
apparmor: let image label setting loop over backing files

When adding a rule for an image file and that image file has a chain
of backing files then we need to add a rule for each of those files.

To achieve that, iterate over the backing file chain the same way the
dac and selinux drivers already do, and add a rule for each file.

Fixes: https://gitlab.com/libvirt/libvirt/-/issues/118

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
This commit is contained in:
Christian Ehrhardt 2021-01-13 12:32:18 +01:00
parent d40aa77c8e
commit d51ad0008d
No known key found for this signature in database
GPG Key ID: BA3E29338280B242


@ -756,22 +756,13 @@ AppArmorRestoreInputLabel(virSecurityManagerPtr mgr,
/* Called when hotplugging */ /* Called when hotplugging */
static int static int
AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr, AppArmorSetSecurityImageLabelInternal(virSecurityManagerPtr mgr,
virDomainDefPtr def, virDomainDefPtr def,
virStorageSourcePtr src, virStorageSourcePtr src)
virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED)
{ {
virSecurityLabelDefPtr secdef;
g_autofree char *vfioGroupDev = NULL; g_autofree char *vfioGroupDev = NULL;
const char *path; const char *path;
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
if (!secdef || !secdef->relabel)
return 0;
if (!secdef->imagelabel)
return 0;
if (src->type == VIR_STORAGE_TYPE_NVME) { if (src->type == VIR_STORAGE_TYPE_NVME) {
const virStorageSourceNVMeDef *nvme = src->nvme; const virStorageSourceNVMeDef *nvme = src->nvme;
@ -797,6 +788,30 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
return reload_profile(mgr, def, path, true); return reload_profile(mgr, def, path, true);
} }
static int
AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
virStorageSourcePtr src,
virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED)
{
virSecurityLabelDefPtr secdef;
virStorageSourcePtr n;
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
if (!secdef || !secdef->relabel)
return 0;
if (!secdef->imagelabel)
return 0;
for (n = src; virStorageSourceIsBacking(n); n = n->backingStore) {
if (AppArmorSetSecurityImageLabelInternal(mgr, def, n) < 0)
return -1;
}
return 0;
}
static int static int
AppArmorSecurityVerify(virSecurityManagerPtr mgr G_GNUC_UNUSED, AppArmorSecurityVerify(virSecurityManagerPtr mgr G_GNUC_UNUSED,
virDomainDefPtr def) virDomainDefPtr def)
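Review bot: The new loop `for (n = src; virStorageSourceIsBacking(n); n = n->backingStore)` calls into the helper, which ends in `reload_profile(mgr, def, path, true)`, once per chain element and returns -1 on the first failure, so a failure midway leaves the profile already widened for the earlier elements with nothing unwinding it in this function; a one-line comment stating who is expected to clean that up would help, e.g. `/* No rollback on partial failure; presumably the caller's restore path narrows the profile again */` — the restore counterpart is not in this hunk, so that is an assumption to confirm. The set of paths granted is whatever hangs off `src->backingStore`; if that chain can come from probing image metadata rather than the domain XML, it is worth confirming at the call sites that only chains libvirt has already validated reach here, since every element becomes an allow rule in the guest's profile. Minor: the `/* Called when hotplugging */` comment now sits above the `AppArmorSetSecurityImageLabelInternal` helper rather than the entry point `AppArmorSetSecurityImageLabel` and could move down with it.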