security, apparmor: add (Set|Restore)InputLabel

d8116b5a "security: Introduce functions for input device hot(un)plug" implemented the code (Set|Restore)InputLabel for several security modules, this patch adds an AppArmor implementation for it as well. That fixes hot-plugging event input devices by generating a rule for the path that needs to be accessed. Example hot adding: <input type='passthrough' bus='virtio'> <source evdev='/dev/input/event0' /> </input> Creates now: "/dev/input/event0" rwk, Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1755153Acked-by: N Jamie Strandboge <jamie@canonical.com> Signed-off-by: N Christian Ehrhardt <christian.ehrhardt@canonical.com>

security, apparmor: add (Set|Restore)InputLabel
d8116b5a "security: Introduce functions for input device hot(un)plug" implemented the code (Set|Restore)InputLabel for several security modules, this patch adds an AppArmor implementation for it as well. That fixes hot-plugging event input devices by generating a rule for the path that needs to be accessed. Example hot adding: <input type='passthrough' bus='virtio'> <source evdev='/dev/input/event0' /> </input> Creates now: "/dev/input/event0" rwk, Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1755153Acked-by: N Jamie Strandboge <jamie@canonical.com> Signed-off-by: N Christian Ehrhardt <christian.ehrhardt@canonical.com>
943c1fd9 · Christian Ehrhardt · 999998a7 · 943c1fd9
隐藏空白更改
内联并排

Showing with 48 addition and 0 deletion

src/security/security_apparmor.c src/security/security_apparmor.c +48 -0

未找到文件。
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -759,6 +759,51 @@ AppArmorRestoreMemoryLabel(virSecurityManagerPtr mgr,
    return reload_profile(mgr, def, NULL, false);
 }

+/* Called when hotplugging */
+static int
+AppArmorSetInputLabel(virSecurityManagerPtr mgr,
+                      virDomainDefPtr def,
+                      virDomainInputDefPtr input)
+{
+    if (input == NULL)
+        return 0;
+
+    switch ((virDomainInputType) input->type) {
+    case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH:
+        if (input->source.evdev == NULL) {
+            virReportError(VIR_ERR_INTERNAL_ERROR,
+                           _("%s: passthrough input device has no source"),
+                           __func__);
+            return -1;
+        }
+        if (!virFileExists(input->source.evdev)) {
+            virReportError(VIR_ERR_INTERNAL_ERROR,
+                           _("%s: \'%s\' does not exist"),
+                           __func__, input->source.evdev);
+            return -1;
+        }
+        return reload_profile(mgr, def, input->source.evdev, true);
+        break;
+
+    case VIR_DOMAIN_INPUT_TYPE_MOUSE:
+    case VIR_DOMAIN_INPUT_TYPE_TABLET:
+    case VIR_DOMAIN_INPUT_TYPE_KBD:
+    case VIR_DOMAIN_INPUT_TYPE_LAST:
+        break;
+    }
+
+    return 0;
+}
+
+
+static int
+AppArmorRestoreInputLabel(virSecurityManagerPtr mgr,
+                          virDomainDefPtr def,
+                          virDomainInputDefPtr input ATTRIBUTE_UNUSED)
+{
+    return reload_profile(mgr, def, NULL, false);
+}
+
 /* Called when hotplugging */
 static int
 AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
@@ -1161,6 +1206,9 @@ virSecurityDriver virAppArmorSecurityDriver = {
    .domainSetSecurityMemoryLabel       = AppArmorSetMemoryLabel,
    .domainRestoreSecurityMemoryLabel   = AppArmorRestoreMemoryLabel,

+    .domainSetSecurityInputLabel        = AppArmorSetInputLabel,
+    .domainRestoreSecurityInputLabel    = AppArmorRestoreInputLabel,
+
    .domainSetSecurityDaemonSocketLabel = AppArmorSetSecurityDaemonSocketLabel,
    .domainSetSecuritySocketLabel       = AppArmorSetSecuritySocketLabel,
    .domainClearSecuritySocketLabel     = AppArmorClearSecuritySocketLabel,