libvirt/src/security
Christian Ehrhardt 5a21fd513a
apparmor: fix qemu_bridge_helper for named profile
Since a3ab6d42 "apparmor: convert libvirtd profile to a named profile"
the detection of the subelement for qemu_bridge_helper is wrong.

In combination with the older 123cc3e1 "apparmor: allow
/usr/lib/qemu/qemu-bridge-helper" it now no longer detects
qemu-bridge-helper by its path, but instead as a proper subelement of the
named profile, like: label=libvirtd//qemu_bridge_helper

In the same fashion the reverse rule in the qemu_bridge_helper
sub-profile still uses the path and not the named profile label.

Triggering denies like:
apparmor="DENIED" operation="file_inherit"
  profile="libvirtd//qemu_bridge_helper" pid=5629 comm="qemu-bridge-hel"
  family="unix" sock_type="stream" protocol=0 requested_mask="send receive"
  denied_mask="send receive" addr=none peer_addr=none peer="libvirtd"

This patch fixes the unix socket rules for the communication between
libvirtd and qemu-bridge-helper to match that.

Fixes: a3ab6d42d8
Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1655111

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2020-01-31 08:32:00 +01:00
apparmor apparmor: fix qemu_bridge_helper for named profile 2020-01-31 08:32:00 +01:00
Makefile.inc.am build: link to glib library 2019-10-14 10:54:42 +01:00
security_apparmor.c Add a space before ending a comment 2020-01-30 12:32:03 +01:00
security_apparmor.h src/security: use #pragma once in headers 2019-06-19 17:12:31 +02:00
security_dac.c src: conditionalize use of chown & stat constants 2020-01-29 14:51:40 +00:00
security_dac.h src/security: use #pragma once in headers 2019-06-19 17:12:31 +02:00
security_driver.c Use G_N_ELEMENTS instead of ARRAY_CARDINALITY 2019-10-15 16:14:19 +02:00
security_driver.h security: Pass @migrated to virSecurityManagerSetAllLabel 2019-10-14 17:14:13 +02:00
security_manager.c src: conditionalize use of S_ISSOCK macro 2020-01-29 14:51:40 +00:00
security_manager.h security: Introduce virSecurityManagerGetDriver() 2019-10-14 17:20:30 +02:00
security_nop.c Use g_strdup instead of ignoring VIR_STRDUP's value 2019-10-21 12:51:55 +02:00
security_nop.h src/security: use #pragma once in headers 2019-06-19 17:12:31 +02:00
security_selinux.c src: remove usage of strchrnul function 2020-01-29 14:51:39 +00:00
security_selinux.h src/security: use #pragma once in headers 2019-06-19 17:12:31 +02:00
security_stack.c security: use G_GNUC_UNUSED 2019-10-15 11:25:24 +02:00
security_stack.h src/security: use #pragma once in headers 2019-06-19 17:12:31 +02:00
security_util.c security: Use g_strdup_printf() instead of virAsprintf() 2019-11-12 16:15:58 +01:00
security_util.h security_util: Introduce virSecurityMoveRememberedLabel 2019-07-03 08:36:04 +02:00
virt-aa-helper.c virt-aa-helper: Drop unused variable in verify_xpath_context() 2020-01-07 16:55:50 +01:00