External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-07 17:28:15 +00:00
Code

apparmor: differentiate between error and unconfined profiles

Browse Source 
profile_status function was not making any difference between error
cases and unconfined profiles. The problem with this approach is that
dominfo was throwing an error on unconfined domains.
This commit is contained in:
Cédric Bosdonnat 2015-10-06 11:12:29 +02:00
parent 51a4178f24
commit a1bdf04b27
1 changed files with 21 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
src/security/security_apparmor.c
View File

@ -66,10 +66,11 @@ struct SDPDOP {
}; };
/* /*
* profile_status returns '-1' on error, '0' if loaded * profile_status returns '-2' on error, '-1' if not loaded, '0' if loaded
* *
* If check_enforcing is set to '1', then returns '-1' on error, '0' if * If check_enforcing is set to '1', then returns '-2' on error, '-1' if
* loaded in complain mode, and '1' if loaded in enforcing mode. * not loaded, '0' if loaded in complain mode, and '1' if loaded in
* enforcing mode.
*/ */
static int static int
profile_status(const char *str, const int check_enforcing) profile_status(const char *str, const int check_enforcing)
@ -77,7 +78,7 @@ profile_status(const char *str, const int check_enforcing)
char *content = NULL; char *content = NULL;
char *tmp = NULL; char *tmp = NULL;
char *etmp = NULL; char *etmp = NULL;
int rc = -1; int rc = -2;
/* create string that is '<str> \0' for accurate matching */ /* create string that is '<str> \0' for accurate matching */
if (virAsprintf(&tmp, "%s ", str) == -1) if (virAsprintf(&tmp, "%s ", str) == -1)
@ -100,6 +101,8 @@ profile_status(const char *str, const int check_enforcing)
if (strstr(content, tmp) != NULL) if (strstr(content, tmp) != NULL)
rc = 0; rc = 0;
else
rc = -1; /* return -1 if not loaded */
if (check_enforcing != 0) { if (check_enforcing != 0) {
if (rc == 0 && strstr(content, etmp) != NULL) if (rc == 0 && strstr(content, etmp) != NULL)
rc = 1; /* return '1' if loaded and enforcing */ rc = 1; /* return '1' if loaded and enforcing */
@ -262,6 +265,9 @@ use_apparmor(void)
goto cleanup; goto cleanup;
rc = profile_status(libvirt_daemon, 1); rc = profile_status(libvirt_daemon, 1);
/* Error or unconfined should all result in -1*/
if (rc < 0)
rc = -1;
cleanup: cleanup:
VIR_FREE(libvirt_daemon); VIR_FREE(libvirt_daemon);
@ -517,11 +523,21 @@ AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virSecurityLabelPtr sec) virSecurityLabelPtr sec)
{ {
int rc = -1; int rc = -1;
int status;
char *profile_name = NULL; char *profile_name = NULL;
if ((profile_name = get_profile_name(def)) == NULL) if ((profile_name = get_profile_name(def)) == NULL)
return rc; return rc;
status = profile_status(profile_name, 1);
if (status < -1) {
virReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("error getting profile status"));
goto cleanup;
} else if (status == -1) {
profile_name[0] = '\0';
}
if (virStrcpy(sec->label, profile_name, if (virStrcpy(sec->label, profile_name,
VIR_SECURITY_LABEL_BUFLEN) == NULL) { VIR_SECURITY_LABEL_BUFLEN) == NULL) {
virReportError(VIR_ERR_INTERNAL_ERROR, virReportError(VIR_ERR_INTERNAL_ERROR,
@ -529,11 +545,7 @@ AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
goto cleanup; goto cleanup;
} }
if ((sec->enforcing = profile_status(profile_name, 1)) < 0) { sec->enforcing = status == 1;
virReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("error calling profile_status()"));
goto cleanup;
}
rc = 0; rc = 0;
cleanup: cleanup: