On Thu, Jun 16, 2011 at 02:01:34PM -0500, Jamie Strandboge wrote:
> During a savevm operation, libvirt will now use fd migration if qemu
> supports it. When the AppArmor driver is enabled, AppArmorSetFDLabel()
> is used but since this function simply returns '0', the dynamic AppArmor
> profile is not updated and AppArmor blocks access to the save file. This
> patch implements AppArmorSetFDLabel() to get the pathname of the file by
> resolving the fd symlink in /proc, and then gives that pathname to
> reload_profile(), which fixes 'virsh save' when AppArmor is enabled.
>
> Passes 'check' and 'syntax-check' (though po_check failed for unrelated
> reasons).
>
> Reference: https://launchpad.net/bugs/795800
>
> --
> Jamie Strandboge | http://www.canonical.com
>
> Author: Jamie Strandboge <jamie@xxxxxxxxxxxxx>
> Description: implement AppArmorSetFDLabel()
> During a savevm operation, libvirt will now use fd migration if qemu supports
> it. When the AppArmor driver is enabled, AppArmorSetFDLabel() is used but
> since this function simply returns '0', the dynamic AppArmor profile is not
> updated and AppArmor blocks access to the save file. This patch implements
> AppArmorSetFDLabel() to get the pathname of the file by resolving the fd
> symlink in /proc, and then gives that pathname to reload_profile(), which
> fixes 'virsh save' when AppArmor is enabled.
> Bug-Ubuntu: https://launchpad.net/bugs/795800
>
> diff -Naurp libvirt.orig/src/security/security_apparmor.c libvirt/src/security/security_apparmor.c
> --- libvirt.orig/src/security/security_apparmor.c 2011-06-16 12:05:46.000000000 -0500
> +++ libvirt/src/security/security_apparmor.c 2011-06-16 13:38:09.000000000 -0500
> @@ -757,11 +757,31 @@ AppArmorRestoreSavedStateLabel(virSecuri > } > > static int > -AppArmorSetFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, > - virDomainObjPtr vm ATTRIBUTE_UNUSED, > - int fd ATTRIBUTE_UNUSED) > +AppArmorSetFDLabel(virSecurityManagerPtr mgr, > + virDomainObjPtr vm, > + int fd) > { > - return 0; > + int rc = -1; > + char *proc = NULL; > + char *fd_path = NULL; > + > + const virSecurityLabelDefPtr secdef = &vm->def->seclabel; > + > + if (secdef->imagelabel == NULL) > + return 0; > + > + if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1) { > + virReportOOMError(); > + return rc; > + } > + > + if (virFileResolveLink(proc, &fd_path) < 0) { > + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, > + "%s", _("could not find path for descriptor")); > + return rc; > + } > + > + return reload_profile(mgr, vm, fd_path, true); > } > > virSecurityDriver virAppArmorSecurityDriver = { ACK Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
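Review bot: the new AppArmorSetFDLabel() body leaks both of its buffers. `proc` is never freed on any path, `fd_path` is not freed after `return reload_profile(mgr, vm, fd_path, true);`, and `rc` is only ever -1, so the two `return rc;` lines are plain `return -1;` with the leak baked in. Suggest libvirt's usual cleanup-label shape: `rc = reload_profile(mgr, vm, fd_path, true);` followed by `cleanup: VIR_FREE(proc); VIR_FREE(fd_path); return rc;`, with the two error branches doing `goto cleanup`. Two smaller points on the same hunk: the error `could not find path for descriptor` would be far easier to act on if it carried the fd number or the `proc` string, and readlink on /proc/self/fd/N does not always yield a usable path: an unlinked file comes back with a " (deleted)" suffix, and a pipe or socket comes back as "pipe:[...]" or "socket:[...]", so a `fd_path[0] == '/'` check before the reload_profile() call would keep such strings out of the generated profile rather than letting reload_profile() emit a rule for them.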
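The patch resolves /proc/self/fd/N with a readlink and hands the resulting string straight to reload_profile(). The block below is an added example, not libvirt's code and not part of Jamie's patch, that performs the same resolution and classifies the result before a caller would feed it to a path-based policy: a live file, an unlinked file (the kernel appends " (deleted)" to the link target), and a descriptor that has no filesystem path at all, such as a pipe. It assumes Linux with /proc mounted; fd_resolve_path, fd_resolve_selftest and the fd_path_kind enum are names chosen here for illustration, and the temporary file and pipe it creates are constructed test input.

```c
/* Added example (not libvirt code): resolve the file behind a descriptor
 * via /proc/self/fd/N, as AppArmorSetFDLabel() in the patch does, and
 * classify the result before it is used as a path in a policy.
 * Assumes Linux with /proc mounted. Names below are illustrative. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum fd_path_kind {
    FD_PATH_OK = 0,     /* absolute path of a file that still exists   */
    FD_PATH_DELETED,    /* file was unlinked: kernel appends " (deleted)" */
    FD_PATH_NOT_A_FILE, /* "pipe:[..]", "socket:[..]", "anon_inode:..": no path */
    FD_PATH_ERROR       /* readlink failed: bad fd, /proc missing, too long */
};

/* Resolve fd through /proc/self/fd and copy the path into out (outlen bytes).
 * For FD_PATH_DELETED the " (deleted)" marker is stripped from out so the
 * caller sees the original name, but it must not treat it as a live path. */
enum fd_path_kind fd_resolve_path(int fd, char *out, size_t outlen)
{
    static const char deleted[] = " (deleted)";
    const size_t dl = sizeof deleted - 1;
    char proc[64];
    char buf[PATH_MAX + 1];
    ssize_t n;

    if (snprintf(proc, sizeof proc, "/proc/self/fd/%d", fd) >= (int) sizeof proc)
        return FD_PATH_ERROR;

    n = readlink(proc, buf, sizeof buf - 1);   /* readlink does not NUL-terminate */
    if (n < 0)
        return FD_PATH_ERROR;
    buf[n] = '\0';

    if (buf[0] != '/')                         /* pipes, sockets, anon inodes */
        return FD_PATH_NOT_A_FILE;

    if ((size_t) n >= outlen)
        return FD_PATH_ERROR;
    memcpy(out, buf, (size_t) n + 1);

    if ((size_t) n > dl && strcmp(buf + n - dl, deleted) == 0) {
        out[n - dl] = '\0';                    /* drop the kernel's marker */
        return FD_PATH_DELETED;
    }
    return FD_PATH_OK;
}

/* Exercise the cases with a constructed temp file and a pipe.
 * Returns 0 when every case classifies as expected, else the failing step. */
int fd_resolve_selftest(void)
{
    char tmpl[] = "/tmp/fdlabel-XXXXXX";      /* constructed test file */
    char canon[PATH_MAX], path[PATH_MAX];
    int p[2];
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return 1;
    if (!realpath(tmpl, canon))                /* /proc reports the canonical path */
        return 2;

    if (fd_resolve_path(fd, path, sizeof path) != FD_PATH_OK) return 3;
    if (strcmp(path, canon) != 0) return 4;

    unlink(tmpl);                              /* open fd, name gone */
    if (fd_resolve_path(fd, path, sizeof path) != FD_PATH_DELETED) return 5;
    if (strcmp(path, canon) != 0) return 6;    /* marker stripped, name kept */
    close(fd);

    if (pipe(p) < 0) return 7;
    if (fd_resolve_path(p[0], path, sizeof path) != FD_PATH_NOT_A_FILE) return 8;
    close(p[0]);
    close(p[1]);

    if (fd_resolve_path(-1, path, sizeof path) != FD_PATH_ERROR) return 9;
    return 0;
}

int main(void)
{
    int rc = fd_resolve_selftest();
    printf("fd_resolve_selftest: %s (step %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The FD_PATH_DELETED and FD_PATH_NOT_A_FILE outcomes are exactly the strings a caller would otherwise pass on unchanged: a profile rule written for "/var/lib/libvirt/save/x (deleted)" or "pipe:[4711]" never matches anything useful, so a labeling routine should refuse or special-case them rather than reload the profile with them.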