apparmor: let image label setting loop over backing files

When adding a rule for an image file and that image file has a chain of backing files then we need to add a rule for each of those files. To get that iterate over the backing file chain the same way as dac/selinux already do and add a label for each. Fixes: https://gitlab.com/libvirt/libvirt/-/issues/118 Reviewed-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Jim Fehlig <jfehlig@suse.com> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2025-03-07 17:28:15 +00:00 · 2021-01-13 12:32:18 +01:00 · 2021-01-13 12:32:18 +01:00 · d51ad0008d
commit d51ad0008d
parent d40aa77c8e
1 changed files with 27 additions and 12 deletions
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@ -756,22 +756,13 @@ AppArmorRestoreInputLabel(virSecurityManagerPtr mgr,

 /* Called when hotplugging */
 static int
-AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
+AppArmorSetSecurityImageLabelInternal(virSecurityManagerPtr mgr,
                                      virDomainDefPtr def,
-                              virStorageSourcePtr src,
-                              virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED)
+                                      virStorageSourcePtr src)
 {
-    virSecurityLabelDefPtr secdef;
    g_autofree char *vfioGroupDev = NULL;
    const char *path;

-    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
-    if (!secdef || !secdef->relabel)
-        return 0;
-
-    if (!secdef->imagelabel)
-        return 0;
-
    if (src->type == VIR_STORAGE_TYPE_NVME) {
        const virStorageSourceNVMeDef *nvme = src->nvme;

@ -797,6 +788,30 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
    return reload_profile(mgr, def, path, true);
 }

+static int
+AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
+                              virDomainDefPtr def,
+                              virStorageSourcePtr src,
+                              virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED)
+{
+    virSecurityLabelDefPtr secdef;
+    virStorageSourcePtr n;
+
+    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
+    if (!secdef || !secdef->relabel)
+        return 0;
+
+    if (!secdef->imagelabel)
+        return 0;
+
+    for (n = src; virStorageSourceIsBacking(n); n = n->backingStore) {
+        if (AppArmorSetSecurityImageLabelInternal(mgr, def, n) < 0)
+            return -1;
+    }
+
+    return 0;
+}
+
 static int
 AppArmorSecurityVerify(virSecurityManagerPtr mgr G_GNUC_UNUSED,
                       virDomainDefPtr def)