Since 1b4f66e "security: introduce virSecurityManager (Set|Restore)ChardevLabel" this is a public API of security manager. Implementing this in apparmor avoids miss any rules that should be added for devices labeled via these calls. Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> --- src/security/security_apparmor.c | 74 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index 432fab5..a989992 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -946,6 +946,77 @@ AppArmorRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, } static int +AppArmorSetChardevLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def, + virDomainChrSourceDefPtr dev_source, + bool chardevStdioLogd ATTRIBUTE_UNUSED) +{ + char *in = NULL, *out = NULL; + int ret = -1; + virSecurityLabelDefPtr secdef; + + secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME); + if (!secdef) + return 0; + + switch ((virDomainChrType) dev_source->type) { + case VIR_DOMAIN_CHR_TYPE_DEV: + case VIR_DOMAIN_CHR_TYPE_FILE: + case VIR_DOMAIN_CHR_TYPE_UNIX: + case VIR_DOMAIN_CHR_TYPE_PTY: + ret = reload_profile(mgr, def, dev_source->data.file.path, true); + break; + + case VIR_DOMAIN_CHR_TYPE_PIPE: + if (virAsprintf(&in, "%s.in", dev_source->data.file.path) < 0 || + virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0) + goto done; + if (virFileExists(in)) { + if (reload_profile(mgr, def, in, true) < 0) + goto done; + } + if (virFileExists(out)) { + if (reload_profile(mgr, def, out, true) < 0) + goto done; + } + ret = reload_profile(mgr, def, dev_source->data.file.path, true); + break; + + case VIR_DOMAIN_CHR_TYPE_SPICEPORT: + case VIR_DOMAIN_CHR_TYPE_NULL: + case VIR_DOMAIN_CHR_TYPE_VC: + case VIR_DOMAIN_CHR_TYPE_STDIO: + case VIR_DOMAIN_CHR_TYPE_UDP: + case VIR_DOMAIN_CHR_TYPE_TCP: + case VIR_DOMAIN_CHR_TYPE_SPICEVMC: + case VIR_DOMAIN_CHR_TYPE_NMDM: + case VIR_DOMAIN_CHR_TYPE_LAST: + ret = 0; + break; + } + + done: + VIR_FREE(in); + VIR_FREE(out); + return ret; +} + +static int +AppArmorRestoreChardevLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def, + virDomainChrSourceDefPtr dev_source ATTRIBUTE_UNUSED, + bool chardevStdioLogd ATTRIBUTE_UNUSED) +{ + virSecurityLabelDefPtr secdef; + + secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME); + if (!secdef) + return 0; + + return reload_profile(mgr, def, NULL, false); +} + +static int AppArmorSetSavedStateLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, const char *savefile) @@ -1067,6 +1138,9 @@ virSecurityDriver virAppArmorSecurityDriver = { .domainSetPathLabel = AppArmorSetPathLabel, + .domainSetSecurityChardevLabel = AppArmorSetChardevLabel, + .domainRestoreSecurityChardevLabel = AppArmorRestoreChardevLabel, + .domainSetSecurityImageFDLabel = AppArmorSetFDLabel, .domainSetSecurityTapFDLabel = AppArmorSetFDLabel, -- 2.7.4 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list