On Tue, 2018-03-20 at 13:08 +0100, Christian Ehrhardt wrote: > d8116b5a "security: Introduce functions for input device hot(un)plug" > implemented the code (Set|Restore)InputLabel for several security > modules, > this patch adds an AppArmor implementation for it as well. > > That fixes hot-plugging event input devices by generating a rule for > the > path that needs to be accessed. > > Example hot adding: > <input type='passthrough' bus='virtio'> > <source evdev='/dev/input/event0' /> > </input> > Creates now: > "/dev/input/event0" rwk, > > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> > --- > src/security/security_apparmor.c | 51 > ++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 51 insertions(+) > > diff --git a/src/security/security_apparmor.c > b/src/security/security_apparmor.c > index 4ae1e3d..7924b9a 100644 > --- a/src/security/security_apparmor.c > +++ b/src/security/security_apparmor.c 
> @@ -765,6 +765,54 @@ AppArmorRestoreMemoryLabel(virSecurityManagerPtr > mgr, > > /* Called when hotplugging */ > static int > +AppArmorSetInputLabel(virSecurityManagerPtr mgr, > + virDomainDefPtr def, > + virDomainInputDefPtr input) > +{ > + virSecurityLabelDefPtr secdef; > + > + secdef = virDomainDefGetSecurityLabelDef(def, > SECURITY_APPARMOR_NAME); > + if (!secdef || !secdef->relabel) > + return 0; > + > + switch ((virDomainInputType) input->type) { > + case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH: > + if (!virFileExists(input->source.evdev)) { > + virReportError(VIR_ERR_INTERNAL_ERROR, > + _("%s: \'%s\' does not exist"), > + __func__, input->source.evdev); > + return -1; > + } > + return reload_profile(mgr, def, input->source.evdev, true); > + break; > + > + case VIR_DOMAIN_INPUT_TYPE_MOUSE: > + case VIR_DOMAIN_INPUT_TYPE_TABLET: > + case VIR_DOMAIN_INPUT_TYPE_KBD: > + case VIR_DOMAIN_INPUT_TYPE_LAST: > + break; > + } > + > + return 0; > +} > + > + > +static int > +AppArmorRestoreInputLabel(virSecurityManagerPtr mgr, > + virDomainDefPtr def, > + virDomainInputDefPtr input > ATTRIBUTE_UNUSED) > +{ > + virSecurityLabelDefPtr secdef = > + virDomainDefGetSecurityLabelDef(def, > SECURITY_APPARMOR_NAME); > + > + if (!secdef || !secdef->relabel) > + return 0; > + > + return reload_profile(mgr, def, NULL, false); > +} > + > +/* Called when hotplugging */ > +static int > AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr, > virDomainDefPtr def, > virStorageSourcePtr src) 
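Review bot: The `break;` after `return reload_profile(mgr, def, input->source.evdev, true);` in the PASSTHROUGH case of AppArmorSetInputLabel is unreachable; either drop it or collect the result in a local, `rc = reload_profile(mgr, def, input->source.evdev, true); break;`, and `return rc;` after the switch so every case exits the same way. AppArmorRestoreInputLabel marks `input` as unused and reloads the profile for every input type, including mouse/tablet/kbd for which the set path never added a rule; a switch mirroring the set path would avoid that reload on unplug, assuming reload_profile() with a NULL path regenerates the whole profile (its body is outside the hunk). The virFileExists() failure is reported as VIR_ERR_INTERNAL_ERROR although the evdev path comes from the domain configuration; it is worth confirming that matches the error class the neighbouring label functions use for a missing source path.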
> @@ -1165,6 +1213,9 @@ virSecurityDriver virAppArmorSecurityDriver = { > .domainSetSecurityMemoryLabel = AppArmorSetMemoryLabel, > .domainRestoreSecurityMemoryLabel = > AppArmorRestoreMemoryLabel, > > + .domainSetSecurityInputLabel = AppArmorSetInputLabel, > + .domainRestoreSecurityInputLabel = AppArmorRestoreInputLabel, > + > .domainSetSecurityDaemonSocketLabel = > AppArmorSetSecurityDaemonSocketLabel, > .domainSetSecuritySocketLabel = > AppArmorSetSecuritySocketLabel, > .domainClearSecuritySocketLabel = > AppArmorClearSecuritySocketLabel, Same comments on this as for '[PATCH 1/4] security, apparmor: add (Set|Restore)MemoryLabel'. -- Jamie Strandboge | http://www.canonical.com