From nobody Sun May 5 16:58:03 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) client-ip=216.205.24.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail(p=none dis=none) header.from=canonical.com ARC-Seal: i=1; a=rsa-sha256; t=1611052785; cv=none; d=zohomail.com; s=zohoarc; b=ZPIirlPE4wydySWQo5RtHygClbaVCySWIDDXpEV9NT929AUVMwM/oNUCQoZw3TWIbGwd79D0pfw7YA9WCwzlKDMU7q9eL0BjT2BYtuuIdc97qCw4XrBjUaytImAqX/EBUgVz0d30j0iRbW/kVylBFWg08L910cRo/FebgeN4L8A= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1611052785; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To; bh=aSgM7rQX3Y41YWDmnnBxkk/Ji5ion/swfKoCnLX7mbs=; b=Nfl/hBgE5LJT9xpQ81s4nnPGfO1uzQcjrxUz7igsaxfvMeUgSfwaG+KttsE6ESO3UT+ZzmkanMpJA7Wtw5+35uZv07B4KXkQhSL+THUs2W5OOsZPLtIWj1tQBR6Z37gC0FbFLThpXugclQS8tppxBN2B+kCTdTGwbNvqq0U3PgY= ARC-Authentication-Results: i=1; mx.zohomail.com; spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.zohomail.com with SMTPS id 1611052785872799.4658324897116; Tue, 19 Jan 2021 02:39:45 -0800 (PST) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-51-ZywEc78TOS6s62IJKlCPgw-1; Tue, 19 Jan 2021 05:39:42 -0500 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 673098797E2; Tue, 19 Jan 2021 10:39:35 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id EB19A722C1; Tue, 19 Jan 2021 10:39:33 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id E3A6F180954D; Tue, 19 Jan 2021 10:39:29 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 10JAdR1V022687 for ; Tue, 19 Jan 2021 05:39:27 -0500 Received: by smtp.corp.redhat.com (Postfix) id 50C902166B2C; Tue, 19 Jan 2021 10:39:27 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast02.extmail.prod.ext.rdu2.redhat.com [10.11.55.18]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 4BBDE2166B29 for ; Tue, 19 Jan 2021 10:39:23 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id CC53D8007D9 for ; Tue, 19 Jan 2021 10:39:23 +0000 (UTC) Received: from youngberry.canonical.com (youngberry.canonical.com [91.189.89.112]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-341-e--bbZFgMMWu0JmZTSN_bQ-1; Tue, 19 Jan 2021 05:39:21 -0500 Received: from 114-062-210-188.ip-addr.inexio.net ([188.210.62.114] helo=Keschdeichel.fritz.box) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1l1oAR-0006KS-OP; Tue, 19 Jan 2021 10:23:19 +0000 X-MC-Unique: ZywEc78TOS6s62IJKlCPgw-1 X-MC-Unique: e--bbZFgMMWu0JmZTSN_bQ-1 From: Christian Ehrhardt To: libvir-list@redhat.com Subject: [PATCH] apparmor: let image label setting loop over backing files Date: Tue, 19 Jan 2021 11:23:16 +0100 Message-Id: <20210119102316.270452-1-christian.ehrhardt@canonical.com> MIME-Version: 1.0 X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-loop: libvir-list@redhat.com Cc: Peter Krempa , Andrea Bolognani , jamie@strandboge.com, Christian Ehrhardt X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" When adding a rule for an image file and that image file has a chain of backing files then we need to add a rule for each of those files. To get that iterate over the backing file chain the same way as dac/selinux already do and add a label for each. Fixes: https://gitlab.com/libvirt/libvirt/-/issues/118 Signed-off-by: Christian Ehrhardt Reviewed-by: Peter Krempa --- src/security/security_apparmor.c | 39 ++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 12 deletions(-) diff --git a/src/security/security_apparmor.c b/src/security/security_appar= mor.c index 29f0956d22..1f309c0c9f 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -756,22 +756,13 @@ AppArmorRestoreInputLabel(virSecurityManagerPtr mgr, =20 /* Called when hotplugging */ static int -AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainDefPtr def, - virStorageSourcePtr src, - virSecurityDomainImageLabelFlags flags G_GNU= C_UNUSED) +AppArmorSetSecurityImageLabelInternal(virSecurityManagerPtr mgr, + virDomainDefPtr def, + virStorageSourcePtr src) { - virSecurityLabelDefPtr secdef; g_autofree char *vfioGroupDev =3D NULL; const char *path; =20 - secdef =3D virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME= ); - if (!secdef || !secdef->relabel) - return 0; - - if (!secdef->imagelabel) - return 0; - if (src->type =3D=3D VIR_STORAGE_TYPE_NVME) { const virStorageSourceNVMeDef *nvme =3D src->nvme; =20 @@ -797,6 +788,30 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mg= r, return reload_profile(mgr, def, path, true); } =20 +static int +AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def, + virStorageSourcePtr src, + virSecurityDomainImageLabelFlags flags G_GNU= C_UNUSED) +{ + virSecurityLabelDefPtr secdef; + virStorageSourcePtr n; + + secdef =3D virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME= ); + if (!secdef || !secdef->relabel) + return 0; + + if (!secdef->imagelabel) + return 0; + + for (n =3D src; virStorageSourceIsBacking(n); n =3D n->backingStore) { + if (AppArmorSetSecurityImageLabelInternal(mgr, def, n) < 0) + return -1; + } + + return 0; +} + static int AppArmorSecurityVerify(virSecurityManagerPtr mgr G_GNUC_UNUSED, virDomainDefPtr def) --=20 2.30.0