提交 a1bdf04b 编写于 作者: C Cédric Bosdonnat

apparmor: differentiate between error and unconfined profiles

The profile_status function did not distinguish between error cases
and unconfined profiles. The problem with this approach was that
dominfo threw an error on unconfined domains.
上级 51a4178f
...@@ -66,10 +66,11 @@ struct SDPDOP { ...@@ -66,10 +66,11 @@ struct SDPDOP {
}; };
/* /*
* profile_status returns '-1' on error, '0' if loaded * profile_status returns '-2' on error, '-1' if not loaded, '0' if loaded
* *
* If check_enforcing is set to '1', then returns '-1' on error, '0' if * If check_enforcing is set to '1', then returns '-2' on error, '-1' if
* loaded in complain mode, and '1' if loaded in enforcing mode. * not loaded, '0' if loaded in complain mode, and '1' if loaded in
* enforcing mode.
*/ */
static int static int
profile_status(const char *str, const int check_enforcing) profile_status(const char *str, const int check_enforcing)
...@@ -77,7 +78,7 @@ profile_status(const char *str, const int check_enforcing) ...@@ -77,7 +78,7 @@ profile_status(const char *str, const int check_enforcing)
char *content = NULL; char *content = NULL;
char *tmp = NULL; char *tmp = NULL;
char *etmp = NULL; char *etmp = NULL;
int rc = -1; int rc = -2;
/* create string that is '<str> \0' for accurate matching */ /* create string that is '<str> \0' for accurate matching */
if (virAsprintf(&tmp, "%s ", str) == -1) if (virAsprintf(&tmp, "%s ", str) == -1)
...@@ -100,6 +101,8 @@ profile_status(const char *str, const int check_enforcing) ...@@ -100,6 +101,8 @@ profile_status(const char *str, const int check_enforcing)
if (strstr(content, tmp) != NULL) if (strstr(content, tmp) != NULL)
rc = 0; rc = 0;
else
rc = -1; /* return -1 if not loaded */
if (check_enforcing != 0) { if (check_enforcing != 0) {
if (rc == 0 && strstr(content, etmp) != NULL) if (rc == 0 && strstr(content, etmp) != NULL)
rc = 1; /* return '1' if loaded and enforcing */ rc = 1; /* return '1' if loaded and enforcing */
...@@ -262,6 +265,9 @@ use_apparmor(void) ...@@ -262,6 +265,9 @@ use_apparmor(void)
goto cleanup; goto cleanup;
rc = profile_status(libvirt_daemon, 1); rc = profile_status(libvirt_daemon, 1);
/* Error or unconfined should all result in -1*/
if (rc < 0)
rc = -1;
cleanup: cleanup:
VIR_FREE(libvirt_daemon); VIR_FREE(libvirt_daemon);
...@@ -517,23 +523,29 @@ AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, ...@@ -517,23 +523,29 @@ AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virSecurityLabelPtr sec) virSecurityLabelPtr sec)
{ {
int rc = -1; int rc = -1;
int status;
char *profile_name = NULL; char *profile_name = NULL;
if ((profile_name = get_profile_name(def)) == NULL) if ((profile_name = get_profile_name(def)) == NULL)
return rc; return rc;
if (virStrcpy(sec->label, profile_name, status = profile_status(profile_name, 1);
VIR_SECURITY_LABEL_BUFLEN) == NULL) { if (status < -1) {
virReportError(VIR_ERR_INTERNAL_ERROR, virReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("error copying profile name")); "%s", _("error getting profile status"));
goto cleanup; goto cleanup;
} else if (status == -1) {
profile_name[0] = '\0';
} }
if ((sec->enforcing = profile_status(profile_name, 1)) < 0) { if (virStrcpy(sec->label, profile_name,
VIR_SECURITY_LABEL_BUFLEN) == NULL) {
virReportError(VIR_ERR_INTERNAL_ERROR, virReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("error calling profile_status()")); "%s", _("error copying profile name"));
goto cleanup; goto cleanup;
} }
sec->enforcing = status == 1;
rc = 0; rc = 0;
cleanup: cleanup:
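Review bot: The three-way result of profile_status is handled through bare sentinels — `status < -1` and `status == -1` in AppArmorGetSecurityProcessLabel, `rc < 0` in use_apparmor — so a reader has to go back to the header comment on profile_status to learn that -2 means error and -1 means not loaded. An enum next to profile_status, `enum { PROFILE_STATUS_ERROR = -2, PROFILE_STATUS_NOT_LOADED = -1 };`, used in those comparisons would make the distinction this commit introduces self-documenting, and the `/* return -1 if not loaded */` comment in the third hunk could then go. The not-loaded branch that blanks profile_name also deserves a why-comment, since returning success with an empty label is the actual fix: `/* Not loaded: report an empty label and enforcing == 0 instead of failing, so dominfo works on unconfined domains */`. For readability `sec->enforcing = status == 1;` is clearer written as `sec->enforcing = (status == 1);`. The body of AppArmorGetSecurityProcessLabel continues past the hunk; only up to the cleanup label is shown.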