security: AppArmor: Implement per-image seclabel set

Refactor the code and reuse it to implement the functionality.
2025-02-22 19:32:19 +00:00 · 2014-06-24 17:04:21 +02:00 · 2014-06-24 17:04:21 +02:00 · cd7b63e663
commit cd7b63e663
parent 15cad6577f
1 changed files with 22 additions and 15 deletions
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@ -704,41 +704,39 @@ AppArmorRestoreSecurityDiskLabel(virSecurityManagerPtr mgr,

 /* Called when hotplugging */
 static int
-AppArmorSetSecurityDiskLabel(virSecurityManagerPtr mgr,
-                             virDomainDefPtr def, virDomainDiskDefPtr disk)
+AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
+                              virDomainDefPtr def,
+                              virStorageSourcePtr src)
 {
    int rc = -1;
    char *profile_name = NULL;
-    virSecurityLabelDefPtr secdef =
-        virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
+    virSecurityLabelDefPtr secdef;

-    if (!secdef)
+    if (!src->path || !virStorageSourceIsLocalStorage(src))
+        return 0;
+
+    if (!(secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME)))
        return -1;

    if (secdef->norelabel)
        return 0;

-    if (!virDomainDiskGetSource(disk) ||
-        virDomainDiskGetType(disk) == VIR_STORAGE_TYPE_NETWORK)
-        return 0;
-
    if (secdef->imagelabel) {
        /* if the device doesn't exist, error out */
-        if (!virFileExists(virDomainDiskGetSource(disk))) {
+        if (!virFileExists(src->path)) {
            virReportError(VIR_ERR_INTERNAL_ERROR,
                           _("\'%s\' does not exist"),
-                           virDomainDiskGetSource(disk));
-            return rc;
+                           src->path);
+            return -1;
        }

        if ((profile_name = get_profile_name(def)) == NULL)
-            return rc;
+            return -1;

        /* update the profile only if it is loaded */
        if (profile_loaded(secdef->imagelabel) >= 0) {
            if (load_profile(mgr, secdef->imagelabel, def,
-                             virDomainDiskGetSource(disk),
-                             false) < 0) {
+                             src->path, false) < 0) {
                virReportError(VIR_ERR_INTERNAL_ERROR,
                               _("cannot update AppArmor profile "
                                 "\'%s\'"),
@ -755,6 +753,14 @@ AppArmorSetSecurityDiskLabel(virSecurityManagerPtr mgr,
    return rc;
 }

+static int
+AppArmorSetSecurityDiskLabel(virSecurityManagerPtr mgr,
+                             virDomainDefPtr def,
+                             virDomainDiskDefPtr disk)
+{
+    return AppArmorSetSecurityImageLabel(mgr, def, disk->src);
+}
+
 static int
 AppArmorSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                       virDomainDefPtr def)
@ -983,6 +989,7 @@ virSecurityDriver virAppArmorSecurityDriver = {
    .domainSetSecurityDiskLabel         = AppArmorSetSecurityDiskLabel,
    .domainRestoreSecurityDiskLabel     = AppArmorRestoreSecurityDiskLabel,

+    .domainSetSecurityImageLabel        = AppArmorSetSecurityImageLabel,
    .domainRestoreSecurityImageLabel    = AppArmorRestoreSecurityImageLabel,

    .domainSetSecurityDaemonSocketLabel = AppArmorSetSecurityDaemonSocketLabel,