[PATCH] security: apparmor: Remove hardcoded "libvirtd" profile name

Jim Fehlig via Devel posted 1 patch 2 weeks ago
src/security/security_apparmor.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
[PATCH] security: apparmor: Remove hardcoded "libvirtd" profile name
Posted by Jim Fehlig via Devel 2 weeks ago
The apparmor driver probe function checks for an active profile matching
the full path of the running daemon binary. If not found, it checks for
a profile named "libvirtd". This works fine when the running daemon is the
old monolithic libvirtd, but fails with modular daemons.

Remove the check for a hardcoded "libvirtd" profile and replace with the
basename of the running daemon binary.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
 src/security/security_apparmor.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index c8e77c6cd2..eed0f265d6 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -239,7 +239,9 @@ use_apparmor(void)
      */
     rc = profile_status(libvirt_daemon, 1);
     if (rc < 0) {
-        rc = profile_status("libvirtd", 1);
+        g_autofree char *basename = g_path_get_basename(libvirt_daemon);
+
+        rc = profile_status(basename, 1);
         /* Error or unconfined should all result in -1 */
         if (rc < 0)
             rc = -1;
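Review bot: the new local in the `if (rc < 0)` branch is named `basename`, which is also the name of the libc function basename(3); if a header declaring that function is in scope in this file, the declaration shadows it and can trip shadow warnings. A name such as `daemon_name` avoids the clash, e.g. `g_autofree char *daemon_name = g_path_get_basename(libvirt_daemon);`. Separately, the comment block that closes just above `rc = profile_status(libvirt_daemon, 1);` is not visible in this hunk; if it still describes a fallback to a profile named "libvirtd", it should be updated to say the fallback is the basename of the running daemon binary, since which profile name is probed decides whether the driver reports the daemon as confined.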
-- 
2.43.0
Re: [PATCH] security: apparmor: Remove hardcoded "libvirtd" profile name
Posted by Daniel P. Berrangé 2 weeks ago
On Mon, Jan 06, 2025 at 01:30:45PM -0700, Jim Fehlig via Devel wrote:
> The apparmor driver probe function checks for an active profile matching
> the full path of the running daemon binary. If not found, it checks for
> a profile named "libvirtd". This works fine when the running daemon is the
> old monolithic libvirtd, but fails with modular daemons.
> 
> Remove the check for a hardcoded "libvirtd" profile and replace with the
> basename of the running daemon binary.
> 
> Signed-off-by: Jim Fehlig <jfehlig@suse.com>
> ---
>  src/security/security_apparmor.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|