Re: [PATCH 1/2] apparmor: Check libvirtd profile status by name

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 01 Mar 2019, Jim Fehlig wrote:

> Commit a3ab6d42 changed the libvirtd profile to a named profile,
> breaking the apparmor driver's ability to detect if the profile is
> active. When the apparmor driver loads it checks the status of the
> libvirtd profile using the full binary path, which fails since the
> profile is now referenced by name. If the apparmor driver is
> explicitly requested in /etc/libvirt/qemu.conf, then libvirtd fails
> to load too.
> 
> Instead of only checking the profile status by full binary path,
> also check by profile name. The full path check is retained in case
> users have a customized libvirtd profile with full path.
> 
> Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx>
> ---
>  src/security/security_apparmor.c | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
> index 4afdef065a..6d16b15c65 100644
> --- a/src/security/security_apparmor.c
> +++ b/src/security/security_apparmor.c
> @@ -257,10 +257,16 @@ use_apparmor(void)
>      if (access(APPARMOR_PROFILES_PATH, R_OK) != 0)
>          goto cleanup;
>  
> +    /* First check profile status using full binary path. If that fails
> +     * check using profile name.
> +     */
>      rc = profile_status(libvirt_daemon, 1);
> -    /* Error or unconfined should all result in -1*/
> -    if (rc < 0)
> -        rc = -1;
> +    if (rc < 0) {
> +        rc = profile_status("libvirtd", 1);
> +        /* Error or unconfined should all result in -1*/
> +        if (rc < 0)
> +            rc = -1;
> +    }

LGTM. +1 to apply. Thanks!

-- 
Jamie Strandboge             | http://www.canonical.com

Attachment: signature.asc
Description: PGP signature

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux