From: Michal Privoznik <[email protected]> Specifically tailored for AppArmor, so that generating a seclabel and producing a profile can be separated.
Signed-off-by: Michal Privoznik <[email protected]>
---
 src/libvirt_private.syms | 1 +
 src/security/security_driver.h | 4 ++++
 src/security/security_manager.c | 13 +++++++++++++
 src/security/security_manager.h | 2 ++
 src/security/security_stack.c | 15 +++++++++++++++
 5 files changed, 35 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 4e57e4a8f6..64152c3bbb 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1822,6 +1822,7 @@ virSecurityManagerGetModel;
 virSecurityManagerGetMountOptions;
 virSecurityManagerGetNested;
 virSecurityManagerGetProcessLabel;
+virSecurityManagerLoadProfile;
 virSecurityManagerMoveImageMetadata;
 virSecurityManagerNew;
 virSecurityManagerNewDAC;
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index b8c5b416e3..d81662dab4 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -81,6 +81,8 @@ typedef int (*virSecurityDomainReserveLabel) (virSecurityManager *mgr,
                                               pid_t pid);
 typedef int (*virSecurityDomainReleaseLabel) (virSecurityManager *mgr,
                                               virDomainDef *sec);
+typedef int (*virSecurityDomainLoadProfile) (virSecurityManager *mgr,
+                                             virDomainDef *def);
 typedef int (*virSecurityDomainSetAllLabel) (virSecurityManager *mgr,
                                              char *const *sharedFilesystems,
                                              virDomainDef *sec,
@@ -211,6 +213,8 @@ struct _virSecurityDriver {
     virSecurityDomainReserveLabel domainReserveSecurityLabel;
     virSecurityDomainReleaseLabel domainReleaseSecurityLabel;
 
+    virSecurityDomainLoadProfile domainLoadProfile;
+
     virSecurityDomainGetProcessLabel domainGetSecurityProcessLabel;
     virSecurityDomainSetProcessLabel domainSetSecurityProcessLabel;
     virSecurityDomainSetChildProcessLabel domainSetSecurityChildProcessLabel;
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 5fc4eb4872..87c8b9f3c1 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
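Review bot: The new `virSecurityDomainLoadProfile` typedef in the security_driver.h hunk names its second parameter `def`, while the neighbouring callbacks in the same hunk (`virSecurityDomainReleaseLabel`, `virSecurityDomainSetAllLabel`) call the same `virDomainDef *` argument `sec`, and the stack implementation later in the series uses `vm`; one name across the driver table would keep it readable. The callback also carries no comment saying when the manager is expected to invoke it relative to label generation and label application, which is exactly the ordering the commit message says this split is for. A one-line comment above the typedef, such as `/* Load the confinement profile for @def's already-generated label; optional, may be NULL. */`, would record that contract where driver authors will look for it.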
@@ -726,6 +726,19 @@ virSecurityManagerReleaseLabel(virSecurityManager *mgr,
 }
 
 
+int
+virSecurityManagerLoadProfile(virSecurityManager *mgr,
+                              virDomainDef *def)
+{
+    VIR_LOCK_GUARD lock = virObjectLockGuard(mgr);
+
+    if (!mgr->drv->domainLoadProfile)
+        return 0;
+
+    return mgr->drv->domainLoadProfile(mgr, def);
+}
+
+
 static int virSecurityManagerCheckModel(virSecurityManager *mgr,
                                         char *secmodel)
 {
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 068ca4e290..381b614ec1 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -128,6 +128,8 @@ int virSecurityManagerReserveLabel(virSecurityManager *mgr,
                                    pid_t pid);
 int virSecurityManagerReleaseLabel(virSecurityManager *mgr,
                                    virDomainDef *sec);
+int virSecurityManagerLoadProfile(virSecurityManager *mgr,
+                                  virDomainDef *def);
 int virSecurityManagerCheckAllLabel(virSecurityManager *mgr,
                                     virDomainDef *sec);
 int virSecurityManagerSetAllLabel(virSecurityManager *mgr,
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 99a68a6053..96b59d159b 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -280,6 +280,19 @@ virSecurityStackReserveLabel(virSecurityManager *mgr,
 }
 
 
+static int
+virSecurityStackLoadProfile(virSecurityManager *mgr,
+                            virDomainDef *vm)
+{
+    int rc = 0;
+
+    if (virSecurityManagerLoadProfile(virSecurityStackGetPrimary(mgr), vm) < 0)
+        rc = -1;
+
+    return rc;
+}
+
+
 static int
 virSecurityStackSetHostdevLabel(virSecurityManager *mgr,
                                 virDomainDef *vm,
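Review bot: `virSecurityManagerLoadProfile` in the security_manager.c hunk returns 0 when `mgr->drv->domainLoadProfile` is NULL, so a driver without the hook reports "profile loaded" rather than "unsupported"; that mirrors the other optional callbacks in this file, but a caller that relies on the profile being in place before the domain process is confined cannot tell the two outcomes apart. The function is complete within the hunk and has no doc comment; since it is exported through libvirt_private.syms it should state this contract, e.g. `/* Ask the driver to load the confinement profile for @def. Returns 0 when the driver has no such hook (nothing to load), -1 on driver error. */` above the definition. If callers do need to distinguish the cases, returning a positive value or a distinct code for the no-hook path would be the place to do it, but that is a design question for the AppArmor patch that consumes this.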
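Review bot: `virSecurityStackLoadProfile` in the security_stack.c hunk forwards only to `virSecurityStackGetPrimary(mgr)`, so a nested driver that implements `domainLoadProfile` is never asked to load its profile; whether that is intended depends on how the stack is composed, which this hunk does not show. Because the manager wrapper already returns 0 for drivers lacking the hook, iterating every nested manager would be harmless, and if the primary-only choice is deliberate a comment should say so, e.g. `/* Profiles belong to the primary (labelling) driver; nested drivers are not consulted. */`. The `rc` temporary adds nothing here: `return virSecurityManagerLoadProfile(virSecurityStackGetPrimary(mgr), vm) < 0 ? -1 : 0;` is equivalent, or the call's result can simply be propagated if callers only test for a negative value.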
@@ -1070,6 +1083,8 @@ virSecurityDriver virSecurityDriverStack = {
     .domainReserveSecurityLabel = virSecurityStackReserveLabel,
     .domainReleaseSecurityLabel = virSecurityStackReleaseLabel,
 
+    .domainLoadProfile = virSecurityStackLoadProfile,
+
     .domainGetSecurityProcessLabel = virSecurityStackGetProcessLabel,
     .domainSetSecurityProcessLabel = virSecurityStackSetProcessLabel,
     .domainSetSecurityChildProcessLabel = virSecurityStackSetChildProcessLabel,
-- 
2.52.0
