apparmor: Don't check for existence of templates upfront
Currently, if either template is missing AppArmor support is completely disabled. This means that uninstalling the LXC driver from a system results in QEMU domains being started without AppArmor confinement, which obviously doesn't make any sense. The problematic scenario was impossible to hit in Debian until very recently, because all AppArmor files were shipped as part of the same package; now that the Debian package is much closer to the Fedora one, and specifically ships the AppArmor files together with the corresponding driver, it becomes trivial to trigger it. Drop the checks entirely. virt-aa-helper, which is responsible for creating the per-domain profiles starting from the driver-specific template, already fails if the latter is not present, so they were always redundant. https://bugs.debian.org/1081396 Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
parent
4b68c7e55b
commit
d622ca04f6
@ -318,27 +318,9 @@ AppArmorSetSecurityHostLabel(virSCSIVHostDevice *dev G_GNUC_UNUSED,
static virSecurityDriverStatus
AppArmorSecurityManagerProbe(const char *virtDriver G_GNUC_UNUSED)
{
g_autofree char *template_qemu = NULL;
g_autofree char *template_lxc = NULL;
if (use_apparmor() < 0)
return SECURITY_DRIVER_DISABLE;
/* see if template file exists */
template_qemu = g_strdup_printf("%s/TEMPLATE.qemu", APPARMOR_DIR "/libvirt");
template_lxc = g_strdup_printf("%s/TEMPLATE.lxc", APPARMOR_DIR "/libvirt");
if (!virFileExists(template_qemu)) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("template \'%1$s\' does not exist"), template_qemu);
return SECURITY_DRIVER_DISABLE;
}
if (!virFileExists(template_lxc)) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("template \'%1$s\' does not exist"), template_lxc);
return SECURITY_DRIVER_DISABLE;
}
return SECURITY_DRIVER_ENABLE;
}