From: Jim Fehlig
To: libvir-list@redhat.com
Date: Fri, 1 Mar 2019 15:28:49 -0700
Message-Id: <20190301222850.28394-2-jfehlig@suse.com>
In-Reply-To: <20190301222850.28394-1-jfehlig@suse.com>
References: <20190301222850.28394-1-jfehlig@suse.com>
Subject: [libvirt] [PATCH 1/2] apparmor: Check libvirtd profile status by name

Commit a3ab6d42 changed the libvirtd profile to a named profile, breaking the apparmor driver's ability to detect if the profile is active. When the apparmor driver loads it checks the status of the libvirtd profile using the full binary path, which fails since the profile is now referenced by name.
If the apparmor driver is explicitly requested in /etc/libvirt/qemu.conf, then libvirtd fails to load too. Instead of only checking the profile status by full binary path, also check by profile name. The full path check is retained in case users have a customized libvirtd profile with full path. Signed-off-by: Jim Fehlig --- src/security/security_apparmor.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/src/security/security_apparmor.c b/src/security/security_appar= mor.c index 4afdef065a..6d16b15c65 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -257,10 +257,16 @@ use_apparmor(void) if (access(APPARMOR_PROFILES_PATH, R_OK) !=3D 0) goto cleanup; =20 + /* First check profile status using full binary path. If that fails + * check using profile name. + */ rc =3D profile_status(libvirt_daemon, 1); - /* Error or unconfined should all result in -1*/ - if (rc < 0) - rc =3D -1; + if (rc < 0) { + rc =3D profile_status("libvirtd", 1); + /* Error or unconfined should all result in -1*/ + if (rc < 0) + rc =3D -1; + } =20 cleanup: VIR_FREE(libvirt_daemon); --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
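
Review bot: The fallback call profile_status("libvirtd", 1) in use_apparmor() hard-codes the profile name as a string literal, so the check now depends on a value that has to stay in sync with the profile itself; a later rename would break detection the same way a3ab6d42 did. Consider a named constant for the profile name and a sentence in the new comment saying it must match the name used in the libvirtd profile. Separately, the outer if (rc < 0) does not distinguish an error from the path lookup from the unconfined case (the retained comment says both end up as -1), so the name lookup also runs after a genuine failure of the first call; if that is intended, "If that fails check using profile name" could say so explicitly.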