilla.redhat.com/show_bug.cgi?id=529363 https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/457716
2025-03-07 17:28:15 +00:00 · 2010-06-04 12:20:29 -04:00 · 2010-06-04 12:20:29 -04:00 · 97b68a4943
commit 97b68a4943
parent 2b57478ef0
1 changed files with 58 additions and 32 deletions
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@ -149,7 +149,7 @@ profile_status_file(const char *str)
 */
 static int
 load_profile(const char *profile, virDomainObjPtr vm,
-             virDomainDiskDefPtr disk)
+             const char *fn)
 {
    int rc = -1, status, ret;
    bool create = true;
@ -175,9 +175,9 @@ load_profile(const char *profile, virDomainObjPtr vm,
        };
        ret = virExec(argv, NULL, NULL, &child,
                      pipefd[0], NULL, NULL, VIR_EXEC_NONE);
-    } else if (disk && disk->src) {
+    } else if (fn) {
        const char *const argv[] = {
-            VIRT_AA_HELPER, "-r", "-u", profile, "-f", disk->src, NULL
+            VIRT_AA_HELPER, "-r", "-u", profile, "-f", fn, NULL
        };
        ret = virExec(argv, NULL, NULL, &child,
                      pipefd[0], NULL, NULL, VIR_EXEC_NONE);
@ -277,6 +277,40 @@ cleanup:
    return rc;
 }

+/* reload the profile, adding read/write file specified by fn if it is not
+ * NULL.
+ */
+static int
+reload_profile(virDomainObjPtr vm, const char *fn)
+{
+    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    int rc = -1;
+    char *profile_name = NULL;
+
+    if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
+        return 0;
+
+    if ((profile_name = get_profile_name(vm)) == NULL)
+        return rc;
+
+    /* Update the profile only if it is loaded */
+    if (profile_loaded(secdef->imagelabel) >= 0) {
+        if (load_profile(secdef->imagelabel, vm, fn) < 0) {
+            virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+                                   _("cannot update AppArmor profile "
+                                     "\'%s\'"),
+                                   secdef->imagelabel);
+            goto clean;
+        }
+    }
+
+    rc = 0;
+  clean:
+    VIR_FREE(profile_name);
+
+    return rc;
+}
+
 /* Called on libvirtd startup to see if AppArmor is available */
 static int
 AppArmorSecurityDriverProbe(void)
@ -377,14 +411,14 @@ AppArmorGenSecurityLabel(virDomainObjPtr vm)
 }

 static int
-AppArmorSetSecurityAllLabel(virDomainObjPtr vm)
+AppArmorSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path)
 {
    if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
        return 0;

    /* if the profile is not already loaded, then load one */
    if (profile_loaded(vm->def->seclabel.label) < 0) {
-        if (load_profile(vm->def->seclabel.label, vm, NULL) < 0) {
+        if (load_profile(vm->def->seclabel.label, vm, stdin_path) < 0) {
            virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                   _("cannot generate AppArmor profile "
                                   "\'%s\'"), vm->def->seclabel.label);
@ -502,32 +536,7 @@ static int
 AppArmorRestoreSecurityImageLabel(virDomainObjPtr vm,
                                  virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
-    int rc = -1;
-    char *profile_name = NULL;
-
-    if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
-        return 0;
-
-    if ((profile_name = get_profile_name(vm)) == NULL)
-        return rc;
-
-    /* Update the profile only if it is loaded */
-    if (profile_loaded(secdef->imagelabel) >= 0) {
-        if (load_profile(secdef->imagelabel, vm, NULL) < 0) {
-            virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
-                                   _("cannot update AppArmor profile "
-                                     "\'%s\'"),
-                                   secdef->imagelabel);
-            goto clean;
-        }
-    }
-
-    rc = 0;
-  clean:
-    VIR_FREE(profile_name);
-
-    return rc;
+    return reload_profile(vm, NULL);
 }

 /* Called when hotplugging */
@ -557,7 +566,7 @@ AppArmorSetSecurityImageLabel(virDomainObjPtr vm, virDomainDiskDefPtr disk)

        /* update the profile only if it is loaded */
        if (profile_loaded(secdef->imagelabel) >= 0) {
-            if (load_profile(secdef->imagelabel, vm, disk) < 0) {
+            if (load_profile(secdef->imagelabel, vm, disk->src) < 0) {
                virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                     _("cannot update AppArmor profile "
                                     "\'%s\'"),
@ -624,6 +633,21 @@ AppArmorRestoreSecurityHostdevLabel(virDomainObjPtr vm,
    return 0;
 }

+static int
+AppArmorSetSavedStateLabel(virDomainObjPtr vm,
+                          const char *savefile)
+{
+    return reload_profile(vm, savefile);
+}
+
+
+static int
+AppArmorRestoreSavedStateLabel(virDomainObjPtr vm,
+                               const char *savefile ATTRIBUTE_UNUSED)
+{
+    return reload_profile(vm, NULL);
+}
+
 virSecurityDriver virAppArmorSecurityDriver = {
    .name = SECURITY_APPARMOR_NAME,
    .probe = AppArmorSecurityDriverProbe,
@ -640,4 +664,6 @@ virSecurityDriver virAppArmorSecurityDriver = {
    .domainSetSecurityAllLabel = AppArmorSetSecurityAllLabel,
    .domainSetSecurityHostdevLabel = AppArmorSetSecurityHostdevLabel,
    .domainRestoreSecurityHostdevLabel = AppArmorRestoreSecurityHostdevLabel,
+    .domainSetSavedStateLabel = AppArmorSetSavedStateLabel,
+    .domainRestoreSavedStateLabel = AppArmorRestoreSavedStateLabel,
 };