[PATCH 2/2] apparmor: don't fail on non-apparmor <seclabel>

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



If the apparmor security driver is loaded/enabled and domain config
contains a <seclabel> element whose type attribute is not 'apparmor',
starting the domain fails when attempting to label resources such
as tap FDs.

Many of the apparmor driver entry points attempt to retrieve the
apparmor security label from the domain def, returning failure if
not found. Functions such as AppArmorSetFDLabel fail even though
domain config contains an explicit 'none' secuirty driver, e.g.

  <seclabel type='none' model='none'/>

Change the entry points to succeed if the domain config <seclabel>
is not apparmor. This matches the behavior of the selinux driver.

Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx>
---
 src/security/security_apparmor.c | 58 ++++++++++++----------------------------
 1 file changed, 17 insertions(+), 41 deletions(-)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index ad50b08..f871e60 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -289,10 +289,7 @@ reload_profile(virSecurityManagerPtr mgr,
     virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(
                                                 def, SECURITY_APPARMOR_NAME);
 
-    if (!secdef)
-        return rc;
-
-    if (!secdef->relabel)
+    if (!secdef || !secdef->relabel)
         return 0;
 
     if ((profile_name = get_profile_name(def)) == NULL)
@@ -435,7 +432,7 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                                 SECURITY_APPARMOR_NAME);
 
     if (!secdef)
-        return -1;
+        return 0;
 
     if ((secdef->type == VIR_DOMAIN_SECLABEL_STATIC) ||
         (secdef->type == VIR_DOMAIN_SECLABEL_NONE))
@@ -495,10 +492,7 @@ AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr,
 {
     virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def,
                                                     SECURITY_APPARMOR_NAME);
-    if (!secdef)
-        return -1;
-
-    if (!secdef->relabel)
+    if (!secdef || !secdef->relabel)
         return 0;
 
     /* Reload the profile if stdin_path is specified. Note that
@@ -559,12 +553,11 @@ AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 {
     virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def,
                                                         SECURITY_APPARMOR_NAME);
-    if (!secdef)
-        return -1;
-
-    VIR_FREE(secdef->model);
-    VIR_FREE(secdef->label);
-    VIR_FREE(secdef->imagelabel);
+    if (secdef) {
+        VIR_FREE(secdef->model);
+        VIR_FREE(secdef->label);
+        VIR_FREE(secdef->imagelabel);\
+    }
 
     return 0;
 }
@@ -580,7 +573,7 @@ AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
         virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
 
     if (!secdef)
-        return -1;
+        return 0;
 
     if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
         if ((rc = remove_profile(secdef->label)) != 0) {
@@ -604,10 +597,7 @@ AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
     virSecurityLabelDefPtr secdef =
         virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
 
-    if (!secdef)
-        return -1;
-
-    if (secdef->label == NULL)
+    if (!secdef || !secdef->label)
         return 0;
 
     if ((profile_name = get_profile_name(def)) == NULL)
@@ -653,10 +643,7 @@ AppArmorSetSecurityChildProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
     virSecurityLabelDefPtr secdef =
         virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
 
-    if (!secdef)
-        goto cleanup;
-
-    if (secdef->label == NULL)
+    if (!secdef || !secdef->label)
         return 0;
 
     if (STRNEQ(SECURITY_APPARMOR_NAME, secdef->model)) {
@@ -738,10 +725,8 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
     if (!src->path || !virStorageSourceIsLocalStorage(src))
         return 0;
 
-    if (!(secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME)))
-        return -1;
-
-    if (!secdef->relabel)
+    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
+    if (!secdef || !secdef->relabel)
         return 0;
 
     if (secdef->imagelabel) {
@@ -792,7 +777,7 @@ AppArmorSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
         virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
 
     if (!secdef)
-        return -1;
+        return 0;
 
     if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) {
         if (use_apparmor() < 0 || profile_status(secdef->label, 0) < 0) {
@@ -829,10 +814,7 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
     virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
     virDomainHostdevSubsysSCSIVHostPtr hostsrc = &dev->source.subsys.u.scsi_host;
 
-    if (!secdef)
-        return -1;
-
-    if (!secdef->relabel)
+    if (!secdef || !secdef->relabel)
         return 0;
 
     if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
@@ -940,10 +922,7 @@ AppArmorRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
     virSecurityLabelDefPtr secdef =
         virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
 
-    if (!secdef)
-        return -1;
-
-    if (!secdef->relabel)
+    if (!secdef || !secdef->relabel)
         return 0;
 
     return reload_profile(mgr, def, NULL, false);
@@ -978,10 +957,7 @@ AppArmorSetFDLabel(virSecurityManagerPtr mgr,
     virSecurityLabelDefPtr secdef =
         virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
 
-    if (!secdef)
-        return -1;
-
-    if (secdef->imagelabel == NULL)
+    if (!secdef || !secdef->imagelabel)
         return 0;
 
     if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-- 
2.9.2

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]
  Powered by Linux