From: Michal Privoznik <mprivozn@redhat.com>
Specifically tailored for AppArmor, so that generating a seclabel
and producing a profile can be separated.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/libvirt_private.syms | 1 +
src/security/security_driver.h | 4 ++++
src/security/security_manager.c | 13 +++++++++++++
src/security/security_manager.h | 2 ++
src/security/security_stack.c | 15 +++++++++++++++
5 files changed, 35 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 4e57e4a8f6..64152c3bbb 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1822,6 +1822,7 @@ virSecurityManagerGetModel;
virSecurityManagerGetMountOptions;
virSecurityManagerGetNested;
virSecurityManagerGetProcessLabel;
+virSecurityManagerLoadProfile;
virSecurityManagerMoveImageMetadata;
virSecurityManagerNew;
virSecurityManagerNewDAC;
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index b8c5b416e3..d81662dab4 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -81,6 +81,8 @@ typedef int (*virSecurityDomainReserveLabel) (virSecurityManager *mgr,
pid_t pid);
typedef int (*virSecurityDomainReleaseLabel) (virSecurityManager *mgr,
virDomainDef *sec);
+typedef int (*virSecurityDomainLoadProfile) (virSecurityManager *mgr,
+ virDomainDef *def);
typedef int (*virSecurityDomainSetAllLabel) (virSecurityManager *mgr,
char *const *sharedFilesystems,
virDomainDef *sec,
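Review bot: The new `virSecurityDomainLoadProfile` callback type at the `+typedef` lines carries no comment stating its contract, so a driver author cannot tell from this header whether implementing it is optional, what it is expected to do with `def`, or how it is ordered relative to `domainGenSecurityLabel`. The commit message says the point is to separate generating a seclabel from producing a profile; that ordering belongs next to the typedef (or next to the `domainLoadProfile` field added in the following hunk of this file), e.g. `/* Optional. Produce/load the confinement profile for @def after its seclabel has been generated; 0 on success, -1 on error. */`, assuming that after-seclabel ordering is what the commit intends. The enclosing typedef list and `struct _virSecurityDriver` both extend outside the hunk.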
@@ -211,6 +213,8 @@ struct _virSecurityDriver {
virSecurityDomainReserveLabel domainReserveSecurityLabel;
virSecurityDomainReleaseLabel domainReleaseSecurityLabel;
+ virSecurityDomainLoadProfile domainLoadProfile;
+
virSecurityDomainGetProcessLabel domainGetSecurityProcessLabel;
virSecurityDomainSetProcessLabel domainSetSecurityProcessLabel;
virSecurityDomainSetChildProcessLabel domainSetSecurityChildProcessLabel;
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 5fc4eb4872..87c8b9f3c1 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -726,6 +726,19 @@ virSecurityManagerReleaseLabel(virSecurityManager *mgr,
}
+int
+virSecurityManagerLoadProfile(virSecurityManager *mgr,
+ virDomainDef *def)
+{
+ VIR_LOCK_GUARD lock = virObjectLockGuard(mgr);
+
+ if (!mgr->drv->domainLoadProfile)
+ return 0;
+
+ return mgr->drv->domainLoadProfile(mgr, def);
+}
+
+
static int virSecurityManagerCheckModel(virSecurityManager *mgr,
char *secmodel)
{
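Review bot: `virSecurityManagerLoadProfile` treats a missing `domainLoadProfile` as success (`return 0`), which quietly makes the callback optional for every driver, yet nothing at the call site says this is deliberate rather than an oversight. Since the commit describes the hook as AppArmor-specific, a short doc comment above the function would make that explicit, e.g. `/* Optional per-driver hook: drivers that do not produce a profile report success. */`, and it would also let a reader distinguish "driver has nothing to load" from a future "driver failed to load". The function itself is complete within the hunk; how the other manager wrappers in this file handle an absent callback is not visible here, so whichever convention they follow should be matched.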
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 068ca4e290..381b614ec1 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -128,6 +128,8 @@ int virSecurityManagerReserveLabel(virSecurityManager *mgr,
pid_t pid);
int virSecurityManagerReleaseLabel(virSecurityManager *mgr,
virDomainDef *sec);
+int virSecurityManagerLoadProfile(virSecurityManager *mgr,
+ virDomainDef *def);
int virSecurityManagerCheckAllLabel(virSecurityManager *mgr,
virDomainDef *sec);
int virSecurityManagerSetAllLabel(virSecurityManager *mgr,
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 99a68a6053..96b59d159b 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -280,6 +280,19 @@ virSecurityStackReserveLabel(virSecurityManager *mgr,
}
+static int
+virSecurityStackLoadProfile(virSecurityManager *mgr,
+ virDomainDef *vm)
+{
+ int rc = 0;
+
+ if (virSecurityManagerLoadProfile(virSecurityStackGetPrimary(mgr), vm) < 0)
+ rc = -1;
+
+ return rc;
+}
+
+
static int
virSecurityStackSetHostdevLabel(virSecurityManager *mgr,
virDomainDef *vm,
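Review bot: `virSecurityStackLoadProfile` consults only `virSecurityStackGetPrimary(mgr)`, so any nested driver in the stack never has its `domainLoadProfile` invoked; that is presumably intended because the profile is AppArmor-specific, but a reader comparing it with the other stack wrappers will likely take it for a missed loop, so it deserves a one-line comment such as `/* Only the primary driver produces a profile; nested drivers are deliberately skipped. */`. As a point of style, `rc` is initialised to 0 and only ever set to -1 on the error path, so the body collapses to `return virSecurityManagerLoadProfile(virSecurityStackGetPrimary(mgr), vm);` with no change in behaviour. The function is complete within the hunk.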
@@ -1070,6 +1083,8 @@ virSecurityDriver virSecurityDriverStack = {
.domainReserveSecurityLabel = virSecurityStackReserveLabel,
.domainReleaseSecurityLabel = virSecurityStackReleaseLabel,
+ .domainLoadProfile = virSecurityStackLoadProfile,
+
.domainGetSecurityProcessLabel = virSecurityStackGetProcessLabel,
.domainSetSecurityProcessLabel = virSecurityStackSetProcessLabel,
.domainSetSecurityChildProcessLabel = virSecurityStackSetChildProcessLabel,
--
2.52.0