Refactor the code and reuse it to implement the functionality.
---
 src/security/security_apparmor.c | 37 ++++++++++++++++++++++---------------
 1 file changed, 22 insertions(+), 15 deletions(-)
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 391bf60..1e2a38b 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -704,41 +704,39 @@ AppArmorRestoreSecurityDiskLabel(virSecurityManagerPtr mgr,
 /* Called when hotplugging */
 static int
-AppArmorSetSecurityDiskLabel(virSecurityManagerPtr mgr,
- virDomainDefPtr def, virDomainDiskDefPtr disk)
+AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virStorageSourcePtr src)
 {
 int rc = -1;
 char *profile_name = NULL;
- virSecurityLabelDefPtr secdef =
- virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
+ virSecurityLabelDefPtr secdef;
- if (!secdef)
+ if (!src->path || !virStorageSourceIsLocalStorage(src))
+ return 0;
+
+ if (!(secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME)))
 return -1;
 if (secdef->norelabel)
 return 0;
- if (!virDomainDiskGetSource(disk) ||
- virDomainDiskGetType(disk) == VIR_STORAGE_TYPE_NETWORK)
- return 0;
-
 if (secdef->imagelabel) {
 /* if the device doesn't exist, error out */
- if (!virFileExists(virDomainDiskGetSource(disk))) {
+ if (!virFileExists(src->path)) {
 virReportError(VIR_ERR_INTERNAL_ERROR,
 _("\'%s\' does not exist"),
- virDomainDiskGetSource(disk));
- return rc;
+ src->path);
+ return -1;
 }
 if ((profile_name = get_profile_name(def)) == NULL)
- return rc;
+ return -1;
 /* update the profile only if it is loaded */
 if (profile_loaded(secdef->imagelabel) >= 0) {
 if (load_profile(mgr, secdef->imagelabel, def,
- virDomainDiskGetSource(disk),
- false) < 0) {
+ src->path, false) < 0) {
 virReportError(VIR_ERR_INTERNAL_ERROR,
 _("cannot update AppArmor profile "
 "\'%s\'"),
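Review bot: `src` is dereferenced in the first statement of AppArmorSetSecurityImageLabel (`if (!src->path || ...`) with no NULL check, and a later hunk registers the function as `.domainSetSecurityImageLabel`, so it is no longer reached only through the disk wrapper. Unless the security manager guarantees a non-NULL source (not visible here), guard it: `if (!src || !src->path || !virStorageSourceIsLocalStorage(src)) return 0;`. The skip for path-less or non-local sources now also runs before the label lookup, so a domain without an AppArmor label definition gets 0 where the old code returned -1; if that is intended, a one-line comment such as `/* nothing to label for non-local or empty sources */` would record it. The function body continues past the end of this hunk.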
@@ -756,6 +754,14 @@ AppArmorSetSecurityDiskLabel(virSecurityManagerPtr mgr,
 }
 static int
+AppArmorSetSecurityDiskLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainDiskDefPtr disk)
+{
+ return AppArmorSetSecurityImageLabel(mgr, def, disk->src);
+}
+
+static int
 AppArmorSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 virDomainDefPtr def)
 {
@@ -983,6 +989,7 @@ virSecurityDriver virAppArmorSecurityDriver = {
 .domainSetSecurityDiskLabel = AppArmorSetSecurityDiskLabel,
 .domainRestoreSecurityDiskLabel = AppArmorRestoreSecurityDiskLabel,
+ .domainSetSecurityImageLabel = AppArmorSetSecurityImageLabel,
 .domainRestoreSecurityImageLabel = AppArmorRestoreSecurityImageLabel,
 .domainSetSecurityDaemonSocketLabel = AppArmorSetSecurityDaemonSocketLabel,
--
1.9.3
--
libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
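Review bot: The new AppArmorSetSecurityDiskLabel wrapper has no comment, while `/* Called when hotplugging */` from the first hunk now sits above AppArmorSetSecurityImageLabel, which is also exported as a driver callback. I would move that comment to the wrapper and give the image function its own, e.g. `/* Update the loaded AppArmor profile for src->path; no-op for non-local sources */`. The wrapper forwards only `disk->src`; whether any backing images of the disk end up in the profile depends on load_profile, which is outside this diff, so the comment should say which of the two is responsible for them.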