Move load of AppArmor profile to GenLabel()

Commit 12317957 introduced an incompatible architectural change for the AppArmor security driver. Specifically, virSecurityManagerSetAllLabel() is now called much later in src/qemu/qemu_process.c:qemuProcessStart(). Previously, SetAllLabel() was called immediately after GenLabel() such that after the dynamic label (profile name) was generated, SetAllLabel() would be called to create and load the AppArmor profile into the kernel before qemuProcessHook() was executed. With 12317957, qemuProcessHook() is now called before SetAllLabel(), such that aa_change_profile() ends up being called before the AppArmor profile is loaded into the kernel (via ProcessLabel() in qemuProcessHook()). This patch addresses the change by making GenLabel() load the AppArmor profile into the kernel after the label (profile name) is generated. SetAllLabel() is then adjusted to only reload_profile() and append stdin_fn to the profile when it is specified. This also makes the AppArmor driver work like its SELinux counterpart with regard to SetAllLabel() and stdin_fn. Bug-Ubuntu: https://launchpad.net/bugs/801569

Move load of AppArmor profile to GenLabel()
Commit 12317957 introduced an incompatible architectural change for the AppArmor security driver. Specifically, virSecurityManagerSetAllLabel() is now called much later in src/qemu/qemu_process.c:qemuProcessStart(). Previously, SetAllLabel() was called immediately after GenLabel() such that after the dynamic label (profile name) was generated, SetAllLabel() would be called to create and load the AppArmor profile into the kernel before qemuProcessHook() was executed. With 12317957, qemuProcessHook() is now called before SetAllLabel(), such that aa_change_profile() ends up being called before the AppArmor profile is loaded into the kernel (via ProcessLabel() in qemuProcessHook()). This patch addresses the change by making GenLabel() load the AppArmor profile into the kernel after the label (profile name) is generated. SetAllLabel() is then adjusted to only reload_profile() and append stdin_fn to the profile when it is specified. This also makes the AppArmor driver work like its SELinux counterpart with regard to SetAllLabel() and stdin_fn. Bug-Ubuntu: https://launchpad.net/bugs/801569
0b501bd4 · Jamie Strandboge · Eric Blake · db323e3b · 0b501bd4
隐藏空白更改
内联并排

Showing with 12 addition and 10 deletion

src/security/security_apparmor.c src/security/security_apparmor.c +12 -10

未找到文件。
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -429,6 +429,14 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
        goto err;
    }
+    /* Now that we have a label, load the profile into the kernel. */
+    if (load_profile(mgr, vm->def->seclabel.label, vm, NULL, false) < 0) {
+        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+                               _("cannot load AppArmor profile "
+                               "\'%s\'"), vm->def->seclabel.label);
+        goto err;
+    }
    rc = 0;
    goto clean;
@@ -450,16 +458,10 @@ AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr,
    if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
        return 0;
-    /* if the profile is not already loaded, then load one */
+    /* Reload the profile if stdin_path is specified. Note that
-    if (profile_loaded(vm->def->seclabel.label) < 0) {
+       GenSecurityLabel() will have already been run. */
-        if (load_profile(mgr, vm->def->seclabel.label, vm, stdin_path,
+    if (stdin_path)
-                         false) < 0) {
+        return reload_profile(mgr, vm, stdin_path, true);
-            virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
-                                   _("cannot generate AppArmor profile "
-                                   "\'%s\'"), vm->def->seclabel.label);
-            return -1;
-        }
-    }
    return 0;
 }