From: Jim Fehlig
To: libvir-list@redhat.com
Date: Fri, 3 Feb 2017 10:32:11 -0700
Message-Id: <20170203173212.27480-2-jfehlig@suse.com>
In-Reply-To: <20170203173212.27480-1-jfehlig@suse.com>
References: <20170203173212.27480-1-jfehlig@suse.com>
Subject: [libvirt] [PATCH 1/2] apparmor: don't overwrite error from reload_profile

Like other callers of reload_profile, don't overwrite errors in AppArmorSetSecurityHostdevLabelHelper.

Signed-off-by: Jim Fehlig
--- src/security/security_apparmor.c | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/src/security/security_apparmor.c b/src/security/security_appar= mor.c index 2c33abb..ad50b08 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c 
@@ -322,19 +322,7 @@ AppArmorSetSecurityHostdevLabelHelper(const char *file= , void *opaque) struct SDPDOP *ptr =3D opaque; virDomainDefPtr def =3D ptr->def; =20 - if (reload_profile(ptr->mgr, def, file, true) < 0) { - virSecurityLabelDefPtr secdef =3D virDomainDefGetSecurityLabelDef( - def, SECURITY_APPARMOR_NAM= E); - if (!secdef) { - virReportOOMError(); - return -1; - } - virReportError(VIR_ERR_INTERNAL_ERROR, - _("cannot update AppArmor profile \'%s\'"), - secdef->imagelabel); - return -1; - } - return 0; + return reload_profile(ptr->mgr, def, file, true); } =20 static int --=20 2.9.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

From: Jim Fehlig
To: libvir-list@redhat.com
Date: Fri, 3 Feb 2017 10:32:12 -0700
Message-Id: <20170203173212.27480-3-jfehlig@suse.com>
In-Reply-To: <20170203173212.27480-1-jfehlig@suse.com>
References: <20170203173212.27480-1-jfehlig@suse.com>
Subject: [libvirt] [PATCH 2/2] apparmor: don't fail on non-apparmor

If the apparmor security driver is loaded/enabled and domain config contains a element whose type attribute is not 'apparmor', starting the domain fails when attempting to label resources such as tap FDs.

Many of the apparmor driver entry points attempt to retrieve the apparmor security label from the domain def, returning failure if not found. Functions such as AppArmorSetFDLabel fail even though domain config contains an explicit 'none' security driver, e.g.

Change the entry points to succeed if the domain config is not apparmor.
This matches the behavior of the selinux driver. Signed-off-by: Jim Fehlig --- src/security/security_apparmor.c | 58 ++++++++++++------------------------= ---- 1 file changed, 17 insertions(+), 41 deletions(-) diff --git a/src/security/security_apparmor.c b/src/security/security_appar= mor.c index ad50b08..f871e60 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -289,10 +289,7 @@ reload_profile(virSecurityManagerPtr mgr, virSecurityLabelDefPtr secdef =3D virDomainDefGetSecurityLabelDef( def, SECURITY_APPARMOR_NAM= E); =20 - if (!secdef) - return rc; - - if (!secdef->relabel) + if (!secdef || !secdef->relabel) return 0; =20 if ((profile_name =3D get_profile_name(def)) =3D=3D NULL) @@ -435,7 +432,7 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTR= IBUTE_UNUSED, SECURITY_APPARMOR_NAME); =20 if (!secdef) - return -1; + return 0; =20 if ((secdef->type =3D=3D VIR_DOMAIN_SECLABEL_STATIC) || (secdef->type =3D=3D VIR_DOMAIN_SECLABEL_NONE)) @@ -495,10 +492,7 @@ AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr, { virSecurityLabelDefPtr secdef =3D virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME= ); - if (!secdef) - return -1; - - if (!secdef->relabel) + if (!secdef || !secdef->relabel) return 0; =20 /* Reload the profile if stdin_path is specified. Note that @@ -559,12 +553,11 @@ AppArmorReleaseSecurityLabel(virSecurityManagerPtr mg= r ATTRIBUTE_UNUSED, { virSecurityLabelDefPtr secdef =3D virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_= NAME); - if (!secdef) - return -1; - - VIR_FREE(secdef->model); - VIR_FREE(secdef->label); - VIR_FREE(secdef->imagelabel); + if (secdef) { + VIR_FREE(secdef->model); + VIR_FREE(secdef->label); + VIR_FREE(secdef->imagelabel);\ + } =20 return 0; } 
@@ -580,7 +573,7 @@ AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr m= gr ATTRIBUTE_UNUSED, virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME); =20 if (!secdef) - return -1; + return 0; =20 if (secdef->type =3D=3D VIR_DOMAIN_SECLABEL_DYNAMIC) { if ((rc =3D remove_profile(secdef->label)) !=3D 0) { @@ -604,10 +597,7 @@ AppArmorSetSecurityProcessLabel(virSecurityManagerPtr = mgr ATTRIBUTE_UNUSED, virSecurityLabelDefPtr secdef =3D virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME); =20 - if (!secdef) - return -1; - - if (secdef->label =3D=3D NULL) + if (!secdef || !secdef->label) return 0; =20 if ((profile_name =3D get_profile_name(def)) =3D=3D NULL) @@ -653,10 +643,7 @@ AppArmorSetSecurityChildProcessLabel(virSecurityManage= rPtr mgr ATTRIBUTE_UNUSED, virSecurityLabelDefPtr secdef =3D virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME); =20 - if (!secdef) - goto cleanup; - - if (secdef->label =3D=3D NULL) + if (!secdef || !secdef->label) return 0; =20 if (STRNEQ(SECURITY_APPARMOR_NAME, secdef->model)) { @@ -738,10 +725,8 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mg= r, if (!src->path || !virStorageSourceIsLocalStorage(src)) return 0; =20 - if (!(secdef =3D virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMO= R_NAME))) - return -1; - - if (!secdef->relabel) + secdef =3D virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME= ); + if (!secdef || !secdef->relabel) return 0; =20 if (secdef->imagelabel) { @@ -792,7 +777,7 @@ AppArmorSecurityVerify(virSecurityManagerPtr mgr ATTRIB= UTE_UNUSED, virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME); =20 if (!secdef) - return -1; + return 0; =20 if (secdef->type =3D=3D VIR_DOMAIN_SECLABEL_STATIC) { if (use_apparmor() < 0 || profile_status(secdef->label, 0) < 0) { 
@@ -829,10 +814,7 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr = mgr, virDomainHostdevSubsysSCSIPtr scsisrc =3D &dev->source.subsys.u.scsi; virDomainHostdevSubsysSCSIVHostPtr hostsrc =3D &dev->source.subsys.u.s= csi_host; =20 - if (!secdef) - return -1; - - if (!secdef->relabel) + if (!secdef || !secdef->relabel) return 0; =20 if (dev->mode !=3D VIR_DOMAIN_HOSTDEV_MODE_SUBSYS) @@ -940,10 +922,7 @@ AppArmorRestoreSecurityHostdevLabel(virSecurityManager= Ptr mgr, virSecurityLabelDefPtr secdef =3D virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME); =20 - if (!secdef) - return -1; - - if (!secdef->relabel) + if (!secdef || !secdef->relabel) return 0; =20 return reload_profile(mgr, def, NULL, false); @@ -978,10 +957,7 @@ AppArmorSetFDLabel(virSecurityManagerPtr mgr, virSecurityLabelDefPtr secdef =3D virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME); =20 - if (!secdef) - return -1; - - if (secdef->imagelabel =3D=3D NULL) + if (!secdef || !secdef->imagelabel) return 0; =20 if (virAsprintf(&proc, "/proc/self/fd/%d", fd) =3D=3D -1) --=20 2.9.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
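Review bot: In patch 1/2, AppArmorSetSecurityHostdevLabelHelper now ends in `return reload_profile(ptr->mgr, def, file, true);`, so a caller only sees a libvirt error if reload_profile itself reports one on every path that returns a negative value; the removed block was the only error report visible in this function. Please state in the commit message that those paths were checked. The removed code also normalised any negative result to -1, while the new line passes the return value through unchanged, so if reload_profile can return anything other than 0 or -1 the `< 0` test should stay.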
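Review bot: In the AppArmorReleaseSecurityLabel hunk of patch 2/2, the added line `VIR_FREE(secdef->imagelabel);\` ends in a stray backslash. It splices the closing brace of the new `if (secdef) {` block onto the same logical line, which compiles but looks like a leftover from editing; please drop the backslash.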
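Review bot: In the AppArmorSecurityVerify hunk of patch 2/2, `if (!secdef) return 0;` makes verification succeed with no check and no log output whenever the domain def carries no apparmor label, and the same change is made in AppArmorGenSecurityLabel. The commit message explains this as matching the selinux driver, but nothing in the code records that a missing label here means another model or 'none' was chosen on purpose rather than a label lookup going wrong. Please add a short comment at these two returns saying so, and consider a debug log line so that a domain started without AppArmor confinement on a host with the driver enabled can be traced afterwards.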