From: Michal Privoznik <[email protected]> So far, this is a NOP as no secdriver implements the callback. But the idea is to separate seclabel generation from profile loading for AppArmor. See next commit.
Signed-off-by: Michal Privoznik <[email protected]>
---
 src/qemu/qemu_process.c | 7 +++++++
 src/qemu/qemu_security.h | 1 +
 2 files changed, 8 insertions(+)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index a53bb40783..5d5b1b291b 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -7154,6 +7154,13 @@ qemuProcessPrepareDomain(virQEMUDriver *driver,
 }
 }
+ /* Keep this as the last step so that security drivers can
+ * see all the path generated in steps above. */
+ if (!(flags & VIR_QEMU_PROCESS_START_PRETEND)) {
+ if (qemuSecurityManagerLoadProfile(driver->securityManager, vm->def) < 0)
+ return -1;
+ }
+
 return 0;
 }
diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h
index 36663cffde..d540c01f77 100644
--- a/src/qemu/qemu_security.h
+++ b/src/qemu/qemu_security.h
@@ -137,6 +137,7 @@ int qemuSecurityCommandRun(virQEMUDriver *driver,
 #define qemuSecurityGetMountOptions virSecurityManagerGetMountOptions
 #define qemuSecurityGetNested virSecurityManagerGetNested
 #define qemuSecurityGetProcessLabel virSecurityManagerGetProcessLabel
+#define qemuSecurityManagerLoadProfile virSecurityManagerLoadProfile
 #define qemuSecurityNew virSecurityManagerNew
 #define qemuSecurityNewDAC virSecurityManagerNewDAC
 #define qemuSecurityNewStack virSecurityManagerNewStack
-- 2.52.0
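Review bot: The ordering requirement on the new block at the end of qemuProcessPrepareDomain is carried only by its comment, and the comment does not say why the PRETEND case is skipped. If anything that runs after this function still adds paths to vm->def, the profile loaded here would not cover them; whether that happens depends on code outside this hunk, since the function starts above it. I would make the invariant and the exception explicit, for example `/* Must remain the last step: the security driver builds its profile from vm->def, so every path has to be filled in by now. Skipped for PRETEND since no domain is started. */`, which also fixes the "all the path" typo. The reason given for PRETEND is inferred from the flag name and should be confirmed.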
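Review bot: The new alias keeps `Manager` in its name, while the neighbouring aliases in this list drop it (`qemuSecurityGetNested` for `virSecurityManagerGetNested`, `qemuSecurityNew` for `virSecurityManagerNew`). For consistency it would read `#define qemuSecurityLoadProfile virSecurityManagerLoadProfile`, with the call added to qemuProcessPrepareDomain in qemu_process.c renamed to match. The entry's position in the list would not need to change.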
