From: Peter Krempa
To: libvir-list@redhat.com
Subject: [PATCH 7/7] security: apparmor: Use translated disk definitions for disk type=volume
Date: Thu, 12 Oct 2023 16:47:31 +0200
Message-ID: <3cf2bf1ef3ca32dc4cafd8e6c5bbe0c41dc0a0e9.1697121886.git.pkrempa@redhat.com>

The 'virt-aa-helper' process gets an XML of the VM it needs to create a profile for. For a disk type='volume' this XML contained only the pool and volume name. The 'virt-aa-helper' needs a local path though for anything it needs to label.

This means that we'd either need to invoke connection to the storage driver and re-resolve the volume. An alternative which makes more sense is to pass the proper data in the XML already passed to it via the new XML formatter and parser flags.

This was indirectly reported upstream in https://gitlab.com/libvirt/libvirt/-/issues/546

The configuration in the issue above was created by Cockpit on Debian. Since Cockpit is getting more popular it's more likely that users will be impacted by this problem.

Signed-off-by: Peter Krempa
Reviewed-by: Ján Tomko
---
 src/security/security_apparmor.c | 8 ++++++--
 src/security/virt-aa-helper.c    | 3 ++-
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/security/security_apparmor.c b/src/security/security_appar= mor.c index bce797de7c..6fd0aedacf 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -159,13 +159,17 @@ load_profile(virSecurityManager *mgr G_GNUC_UNUSED, bool append) { bool create =3D true; + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; g_autofree char *xml =3D NULL; g_autoptr(virCommand) cmd =3D NULL; - xml =3D virDomainDefFormat(def, NULL, VIR_DOMAIN_DEF_FORMAT_SECURE); - if (!xml) + if (virDomainDefFormatInternal(def, NULL, &buf, + VIR_DOMAIN_DEF_FORMAT_SECURE | + VIR_DOMAIN_DEF_FORMAT_VOLUME_TRANSLATED= ) < 0) return -1; + xml =3D virBufferContentAndReset(&buf); + if (profile_status_file(profile) >=3D 0) create =3D false; diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 0855eb68ca..be13979cef 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -654,7 +654,8 @@ get_definition(vahControl * ctl, const char *xmlStr) ctl->def =3D virDomainDefParseString(xmlStr, ctl->xmlopt, NULL, VIR_DOMAIN_DEF_PARSE_SKIP_SECLABEL | - VIR_DOMAIN_DEF_PARSE_SKIP_VALIDATE); + VIR_DOMAIN_DEF_PARSE_SKIP_VALIDATE | + VIR_DOMAIN_DEF_PARSE_VOLUME_TRANSLA= TED); if (ctl->def =3D=3D NULL) { vah_error(ctl, 0, _("could not parse XML")); --=20 2.41.0
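Review bot: in the load_profile() hunk of src/security/security_apparmor.c the `if (!xml)` check is dropped together with the virDomainDefFormat() call, and the new `xml = virBufferContentAndReset(&buf);` is not checked; that is acceptable because the buffer is only consumed after virDomainDefFormatInternal() returned successfully, but a short comment explaining why VIR_DOMAIN_DEF_FORMAT_VOLUME_TRANSLATED is combined with VIR_DOMAIN_DEF_FORMAT_SECURE here (virt-aa-helper must see the resolved local path of a type='volume' disk to label it, as the commit message says) would document the intent at the call site rather than only in the commit message.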
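Review bot: in the get_definition() hunk of src/security/virt-aa-helper.c the added VIR_DOMAIN_DEF_PARSE_VOLUME_TRANSLATED flag couples the helper to XML produced with the matching format flag in load_profile(); XML that lacks the translated volume data (for example supplied by hand or by a daemon built without the other half of this change) will still parse but leave the disk without a local path to label, so consider a comment above virDomainDefParseString() stating that the input is expected to come from load_profile() with translated volumes, since the existing `vah_error(ctl, 0, _("could not parse XML"));` path will not report that case.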