From: Christian Ehrhardt
To: libvir-list@redhat.com
Date: Wed, 16 Oct 2019 16:27:07 +0200
Message-Id: <20191016142710.1217-2-christian.ehrhardt@canonical.com>
In-Reply-To: <20191016142710.1217-1-christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH 1/4] virt-aa-helper: clarify command line options

While only used internally from libvirt the options still are misleading enough to cause issues every now and then. Group modes, options and adding an extra file, and extend the wording of the latter, which had the biggest lack of clarity.
Both add a file to the end of the rules, but one re-generates the rules from XML and the other keeps the existing rules as-is not considering the XML content.

Signed-off-by: Christian Ehrhardt
Reviewed-by: Cole Robinson
---
 src/security/virt-aa-helper.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 9157411133..e0c72e1b9c 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -95,18 +95,20 @@ vahDeinit(vahControl * ctl) static void vah_usage(void) { - printf(_("\n%s [options] [< def.xml]\n\n" - " Options:\n" + printf(_("\n%s mode [options] [extra file] [< def.xml]\n\n" + " Modes:\n" " -a | --add load profile\n" " -c | --create create profile from templa= te\n" - " -d | --dryrun dry run\n" " -D | --delete unload and delete profile\= n" - " -f | --add-file add file to profile\n" - " -F | --append-file append file to profile\n" " -r | --replace reload profile\n" " -R | --remove unload profile\n" - " -h | --help this help\n" + " Options:\n" + " -d | --dryrun dry run\n" " -u | --uuid uuid (profile name)\n" + " -h | --help this help\n" + " Extra File:\n" + " -f | --add-file add file to a profile gene= rated from XML\n" + " -F | --append-file append file to an existing= profile\n" "\n"), progname); =20 puts(_("This command is intended to be used by libvirtd "
-- 
2.23.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
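Review bot: the new synopsis `%s mode [options] [extra file] [< def.xml]` reads as if the extra file were a positional argument, while the help text below documents it as the `-f`/`-F` switches; consider writing the synopsis as `[-f file | -F file]`, or showing the argument next to the switch the way `-u | --uuid uuid` does, so the grouping matches the actual invocation. Also, the `-F` description "append file to an existing profile" still does not state what the commit message makes explicit, that the XML read from stdin is not re-read in that mode; a wording such as "append file to the existing profile (XML is ignored)" would close the gap the patch sets out to fix.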
From: Christian Ehrhardt
To: libvir-list@redhat.com
Date: Wed, 16 Oct 2019 16:27:08 +0200
Message-Id: <20191016142710.1217-3-christian.ehrhardt@canonical.com>
In-Reply-To: <20191016142710.1217-1-christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH 2/4] apparmor: drop useless call to get_profile_name

reload_profile calls get_profile_name for no particular gain, let's remove that call. The string isn't used in that function later on and not registered/passed anywhere. It can only fail if it either can't allocate or if the virDomainDefPtr would have no uuid set (which isn't allowed).
Thereby the only "check" it really provides is if it can allocate the string to then free it again. This was initially added in [1] when the code was still in AppArmorRestoreSecurityImageLabel (later moved) and even back then had no further effect than described above.

[1]: https://libvirt.org/git/?p=libvirt.git;a=blob;f=src/security/security_apparmor.c;h=16de0f26f41689e0c50481120d9f8a59ba1f4073;hb=bbaecd6a8f15345bc822ab4b79eb0955986bb2fd#l487

Signed-off-by: Christian Ehrhardt
Reviewed-by: Cole Robinson
---
 src/security/security_apparmor.c | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 75203cc43a..691833eb4b 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -282,17 +282,12 @@ reload_profile(virSecurityManagerPtr mgr, const char *fn, bool append) { - int rc =3D -1; - char *profile_name =3D NULL; virSecurityLabelDefPtr secdef =3D virDomainDefGetSecurityLabelDef( def, SECURITY_APPARMOR_NAM= E); =20 if (!secdef || !secdef->relabel) return 0; =20 - if ((profile_name =3D get_profile_name(def)) =3D=3D NULL) - return rc; - /* Update the profile only if it is loaded */ if (profile_loaded(secdef->imagelabel) >=3D 0) { if (load_profile(mgr, secdef->imagelabel, def, fn, append) < 0) {
@@ -300,15 +295,10 @@ reload_profile(virSecurityManagerPtr mgr, _("cannot update AppArmor profile " "\'%s\'"), secdef->imagelabel); - goto cleanup; + return -1; } } - - rc =3D 0; - cleanup: - VIR_FREE(profile_name); - - return rc; + return 0; } =20 static int
-- 
2.23.0
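Review bot: the return semantics survive the restructuring: `rc` started at -1 and was set to 0 only after the profile_loaded() block, so `return -1` in the load_profile() error branch and the unconditional `return 0` at the end are equivalent to the old cleanup path, and since `VIR_FREE(profile_name)` was the only work done under `cleanup:` and the first hunk drops the allocation, nothing is left unfreed. What the function no longer has is any early failure before load_profile() for the case where get_profile_name() would have returned NULL; the commit message argues that only happens on allocation failure or a missing uuid, so naming where the uuid is guaranteed to be set (the virDomainDefPtr validation the message alludes to) would make this removal easier to audit later.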
From: Christian Ehrhardt
To: libvir-list@redhat.com
Date: Wed, 16 Oct 2019 16:27:09 +0200
Message-Id: <20191016142710.1217-4-christian.ehrhardt@canonical.com>
In-Reply-To: <20191016142710.1217-1-christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH 3/4] apparmor: refactor AppArmorSetSecurityImageLabel

A lot of the code in AppArmorSetSecurityImageLabel is a duplicate of what is in reload_profile; this refactors AppArmorSetSecurityImageLabel to use reload_profile instead.
Signed-off-by: Christian Ehrhardt
Reviewed-by: Cole Robinson
---
 src/security/security_apparmor.c | 38 ++++++++------------------------
 1 file changed, 9 insertions(+), 29 deletions(-)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 691833eb4b..320d69e52a 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -792,8 +792,6 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr, virStorageSourcePtr src, virSecurityDomainImageLabelFlags flags G_GNU= C_UNUSED) { - int rc =3D -1; - char *profile_name =3D NULL; virSecurityLabelDefPtr secdef; =20 if (!src->path || !virStorageSourceIsLocalStorage(src))
@@ -803,36 +801,18 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr m= gr, if (!secdef || !secdef->relabel) return 0; =20 - if (secdef->imagelabel) { - /* if the device doesn't exist, error out */ - if (!virFileExists(src->path)) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("\'%s\' does not exist"), - src->path); - return -1; - } - - if ((profile_name =3D get_profile_name(def)) =3D=3D NULL) - return -1; + if (!secdef->imagelabel) + return 0; =20 - /* update the profile only if it is loaded */ - if (profile_loaded(secdef->imagelabel) >=3D 0) { - if (load_profile(mgr, secdef->imagelabel, def, - src->path, false) < 0) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("cannot update AppArmor profile " - "\'%s\'"), - secdef->imagelabel); - goto cleanup; - } - } + /* if the device doesn't exist, error out */ + if (!virFileExists(src->path)) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("\'%s\' does not exist"), + src->path); + return -1; } - rc =3D 0; =20 - cleanup: - VIR_FREE(profile_name); - - return rc; + return reload_profile(mgr, def, src->path, false); } =20 static int
-- 
2.23.0
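Review bot: the refactor preserves the observable behaviour while reordering the checks: `if (!secdef->imagelabel) return 0;` replaces the old `if (secdef->imagelabel) { ... }` wrapper, so a missing image label still yields success; the `virFileExists()` check still reports "'%s' does not exist" and returns -1 before any profile is touched; and `reload_profile(mgr, def, src->path, false)` repeats the `!secdef || !secdef->relabel` test already made at the top of this function (visible in the 2/4 hunk), which is redundant but harmless. The `append` argument stays `false`, matching the old `load_profile(..., src->path, false)` call, so this is a pure refactor and the behavioural fix is deferred to 4/4; it is worth saying in the commit message that the "cannot update AppArmor profile" error is now emitted from reload_profile() rather than here, since the message text is unchanged but its origin moved.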
From: Christian Ehrhardt
To: libvir-list@redhat.com
Date: Wed, 16 Oct 2019 16:27:10 +0200
Message-Id: <20191016142710.1217-5-christian.ehrhardt@canonical.com>
In-Reply-To: <20191016142710.1217-1-christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH 4/4] apparmor: let AppArmorSetSecurityImageLabel append rules

There are currently broken use cases, e.g. snapshotting more than one disk at once like:

$ virsh snapshot-create-as --domain eoan --disk-only --atomic --diskspec vda,snapshot=no --diskspec vdb,snapshot=no --diskspec vdc,file=/test/disk1.snapshot1.qcow,snapshot=external --diskspec vdd,file=/test/disk2.snapshot1.qcow,snapshot=external

The command above will iterate from qemuDomainSnapshotCreateDiskActive and eventually add /test/disk1.snapshot1.qcow first (appears in the rules) to then later add /test/disk2.snapshot1.qcow and while doing so throwing away the former rule, causing it to fail.

All other calls to (re)load_profile already use append=true when adding rules; append=false is only used when restoring rules [1]. Fix this by letting AppArmorSetSecurityImageLabel use append=true as well.

Bugs:
https://bugs.launchpad.net/libvirt/+bug/1845506
https://bugzilla.redhat.com/show_bug.cgi?id=1746684

[1]: https://bugs.launchpad.net/libvirt/+bug/1845506/comments/13

Signed-off-by: Christian Ehrhardt
Reviewed-by: Cole Robinson
---
 src/security/security_apparmor.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 320d69e52a..4dd7ba20b4 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -812,7 +812,7 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr, return -1; } =20 - return reload_profile(mgr, def, src->path, false); + return reload_profile(mgr, def, src->path, true); } =20 static int
-- 
2.23.0
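Review bot: the one-token change from `false` to `true` is the right fix for the described failure (the rule for the second snapshot disk no longer replaces the rule for the first), but its consequence for the image-label path deserves a sentence in the commit message: with append=true, AppArmorSetSecurityImageLabel only ever adds rules and never regenerates the profile from the XML, so, going by the 1/4 description of append versus add, a rule for an image path that is later dropped from the definition persists until the restore path (the remaining append=false user the message cites) runs. That is consistent with every other (re)load_profile caller the message names, so it is not a regression, but stating the trade-off makes the widening of the profile explicit, and a test that snapshots two disks in one call would guard against this bug returning.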