security: apparmor: Use translated disk definitions for disk type=volume

The 'virt-aa-helper' process gets a XML of the VM it needs to create a profile for. For a disk type='volume' this XML contained only the pool and volume name. The 'virt-aa-helper' needs a local path though for anything it needs to label. This means that we'd either need to invoke connection to the storage driver and re-resolve the volume. Alternative which makes more sense is to pass the proper data in the XML already passed to it via the new XML formatter and parser flags. This was indirectly reported upstream in https://gitlab.com/libvirt/libvirt/-/issues/546 The configuration in the issue above was created by Cockpit on Debian. Since Cockpit is getting more popular it's more likely that users will be impacted by this problem. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2024-07-01 23:52:37 +00:00 · 2023-10-12 16:03:41 +02:00 · 2023-10-12 16:03:41 +02:00 · be96fd77a9
commit be96fd77a9
parent 433f0d2b9a
2 changed files with 8 additions and 3 deletions
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@ -159,13 +159,17 @@ load_profile(virSecurityManager *mgr G_GNUC_UNUSED,
             bool append)
 {
    bool create = true;
+    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    g_autofree char *xml = NULL;
    g_autoptr(virCommand) cmd = NULL;

-    xml = virDomainDefFormat(def, NULL, VIR_DOMAIN_DEF_FORMAT_SECURE);
-    if (!xml)
+    if (virDomainDefFormatInternal(def, NULL, &buf,
+                                   VIR_DOMAIN_DEF_FORMAT_SECURE |
+                                   VIR_DOMAIN_DEF_FORMAT_VOLUME_TRANSLATED) < 0)
        return -1;

+    xml = virBufferContentAndReset(&buf);
+
    if (profile_status_file(profile) >= 0)
        create = false;

--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@ -654,7 +654,8 @@ get_definition(vahControl * ctl, const char *xmlStr)
    ctl->def = virDomainDefParseString(xmlStr,
                                       ctl->xmlopt, NULL,
                                       VIR_DOMAIN_DEF_PARSE_SKIP_SECLABEL |
-                                       VIR_DOMAIN_DEF_PARSE_SKIP_VALIDATE);
+                                       VIR_DOMAIN_DEF_PARSE_SKIP_VALIDATE |
+                                       VIR_DOMAIN_DEF_PARSE_VOLUME_TRANSLATED);

    if (ctl->def == NULL) {
        vah_error(ctl, 0, _("could not parse XML"));