security, apparmor: add (Set|Restore)MemoryLabel

Recent changes have made implementing this mandatory to hot add any memory. Implementing this in apparmor fixes this as well as allows hot-add of nvdimm tpye memory with an nvdimmPath set generating a AppArmor rule for that path. Example hot adding: <memory model='nvdimm'> <source> <path>/tmp/nvdimm-test</path> </source> <target> <size unit='KiB'>524288</size> <node>0</node> </target> </memory> Creates now: "/tmp/nvdimm-test" rwk, Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1755153 Acked-by: Jamie Strandboge <jamie@canonical.com> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2025-01-08 07:03:19 -06:00 · 2018-03-19 13:12:14 +01:00 · 2018-03-19 13:12:14 +01:00 · 999998a792
commit 999998a792
parent 85666f1314
1 changed files with 46 additions and 0 deletions
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@ -716,6 +716,49 @@ AppArmorRestoreSecurityDiskLabel(virSecurityManagerPtr mgr,
    return AppArmorRestoreSecurityImageLabel(mgr, def, disk->src);
 }

+/* Called when hotplugging */
+static int
+AppArmorSetMemoryLabel(virSecurityManagerPtr mgr,
+                       virDomainDefPtr def,
+                       virDomainMemoryDefPtr mem)
+{
+    if (mem == NULL)
+        return 0;
+
+    switch ((virDomainMemoryModel) mem->model) {
+    case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
+        if (mem->nvdimmPath == NULL) {
+            virReportError(VIR_ERR_INTERNAL_ERROR,
+                           _("%s: nvdimm without a path"),
+                           __func__);
+            return -1;
+        }
+        if (!virFileExists(mem->nvdimmPath)) {
+            virReportError(VIR_ERR_INTERNAL_ERROR,
+                           _("%s: \'%s\' does not exist"),
+                           __func__, mem->nvdimmPath);
+            return -1;
+        }
+        return reload_profile(mgr, def, mem->nvdimmPath, true);
+        break;
+    case VIR_DOMAIN_MEMORY_MODEL_NONE:
+    case VIR_DOMAIN_MEMORY_MODEL_DIMM:
+    case VIR_DOMAIN_MEMORY_MODEL_LAST:
+        break;
+    }
+
+    return 0;
+}
+
+
+static int
+AppArmorRestoreMemoryLabel(virSecurityManagerPtr mgr,
+                           virDomainDefPtr def,
+                           virDomainMemoryDefPtr mem ATTRIBUTE_UNUSED)
+{
+    return reload_profile(mgr, def, NULL, false);
+}
+
 /* Called when hotplugging */
 static int
 AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
@ -1115,6 +1158,9 @@ virSecurityDriver virAppArmorSecurityDriver = {
    .domainSetSecurityImageLabel        = AppArmorSetSecurityImageLabel,
    .domainRestoreSecurityImageLabel    = AppArmorRestoreSecurityImageLabel,

+    .domainSetSecurityMemoryLabel       = AppArmorSetMemoryLabel,
+    .domainRestoreSecurityMemoryLabel   = AppArmorRestoreMemoryLabel,
+
    .domainSetSecurityDaemonSocketLabel = AppArmorSetSecurityDaemonSocketLabel,
    .domainSetSecuritySocketLabel       = AppArmorSetSecuritySocketLabel,
    .domainClearSecuritySocketLabel     = AppArmorClearSecuritySocketLabel,