[Pkg-libvirt-commits] [Git][libvirt-team/libvirt][debian/master] apparmor: allow hot-plug for qcow backing chains
Andrea Bolognani
gitlab at salsa.debian.org
Tue Jan 26 21:11:22 GMT 2021
Andrea Bolognani pushed to branch debian/master at Libvirt Packaging Team / libvirt
Commits:
6568c681 by Christian Ehrhardt at 2021-01-26T10:06:53+01:00
apparmor: allow hot-plug for qcow backing chains
Closes: #981001
- - - - -
2 changed files:
- + debian/patches/backport/apparmor-let-image-label-setting-loop-over-backing-files.patch
- debian/patches/series
Changes:
=====================================
debian/patches/backport/apparmor-let-image-label-setting-loop-over-backing-files.patch
=====================================
@@ -0,0 +1,81 @@
+From: Christian Ehrhardt <christian.ehrhardt at canonical.com>
+Date: Wed, 13 Jan 2021 12:32:18 +0100
+Subject: apparmor: let image label setting loop over backing files
+
+When adding a rule for an image file and that image file has a chain
+of backing files then we need to add a rule for each of those files.
+
+To get that iterate over the backing file chain the same way as
+dac/selinux already do and add a label for each.
+
+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/118
+
+Reviewed-by: Peter Krempa <pkrempa at redhat.com>
+Reviewed-by: Jim Fehlig <jfehlig at suse.com>
+Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
+(cherry picked from commit d51ad0008dc2df0257f69e767ab3e3c5fd1457ff)
+---
+ src/security/security_apparmor.c | 39 +++++++++++++++++++++++++++------------
+ 1 file changed, 27 insertions(+), 12 deletions(-)
+
+diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
+index c2d86c6..a840d36 100644
+--- a/src/security/security_apparmor.c
++++ b/src/security/security_apparmor.c
+@@ -764,22 +764,13 @@ AppArmorRestoreInputLabel(virSecurityManagerPtr mgr,
+
+ /* Called when hotplugging */
+ static int
+-AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
+- virDomainDefPtr def,
+- virStorageSourcePtr src,
+- virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED)
++AppArmorSetSecurityImageLabelInternal(virSecurityManagerPtr mgr,
++ virDomainDefPtr def,
++ virStorageSourcePtr src)
+ {
+- virSecurityLabelDefPtr secdef;
+ g_autofree char *vfioGroupDev = NULL;
+ const char *path;
+
+- secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
+- if (!secdef || !secdef->relabel)
+- return 0;
+-
+- if (!secdef->imagelabel)
+- return 0;
+-
+ if (src->type == VIR_STORAGE_TYPE_NVME) {
+ const virStorageSourceNVMeDef *nvme = src->nvme;
+
+@@ -805,6 +796,30 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
+ return reload_profile(mgr, def, path, true);
+ }
+
++static int
++AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
++ virDomainDefPtr def,
++ virStorageSourcePtr src,
++ virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED)
++{
++ virSecurityLabelDefPtr secdef;
++ virStorageSourcePtr n;
++
++ secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME);
++ if (!secdef || !secdef->relabel)
++ return 0;
++
++ if (!secdef->imagelabel)
++ return 0;
++
++ for (n = src; virStorageSourceIsBacking(n); n = n->backingStore) {
++ if (AppArmorSetSecurityImageLabelInternal(mgr, def, n) < 0)
++ return -1;
++ }
++
++ return 0;
++}
++
+ static int
+ AppArmorSecurityVerify(virSecurityManagerPtr mgr G_GNUC_UNUSED,
+ virDomainDefPtr def)
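Review bot: The new loop in AppArmorSetSecurityImageLabel hands every element of the chain to the same helper, so each backing file is added to the profile through the identical `reload_profile(mgr, def, path, true)` call used for the top image. If that call grants write access (not visible in these hunks), read-only backing layers receive more than they need, so it is worth confirming whether the rule can be read-only when `n != src`. The loop also returns -1 on the first failure without removing rules already appended for earlier chain elements, so a failed hot-plug may leave the profile wider than before unless the caller restores labels. On documentation, the `/* Called when hotplugging */` comment now sits above AppArmorSetSecurityImageLabelInternal; I would move it to the wrapper and give the helper its own line, e.g. `/* Add a profile rule for one storage source; the caller walks the backing chain */`. The helper's body continues outside the hunks shown.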
=====================================
debian/patches/series
=====================================
@@ -1,3 +1,4 @@
+backport/apparmor-let-image-label-setting-loop-over-backing-files.patch
forward/Skip-vircgrouptest.patch
forward/Reduce-udevadm-settle-timeout-to-10-seconds.patch
forward/Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
View it on GitLab: https://salsa.debian.org/libvirt-team/libvirt/-/commit/6568c681e174e5b35a7e1e7a47ad2417617a521b