[libvirt] [PATCH v4 0/5] Apparmor support for less common devices

Christian Ehrhardt posted 5 patches 6 years ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/1521667361-15170-1-git-send-email-christian.ehrhardt@canonical.com
Test syntax-check passed
src/security/security_apparmor.c | 94 ++++++++++++++++++++++++++++++++++++++++
src/security/virt-aa-helper.c    | 16 +++++++
tests/virt-aa-helper-test        | 87 ++++++++++++++++++++++---------------
3 files changed, 163 insertions(+), 34 deletions(-)
[libvirt] [PATCH v4 0/5] Apparmor support for less common devices
Posted by Christian Ehrhardt 6 years ago
So far users added manual rules for most of these uncommon devices,
but recent changes made some of the callbacks mandatory for hotplug
so we should take a shot at implementing them as those callbacks as well
as for the initial start of a guest via virt-aa-helper.

*Updates since v1*
 - Set(Memory|Input)Label: remove seclabel check already done in reload_profile
 - virt-aa-helper: check pointers before accessing them
 - add tests for new virt-aa-helper supported xml elements
 - extend tests to check for expected content (new patch in series)

*Updates since v2*
 - Restore(Memory|Input)Label: drop secdef/relabel check
 - Set(Memory|Input)Label: check more pointers to be valid before using them

*Updates since v3*
 - added the Acked-by of Jamie Strandboge on patches 1-4
 - reuse the already existing tmpdir in virt-aa-helper-test for better cleanup

Christian Ehrhardt (5):
  security, apparmor: add (Set|Restore)MemoryLabel
  security, apparmor: add (Set|Restore)InputLabel
  virt-aa-helper: generate rules for passthrough input devices
  virt-aa-helper: generate rules for nvdimm memory
  virt-aa-helper: test: check for expected profile content

 src/security/security_apparmor.c | 94 ++++++++++++++++++++++++++++++++++++++++
 src/security/virt-aa-helper.c    | 16 +++++++
 tests/virt-aa-helper-test        | 87 ++++++++++++++++++++++---------------
 3 files changed, 163 insertions(+), 34 deletions(-)

-- 
2.7.4

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH v4 0/5] Apparmor support for less common devices
Posted by Christian Ehrhardt 6 years ago
On Wed, Mar 21, 2018 at 10:22 PM, Christian Ehrhardt <christian.ehrhardt@canonical.com> wrote:

> So far users added manual rules for most of these uncommon devices,
> but recent changes made some of the callbacks mandatory for hotplug
> so we should take a shot at implementing them as those callbacks as well
> as for the initial start of a guest via virt-aa-helper.
>
> *Updates since v1*
>  - Set(Memory|Input)Label: remove seclabel check already done in reload_profile
>  - virt-aa-helper: check pointers before accessing them
>  - add tests for new virt-aa-helper supported xml elements
>  - extend tests to check for expected content (new patch in series)
>
> *Updates since v2*
>  - Restore(Memory|Input)Label: drop secdef/relabel check
>  - Set(Memory|Input)Label: check more pointers to be valid before using them
>
> *Updates since v3*
>  - added the Acked-by of Jamie Strandboge on patches 1-4
>  - reuse the already existing tmpdir in virt-aa-helper-test for better cleanup
>
> Christian Ehrhardt (5):
>   security, apparmor: add (Set|Restore)MemoryLabel
>   security, apparmor: add (Set|Restore)InputLabel
>   virt-aa-helper: generate rules for passthrough input devices
>   virt-aa-helper: generate rules for nvdimm memory
>

Rebased (no change), retested and pushed patches 1-4 being up a few days
and having acks.


>   virt-aa-helper: test: check for expected profile content
>

Keeping this last one up for more review to either push or reiterate on it
after more review.

>  src/security/security_apparmor.c | 94 ++++++++++++++++++++++++++++++++++++++++
>  src/security/virt-aa-helper.c    | 16 +++++++
>  tests/virt-aa-helper-test        | 87 ++++++++++++++++++++++---------------
>  3 files changed, 163 insertions(+), 34 deletions(-)
>
> --
> 2.7.4
>
>


-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd