security: AppArmor: Implement per-image seclabel set

Refactor the code and reuse it to implement the functionality.
Peter Krempa 2014-06-24 17:04:21 +02:00
parent 15cad6577f
commit cd7b63e663


@ -704,41 +704,39 @@ AppArmorRestoreSecurityDiskLabel(virSecurityManagerPtr mgr,
/* Called when hotplugging */ /* Called when hotplugging */
static int static int
AppArmorSetSecurityDiskLabel(virSecurityManagerPtr mgr, AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def, virDomainDiskDefPtr disk) virDomainDefPtr def,
virStorageSourcePtr src)
{ {
int rc = -1; int rc = -1;
char *profile_name = NULL; char *profile_name = NULL;
virSecurityLabelDefPtr secdef = virSecurityLabelDefPtr secdef;
virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
if (!secdef) if (!src->path || !virStorageSourceIsLocalStorage(src))
return 0;
if (!(secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME)))
return -1; return -1;
if (secdef->norelabel) if (secdef->norelabel)
return 0; return 0;
if (!virDomainDiskGetSource(disk) ||
virDomainDiskGetType(disk) == VIR_STORAGE_TYPE_NETWORK)
return 0;
if (secdef->imagelabel) { if (secdef->imagelabel) {
/* if the device doesn't exist, error out */ /* if the device doesn't exist, error out */
if (!virFileExists(virDomainDiskGetSource(disk))) { if (!virFileExists(src->path)) {
virReportError(VIR_ERR_INTERNAL_ERROR, virReportError(VIR_ERR_INTERNAL_ERROR,
_("\'%s\' does not exist"), _("\'%s\' does not exist"),
virDomainDiskGetSource(disk)); src->path);
return rc; return -1;
} }
if ((profile_name = get_profile_name(def)) == NULL) if ((profile_name = get_profile_name(def)) == NULL)
return rc; return -1;
/* update the profile only if it is loaded */ /* update the profile only if it is loaded */
if (profile_loaded(secdef->imagelabel) >= 0) { if (profile_loaded(secdef->imagelabel) >= 0) {
if (load_profile(mgr, secdef->imagelabel, def, if (load_profile(mgr, secdef->imagelabel, def,
virDomainDiskGetSource(disk), src->path, false) < 0) {
false) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR, virReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile " _("cannot update AppArmor profile "
"\'%s\'"), "\'%s\'"),
@ -755,6 +753,14 @@ AppArmorSetSecurityDiskLabel(virSecurityManagerPtr mgr,
return rc; return rc;
} }
static int
AppArmorSetSecurityDiskLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainDiskDefPtr disk)
{
return AppArmorSetSecurityImageLabel(mgr, def, disk->src);
}
static int static int
AppArmorSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, AppArmorSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr def) virDomainDefPtr def)
@ -983,6 +989,7 @@ virSecurityDriver virAppArmorSecurityDriver = {
.domainSetSecurityDiskLabel = AppArmorSetSecurityDiskLabel, .domainSetSecurityDiskLabel = AppArmorSetSecurityDiskLabel,
.domainRestoreSecurityDiskLabel = AppArmorRestoreSecurityDiskLabel, .domainRestoreSecurityDiskLabel = AppArmorRestoreSecurityDiskLabel,
.domainSetSecurityImageLabel = AppArmorSetSecurityImageLabel,
.domainRestoreSecurityImageLabel = AppArmorRestoreSecurityImageLabel, .domainRestoreSecurityImageLabel = AppArmorRestoreSecurityImageLabel,
.domainSetSecurityDaemonSocketLabel = AppArmorSetSecurityDaemonSocketLabel, .domainSetSecurityDaemonSocketLabel = AppArmorSetSecurityDaemonSocketLabel,